IPv6 ND Inspection

This topic is to discuss the following lesson:

Seems to be a typo:
“R1 and R2 are two legitimate devices with IPv6 addresses. I will use R3 to spoof an IPv6 address, SW1 is where we configure ND inspection.”

In the network diagram you have H1 and H2 instead of R1 and R2

Hello Elias

Thanks for pointing that out. I’ll let Rene know…

Laz

Hi Community !

I am finding that most of the IPv6 first hop security topics (RA Guard, DHCP Guard, ND Inspection, etc.) are NOT working with the Cisco VIRL switch version below.
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20180619)FLO_DSGS7

This is a very important MUST PRACTICE topic on the ENARSI exam. Please suggest a suitable VIRL Cisco image.

Hello Raghu

You are correct. It seems that this particular switch version is behaving strangely. It has the ipv6 nd command available, but if you add anything after that, it says “unrecognized command.”

SW1(config)#inter gig 0/1

SW1(config-if)#ipv6 n?
nd  next-hop-self  

SW1(config-if)#ipv6 nd ?
% Unrecognized command
SW1(config-if)#ipv6 nd

Based on this Cisco Learning Network thread, others have faced similar situations. Still, others are able to implement RA Guard on this image. According to this documentation, it seems that IPv6 is not supported by this image (even though some of the commands appear!!):

One option is to use NX-OSv, which supports it. The commands are almost the same and the logic is the same. Alternatively, you can try downgrading to the previous IOSvL2 version, as some threads state that this may resolve the issue.

Let us know how you get along!

I hope this has been helpful!

Laz

Hi Lazaros,

Could you please share the procedure to downgrade Cisco VIRL Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20180619)?

Raghunath

Hello Raghu

Looking a little deeper, I see that someone using vIOS_L2 version 15.2(4.0.55)E was able to get the ipv6 nd ? commands to work. You can see this in the following Cisco Learning Network thread:

https://learningnetwork.cisco.com/s/question/0D53i00001KWs8U/ipv6-first-hop-security-on-layer-2-switch

I suggest you go to the CML site where you can download the various vIOS versions available. But you will need a CML subscription to do so.

For detailed information about how to install the vIOS images, you will have to view Cisco’s CML support pages found here:

I hope this has been helpful!

Laz

Thanks for your explanation,

Please, what about this section:
“Let’s get rid of R3 and clean up the policy before we continue:” (second command)

I think it’s missing "no".
:wink:

Hello Abu

Yes, you are correct, thanks for pointing that out! I will let Rene know to make the correction…

Laz

In this case, it should be shutdown because I’m getting rid of R3 before we continue. :slight_smile: