06-14-2021 07:55 AM - edited 07-05-2021 01:27 PM
Hi board,
I'm confused regarding the IPv6 RA guard on the Cisco 9800 WLC.
First of all - when coming from AireOS, it's not clear from the documentation where the IPv6 RA guard is enforced. On the AP or on the WLC?
Secondly, the documentation is pretty much unclear on this topic.
It states that the IPv6 guard is disabled by default, and the image in the corresponding chapter shows that the AP throws the RA from a wireless client in a recycle bin (not the WLC). However, the config example is on a layer-3 interface on the WLC:
interface vlan<VLAN-ID>
 ...
 ipv6 nd ra suppress all
!
Seriously? You need a Layer-3 interface on the WLC to implement RA guard? Catalyst switches are able to do this using a FHS policy. This must be a documentation fault, right?!
In another document - the official config guide - the following is stated:
So what's true now?
I captured packets on the WLC port-channel towards the wired infrastructure using the embedded packet capture.
I have a test case where a wireless client sends RAs using scapy:
from scapy.all import IPv6, ICMPv6ND_RA, send
send(IPv6(dst="ff02::1")/ICMPv6ND_RA(), iface="wlan0")
The RA is not seen on the WLC Port-Channel towards the layer-3 switch. So it must be dropped somewhere.
- First question: Where?
- Second question: Why?
- Third question: How to confirm? There must be a show output. The AireOS equivalent is:
Does anybody have thoughts on this?
08-10-2023 01:09 AM
At the end of the day I opened a TAC case with the following results:
Because of this SR, two new bug IDs were opened:
CSCvz54812: AireOS parity : need show commands to verify ipv6 ra
=> My guess is that this will never be implemented
CSCvz54869: RA guard section on the Ipv6 deployment guide needs update
As a side note: I tested various AP models (release 17.9.4). All of them drop RAs on the AP level (so the RA is never encapsulated in CAPWAP in local mode).
One exception is old IOS-based APs (e.g. 2702). These APs encapsulate the RAs in CAPWAP. However, the RAs are never decapsulated and transmitted on the wire.
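Added example (not part of the original posts and not Cisco tooling): one way to approach the "how to confirm" question from the capture side is to scan frames exported from the packet capture for Router Advertisements (ICMPv6 type 134) whose source MAC is not a known router. The MAC addresses, sample frames and function names are constructed for illustration, and the parser looks only at native or 802.1Q-tagged IPv6 frames, not at CAPWAP payloads.

```python
import ipaddress
import struct

ETH_IPV6, ETH_VLAN = 0x86DD, 0x8100
ICMPV6, RA_TYPE = 58, 134
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options

def parse_ra(frame):
    """Return (src_mac, src_ip, hop_limit) if frame is an ICMPv6 RA, else None."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12].hex(":")
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETH_VLAN and len(frame) >= 18:  # skip one 802.1Q tag
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETH_IPV6 or len(frame) < off + 40:
        return None
    next_hdr, hop_limit = frame[off + 6], frame[off + 7]
    src_ip = ipaddress.IPv6Address(frame[off + 8:off + 24])
    off += 40
    # Walk extension headers so an RA placed behind them is still found.
    while next_hdr in EXT_HEADERS and len(frame) >= off + 2:
        next_hdr, off = frame[off], off + (frame[off + 1] + 1) * 8
    if next_hdr == ICMPV6 and len(frame) > off and frame[off] == RA_TYPE:
        return src_mac, str(src_ip), hop_limit
    return None

def unexpected_ras(frames, allowed_router_macs):
    """RAs in the capture whose source MAC is not a known router."""
    hits = [parse_ra(f) for f in frames]
    return [h for h in hits if h and h[0] not in allowed_router_macs]

def _frame(src_mac, src_ip, icmp_type, hbh=False):
    """Build a constructed sample frame (ICMPv6 checksum left at zero)."""
    icmp = bytes([icmp_type, 0, 0, 0]) + bytes(12)
    ext = bytes([ICMPV6, 0]) + bytes(6) if hbh else b""
    ip6 = struct.pack("!IHBB", 6 << 28, len(ext) + len(icmp), 0 if hbh else ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001" + src_mac.replace(":", "")) + struct.pack("!H", ETH_IPV6)
    return eth + ip6 + ext + icmp

ROUTER = "00:00:5e:00:53:01"  # constructed MACs from the documentation range
CLIENT = "00:00:5e:00:53:aa"
SAMPLE = [_frame(ROUTER, "fe80::1", 134), _frame(CLIENT, "fe80::aa", 134),
          _frame(CLIENT, "fe80::aa", 134, hbh=True), _frame(CLIENT, "fe80::aa", 135)]

if __name__ == "__main__":
    print(unexpected_ras(SAMPLE, {ROUTER}))
```

An empty result for a capture taken while a test client is sending RAs means none of them reached that capture point.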