C9800: IPv6 Router-Advertisement (RA) Guard

Johannes Luther
Level 4

Hi board,

I'm confused regarding the IPv6 RA guard on the Cisco 9800 WLC.

First of all - when coming from AireOS, it's not clear from the documentation where the IPv6 RA guard is enforced. On the AP or on the WLC?


Secondly, the documentation is pretty unclear on this topic.

9800 IPv6 deployment guide 

It states that the IPv6 RA guard is disabled by default, and the image in the corresponding chapter shows the AP throwing the RA from a wireless client into a recycle bin (not the WLC). However, the config example is on a layer-3 interface on the WLC:

interface vlan<VLAN-ID>
 ... 
 ipv6 nd ra suppress all
!

Seriously? You need a Layer-3 interface on the WLC to implement RA guard? Catalyst switches are able to do this using an FHS policy. This must be a documentation fault, right?!


In another document, the official config guide, the following is stated:

... By default, RA guard is always enabled on the controller ...

So what's true now?


I captured packets on the WLC port-channel towards the wired infrastructure using the embedded packet capture.

I have a test case where a wireless client sends RAs using scapy:

from scapy.all import IPv6, ICMPv6ND_RA, send
# unsolicited RA to the all-nodes multicast group, sent from the wireless client's interface
send(IPv6(dst="ff02::1")/ICMPv6ND_RA(), iface="wlan0")

The RA is not seen on the WLC Port-Channel towards the layer-3 switch. So it must be dropped somewhere.

- First question: Where?

- Second question: Why?

- Third question: How to confirm? There must be a show output. The AireOS equivalent is:

show ipv6 ra-guard ap summary
show ipv6 ra-guard wlc summary

Anybody have thoughts on this?

Accepted Solution

Johannes Luther
Level 4

At the end of the day I opened a TAC case with the following results:

  • The AP drops IPv6 RA packets irrespective of the AP mode
  • There is no need for any further config on the 9800 at all for this to work and by default RA guard is enabled on AP/WLC.
  • There are no show commands available on AP or WLC to check RA drops

Because of this SR, two new bug IDs were opened:

CSCvz54812: AireOS parity : need show commands to verify ipv6 ra
=> My guess is that this will never be implemented.

CSCvz54869: RA guard section on the Ipv6 deployment guide needs update

As a side note: I tested various AP models (release 17.9.4). All of them drop RAs at the AP level (so the RA is never encapsulated in CAPWAP in local mode).

One exception is old IOS-based APs (e.g. 2702). These APs encapsulate the RAs in CAPWAP. However, the RAs are never decapsulated and transmitted on the wire.

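Since the TAC answer above says there is no show command for RA drops, the only way to confirm the behaviour is a capture on the wired side, as the question describes. As an added example that is not part of the original thread, this stdlib-only Python parser walks raw Ethernet frames (constructed in-line here instead of read from a pcap) and reports any ICMPv6 Router Advertisement that did not come from the known router's link-local address or that carries a hop limit other than 255; all MAC and IPv6 addresses are made-up assumptions.

```python
import ipaddress
import struct

ETH_IPV6 = 0x86DD   # EtherType for IPv6
ICMPV6_RA = 134     # ICMPv6 type 134: Router Advertisement (RFC 4861)
ALL_NODES = "ff02::1"

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_ra_frame(src_mac, src_ll, hop_limit=255):
    """Constructed sample: minimal Ethernet/IPv6/ICMPv6 RA frame (ICMPv6 checksum left zero; the parser below does not verify it)."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)  # next header 58 = ICMPv6
    ip6 += ipaddress.IPv6Address(src_ll).packed + ipaddress.IPv6Address(ALL_NODES).packed
    eth = _mac("33:33:00:00:00:01") + _mac(src_mac) + struct.pack("!H", ETH_IPV6)
    return eth + ip6 + icmp

def parse_ra(frame):
    """Return (src_mac, src_ipv6, hop_limit) for an ICMPv6 RA frame, else None. Plain IPv6 header only; extension headers are not walked."""
    if len(frame) < 14 + 40 + 16 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[0] >> 4 != 6 or ip6[6] != 58 or frame[54] != ICMPV6_RA:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, str(ipaddress.IPv6Address(ip6[8:24])), ip6[7]

def find_unexpected_ras(frames, allowed_routers):
    """Report RAs not sourced from an authorised router link-local, or with hop limit != 255 (RFC 4861 requires 255, so a relayed RA fails this)."""
    findings = []
    for frame in frames:
        parsed = parse_ra(frame)
        if parsed and (parsed[1] not in allowed_routers or parsed[2] != 255):
            findings.append(parsed)
    return findings

# Constructed capture: the legitimate upstream router's RA, an unrelated ARP frame,
# and the kind of RA a wireless client would inject (which RA guard should drop).
SAMPLE_FRAMES = [
    build_ra_frame("00:11:22:33:44:55", "fe80::1"),
    _mac("ff:ff:ff:ff:ff:ff") + _mac("00:11:22:33:44:55") + struct.pack("!H", 0x0806) + b"\x00" * 46,
    build_ra_frame("de:ad:be:ef:00:01", "fe80::dead:beef"),
]
LEGITIMATE_ROUTERS = {"fe80::1"}

if __name__ == "__main__":
    for mac, ip6, hl in find_unexpected_ras(SAMPLE_FRAMES, LEGITIMATE_ROUTERS):
        print(f"unexpected RA on the wire: src {ip6} ({mac}), hop limit {hl}")
```

Run against frames exported from the WLC embedded packet capture, an empty result means no client RA reached the wire, which is what the TAC finding predicts.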

