5442 Views | 30 Helpful | 7 Replies

IPv6 nd raguard policy

afsharmilad89
Level 1

Hi Dear All,

I want to filter the RA packets by using IPv6 nd raguard feature, when I try to create a policy with this command "ipv6 nd raguard policy TEST" it gives me this message: "Service not enabled"

Does anyone know which feature or service exactly must be enabled?

Device: Nexus7700
Software
BIOS: version 3.1.0
kickstart: version 8.2(1)
system: version 8.2(1)
BIOS compile time: 02/27/2013
kickstart image file is: bootflash:///n7700-s2-kickstart.8.2.1.bin
kickstart compile time: 8/30/2017 23:00:00 [09/27/2017 15:07:16]
system image file is: bootflash:///n7700-s2-dk9.8.2.1.bin
system compile time: 8/30/2017 23:00:00 [09/27/2017 18:37:07]

Many thanks

Milad

7 Replies

Peter Paluch
Cisco Employee

Hi Milad,

Can you try enabling feature fhs? The FHS stands for First Hop Security and encompasses RA Guard, DHCPv6 Guard, and IPv6 Snooping:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/security/config/cisco_nexus7000_security_config_guide_8x/configuring_ipv6_first_hop_security.html

Best regards,
Peter
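The "Service not enabled" error in the original question is what NX-OS returns when the policy command is entered before the feature is turned on. The following is an added configuration example, not taken from the thread or from Cisco documentation, showing the sequence Peter describes: enable the feature first, then define the policy, then attach it to the host-facing switchports. It assumes an N7K running NX-OS 8.x, with Ethernet1/1 as a host-facing access port in VLAN 100 and Ethernet1/2 as the uplink to the legitimate IPv6 router; the interface names, VLAN number and policy names are placeholders, and the `device-role` and `attach-policy` keywords should be checked against the linked First Hop Security guide for the running release.

```cisco
! Added example; assumes NX-OS 8.x on Nexus 7000 (interface names and VLAN are placeholders).
! Step 1: without this, "ipv6 nd raguard policy ..." fails with "Service not enabled".
feature fhs

! Step 2a: policy for host-facing ports. Hosts never legitimately send RAs, so any RA
! arriving on a port with device-role host is dropped before it can be flooded.
ipv6 nd raguard policy HOST-PORTS
  device-role host

! Step 2b: policy for the port facing the real IPv6 router, where RAs are expected.
ipv6 nd raguard policy ROUTER-UPLINK
  device-role router

! Step 3: attach the policies at the switchport level (not on an SVI).
interface Ethernet1/1
  switchport
  switchport mode access
  switchport access vlan 100
  ipv6 nd raguard attach-policy HOST-PORTS

interface Ethernet1/2
  switchport
  ipv6 nd raguard attach-policy ROUTER-UPLINK
```

The point of the two policies is that RA Guard is a per-port trust decision: every host port gets the `host` role, and only the port(s) where the legitimate router is reachable get the `router` role. Applying the policy on an SVI would not sit in the path of the flooded multicast frames, which is why the platform does not offer it there.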

Hello Peter,

Thanks for your quick response. I enabled the fhs feature and created the policy, but it seems there is no way to assign the policy under interface vlan; according to our topology, I need to filter RA packets on the VDCs except the admin VDC and also under interface vlan.

Is there any chance?

Many thanks

Milad

Hi Milad,

Applying the RA Guard to an SVI (an "interface Vlan") does not make much sense. The RA Guard is supposed to prevent unauthorized IPv6 RAs from untrusted hosts to leak into your network, and that is done on the switchport level.

Why do you believe you need to apply the RA Guard to an SVI?

Best regards,
Peter

Our host servers are connected to a Nexus 5K, and we have a vPC link between the 5K and the 7K. AFAIK it's not possible to attach a raguard policy under the vPC link, and I also couldn't find any document regarding filtering RA packets on Nexus 5K, so I decided to filter RAs under the SVI on the 7K.

Hi Milad,

Thank you for the clarification.

Unfortunately, in this design, the RA Guard would not be of much use, either. Think of this: You have a bunch of host servers connected to N5K, and one of them starts sending unauthorized IPv6 RAs. Even if you could filter them out on the vPC toward the N7K, the RAs would still be flooded across the ports of the same VLAN on the N5K, and possibly cause harm. Remember: To a switch, IPv6 RAs are just multicast frames, and are flooded within their VLAN. The RA Guard drops unauthorized RAs before they get flooded, but an SVI has nothing to do with this flooding, and that is why you cannot even apply the RA Guard to an SVI.

The IPv6 RA is an access layer protection mechanism, and to have any sensible effect, it must be activated on the access ports closest to the attached hosts. Activating it at any higher layer in the network will leave the lower network layers unprotected and still vulnerable.

Unfortunately, Nexus 5000 series switches do not support the IPv6 RA Guard, so the only remaining option I can see is to use VACLs (vlan access-map, vlan filter) where you would drop all RAs except those sourced from your legitimate IPv6 routers, applied on the N5K to the entire VLANs with your host servers. It is not an ideal solution but likely the closest one to the RA Guard you can get.

Best regards,
Peter
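The VACL workaround Peter suggests can be expressed as an IPv6 ACL that matches ICMPv6 Router Advertisements (ICMPv6 type 134) and a VLAN access-map that forwards RAs only from the known router while dropping all other RAs. This is an added example, not from the thread or from Cisco documentation, and it assumes an N5K image that supports IPv6 ACLs and `match ipv6 address` in a VLAN access-map, VLAN 100 as the host-server VLAN, and `fe80::1` as the link-local source address of the legitimate router (all placeholders). Whether frames that match no access-map entry are forwarded or dropped by default should be verified on the platform; the explicit catch-all entries below are there so the map does not depend on that default for IP traffic.

```cisco
! Added example; assumes Nexus 5500 NX-OS with IPv6 VACL support.
! VLAN 100 and fe80::1 are placeholders for the host VLAN and the real router's link-local address.

! RAs from the legitimate router (RAs are always sourced from a link-local address).
ipv6 access-list RA-FROM-ROUTER
  10 permit icmp host fe80::1 any router-advertisement

! Any other RA, regardless of source: these are the rogue ones to drop.
ipv6 access-list RA-ANY
  10 permit icmp any any router-advertisement

! Catch-all lists so ordinary IPv6 and IPv4 traffic keeps flowing.
ipv6 access-list ANY-V6
  10 permit ipv6 any any
ip access-list ANY-V4
  10 permit ip any any

! Entries are evaluated in sequence order; the first match decides the action.
vlan access-map BLOCK-ROGUE-RA 10
  match ipv6 address RA-FROM-ROUTER
  action forward
vlan access-map BLOCK-ROGUE-RA 20
  match ipv6 address RA-ANY
  action drop
vlan access-map BLOCK-ROGUE-RA 30
  match ipv6 address ANY-V6
  action forward
vlan access-map BLOCK-ROGUE-RA 40
  match ip address ANY-V4
  action forward

! Apply to every VLAN that carries host servers.
vlan filter BLOCK-ROGUE-RA vlan-list 100
```

The ordering matters: the forward entry for the legitimate router must precede the drop entry for all RAs, because a VACL stops at the first matching sequence. This filter is weaker than RA Guard in one respect worth knowing about: it trusts a link-local source address, which an attacker on the same VLAN can spoof, so it stops misconfigured hosts and accidental RAs rather than a deliberate attacker, and it should be reviewed whenever the router's link-local address changes.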

Thanks for your help Peter :)
Merry Christmas!

Milad,

You are very much welcome! Thank you - merry Christmas / nice holidays to you, too, and all the very best in 2018! :)

Best regards,
Peter
