Saturday, March 29, 2014

Protection from rogue RA advertisements on Cisco

Cisco has a feature simply called ipv6 nd raguard.

RA Guard allows you to inspect and drop router advertisements from rogue devices. This security feature protects SLAAC-enabled clients from picking up rogue gateways.

We will explore a very basic configuration that I have used for access-layer security.


The topology


The IPv6 router configuration for the Cisco 6509:

NOTE: I decreased the RA interval to speed up the debug log messages for this blog; the RA interval will be 4 seconds.


The local switch RA Guard policies for this blog:

Let's stop and explain the RA Guard policies that I've configured.

The policy named "ROUTER-RA" will be applied to a router port, whereas "CLIENT-RA" will be applied to all other ports.

ROUTER-RA carries the inspection checks for the advertisements we expect to receive from the router.

CLIENT-RA has a single prefix-list with a deny any.

The device-role has been set to "host", so the port should not expect any router advertisement. I also applied a prefix-list matching the client ports as a safeguard in case someone accidentally changes the device-role.

The ROUTER-RA policy has a prefix-list named test1, which matches the prefix 2001:db8:98::/64, the one we want our clients in VLAN 298 to receive.

I created a second prefix-list named test2, which we will use to demonstrate the drop action upon receipt of a prefix that doesn't match 2001:db8:97::/64.

On the access switch we can monitor RA Guard in action via the following debug commands:

debug ipv6 snooping raguard 
term mon


Applying the policy to ports gi 1/0/1-48 (clients) and our uplink ports gi 1/0/49-52 (routers):
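The configuration walked through above, written out as an added example rather than the screenshots from this post. The prefix-list name CLIENT-DENY, the SVI address on the 6509, and the sequence numbers are my assumptions; the policy names, prefixes, ports and RA interval come from the post.

```cisco
! --- 6509 (router side): advertise 2001:db8:98::/64 to VLAN 298 ---
! RA interval shortened to 4 seconds, as in the post, only to make debug output faster
interface Vlan298
 ipv6 address 2001:db8:98::1/64
 ipv6 nd ra-interval 4
!
! --- access switch: prefix lists referenced by the RA Guard policies ---
! test1 = the prefix clients in VLAN 298 are allowed to receive
ipv6 prefix-list test1 seq 5 permit 2001:db8:98::/64
! test2 = a prefix that does NOT match the real RA; used to demonstrate the drop
ipv6 prefix-list test2 seq 5 permit 2001:db8:97::/64
! CLIENT-DENY (assumed name): matches nothing, so any RA on a client port is dropped
! even if someone later changes the device-role away from "host"
ipv6 prefix-list CLIENT-DENY seq 5 deny ::/0 le 128
!
! --- RA Guard policies ---
ipv6 nd raguard policy ROUTER-RA
 device-role router
 match ra prefix-list test1
!
ipv6 nd raguard policy CLIENT-RA
 device-role host
 match ra prefix-list CLIENT-DENY
!
! --- attach: clients on 1/0/1-48, uplinks towards the router on 1/0/49-52 ---
interface range GigabitEthernet1/0/1 - 48
 ipv6 nd raguard attach-policy CLIENT-RA
!
interface range GigabitEthernet1/0/49 - 52
 ipv6 nd raguard attach-policy ROUTER-RA
!
! --- verification (exec mode) ---
! show ipv6 nd raguard policy ROUTER-RA
! debug ipv6 snooping raguard   (with "terminal monitor" to see it on the vty)
```

To reproduce the drop shown next, swap "match ra prefix-list test1" for test2 under ROUTER-RA; the real RA carries 2001:db8:98::/64, which test2 does not permit.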

Okay now for the fun :)

With the match prefix-list test2 (2001:db8:97::/64), we can clearly see RA Guard in action, dropping the offending prefix 2001:db8:98::/64.

If we change the match prefix-list to test1 (2001:db8:98::/64), we will find that RA Guard now allows the prefix we have defined. We can also see that a client has obtained an IPv6 address from the prefix in the router advertisement.

NOTE: by the way, if a client access port with device-role "host" receives a router advertisement, this is the message you will see.

Ken Felix
Freelance Network/Security Engineer
kfelix -a-t  socpuppets-d-o-t- com
