Cisco has a feature simply called ipv6 nd raguard.
RAguard allows you to inspect and drop router advertisements from rogue devices. This security feature protects SLAAC-enabled clients from picking up rogue gateways.
We will explore a very basic configuration that I have used for access-layer security.
1st
The topology
2nd
The IPv6 router configuration for the Cisco 6509:
NOTE: I decreased the router-advertisement interval to speed up the debug log messages for this blog. The RT-ADV interval will be 4 seconds.
3rd
The local switch RAguard policies for this blog:
Let me stop to explain the RAguard policies that I've configured.
The policy named "ROUTER-RA" will be applied to a router port, whereas "CLIENT-RA" will be applied to all other ports.
ROUTER-RA holds the inspection rules for the router advertisements we expect to see.
CLIENT-RA has a single prefix-list with a deny any.
The device-role has been set to "host", so the port should not expect any Route-Advertisement. I also applied a prefix-list matching clientports as a safeguard in case someone accidentally changes the device-role.
The ROUTER-RA policy has a prefix-list named test1, which matches the prefix 2001:db8:98::/64, the prefix that we want our clients in VLAN 298 to receive.
I created a 2nd prefix-list named test2, which we will use to demonstrate the drop action upon receipt of a prefix that doesn't match 2001:db8:97::/64.
On the access switch we can monitor RAguard in action via the following debug commands:
debug ipv6 snooping raguard
term mon
4th
Applying the policy to ports gi 1/0/1-48 (clients) and our uplink ports gi 1/0/49-52 (routers):
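A sketch of the switch-side configuration that steps 3 and 4 describe, given as an added example and not the author's original configuration. The prefix-list entries, and the use of "clientports" as the name of the deny-any prefix-list, are assumptions based on the text.

```cisco
! Added example: assumed reconstruction of the access-switch config described above.
! Prefix-list contents and the name "clientports" are assumptions from the text.
ipv6 prefix-list test1 seq 5 permit 2001:DB8:98::/64
ipv6 prefix-list test2 seq 5 permit 2001:DB8:97::/64
ipv6 prefix-list clientports seq 5 deny ::/0 le 128
!
! Uplink policy: RAs are expected, but only with the prefix we intend to advertise.
ipv6 nd raguard policy ROUTER-RA
 device-role router
 ! Swap test1 for test2 here to reproduce the drop of 2001:db8:98::/64
 match ra prefix-list test1
!
! Client policy: device-role host drops every RA; the deny-any prefix-list
! is the safeguard if the device-role is ever changed by mistake.
ipv6 nd raguard policy CLIENT-RA
 device-role host
 match ra prefix-list clientports
!
interface range GigabitEthernet1/0/1 - 48
 ipv6 nd raguard attach-policy CLIENT-RA
!
interface range GigabitEthernet1/0/49 - 52
 ipv6 nd raguard attach-policy ROUTER-RA
```

After attaching, show ipv6 nd raguard policy ROUTER-RA lists the policy settings and the ports the policy is applied to.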
Okay now for the fun :)
With the match prefix-list test2 (2001:db8:97::/64), we can clearly see RAguard in action, dropping the offending prefix of 2001:db8:98::/64.
If we change the match prefix-list to test1 (2001:db8:98::/64), we will find that RAguard now allows the prefix that we have defined. We can also see that a client has obtained an IPv6 address from the prefix in the route-advertisement.
NOTE: btw, if a client access port with the device-role of "host" receives a Route-Advertisement, this is the message you will see.
Ken Felix
Freelance Network/Security Engineer
kfelix -a-t socpuppets-d-o-t- com