This topic is to discuss the following lesson:
Are you using real gear or vIOS?
Hello Heriberto
As far as I know, for most of Rene's labs he uses Cisco's VIRL.
Laz
Hi, so I'm trying to understand what's going on with this, so I've created the test setup in CML2 and, looking at the commands, should the command be
show ipv6 route nd instead of
show ipv6 route static ?
as when I type in show ipv6 route static I don't see any entries
but if I type in
H1#sh ipv6 route nd
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
RL - RPL, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
la - LISP alt, lr - LISP site-registrations, ld - LISP dyn-eid
lA - LISP away, a - Application
ND ::/0 [2/0]
via FE80::5054:FF:FE10:83BD, GigabitEthernet0/1
NDp 2001:DB8:0:1::/64 [2/0]
via GigabitEthernet0/1, directly connected
NDp 2001:DB8:BAD:BAD::/64 [2/0]
via GigabitEthernet0/1, directly connected
H1#
Andy
Hello Andy
Yes, you seem to be correct. The default route that will appear in H1 should be learned via NDP from either the legitimate or the hijacker router, and should not appear as a static route. I will let Rene know about this to modify the content…
Thanks again!
Laz
Hello,
I am trying to implement RAguard attach-policy on the interface but I get this message:
% Hardware failure
I am labbing on a vIOS VIRL image with EVE-NG. Is that due to the virtual appliance that doesn't support the feature, or am I missing something?
Does it work for someone ?
Thank you
Mathieu.
Hello Mathieu
Hmm, that's strange. I tried labbing this up in CML and it worked fine for me. I tried searching for similar circumstances that others may have faced for this command, but I was unable to find any additional information. Can you attempt to recreate the same scenario on GNS3 to see if you get a similar result? Check it out and let us know…
I hope this has been helpful!
Laz
Hello @lagapidis thank you for your reply and sorry I had no time to test on gns3.
I need to deploy a new instance. I will try ASAP
Cheers
So here is a related question… I have a router that is taking in a trunk from my switch. This trunk has 4 VLANs going over it (all in different VRF-lite entries on the router, if that matters). Does applying this policy on a trunk do anything? Does it affect all VLANs, or is it an access-port-only policy? If it is only an access-port policy, then how do I apply the server policy to the router port?
Marcos
Hello Marcos
You can apply this command to a trunk port, and it will apply the feature to all VLANs on the trunk. Looking at the command reference (see below) you can see that there are additional keywords that you can use to specify on which VLAN you want the policy to be applied. If you don't specify a VLAN, it will apply it to all of them. Take a look at this command reference for details:
I hope this has been helpful!
Laz
Hi Rene,
I downloaded the RA-Guard lab from your GitHub and it is running on CML 2.9.1. The switch that sits between the devices is an IOSvL2 switch. The topic did not mention certain steps, as this switchport needs to be made a routed port in order to get the 'nd' sub-commands. Also, the command ipv6 nd raguard attach-policy HOSTS cannot be applied, as the only options that seem available are as below:
SW1(config-if)#ipv6 nd ra ?
dns DNS
dns-search-list DNS Search List
hop-limit IPv6 RA hop-limit value
interval Set IPv6 Router Advertisement Interval
lifetime Set IPv6 Router Advertisement Lifetime
mtu IPv6 RA MTU Option
solicited Set solicited Router Advertisement response method
suppress Suppress IPv6 Router Advertisements
I tried with the suppress command and it does the trick. However, since the lifetime is 1800 sec, it doesn't choose the default route pointing to R1 straight away. I had to manually clear the IPv6 neighbors for this to take effect.
H1#sh ipv6 routers
Router FE80::5054:FF:FE97:F81A on GigabitEthernet0/1, last update 9 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=High
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Prefix 2001:DB8:BAD:BAD::/64 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800
Router FE80::5054:FF:FE12:3452 on GigabitEthernet0/1, last update 0 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=Medium
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Prefix 2001:DB8:0:1::/64 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800
H1#clear ipv6 neighbors
H1#sh ipv6 routers
Router FE80::5054:FF:FE12:3452 on GigabitEthernet0/1, last update 0 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=Medium
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Prefix 2001:DB8:0:1::/64 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800
Router FE80::5054:FF:FE97:F81A on GigabitEthernet0/1, last update 9 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=High
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Prefix 2001:DB8:BAD:BAD::/64 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800
H1#sh ipv6 route
IPv6 Routing Table - default - 6 entries
ND ::/0 [2/0]
via FE80::5054:FF:FE12:3452, GigabitEthernet0/1
NDp 2001:DB8:0:1::/64 [2/0]
via GigabitEthernet0/1, directly connected
L 2001:DB8:0:1:5054:FF:FE94:CD25/128 [0/0]
via GigabitEthernet0/1, receive
NDp 2001:DB8:BAD:BAD::/64 [2/0]
via GigabitEthernet0/1, directly connected
L 2001:DB8:BAD:BAD:5054:FF:FE94:CD25/128 [0/0]
via GigabitEthernet0/1, receive
L FF00::/8 [0/0]
via Null0, receive
H1#
Also, another thing is that I can actually configure the policy on SW1 as per the lesson but it cannot be applied to the interface towards H2 as there is no option as mentioned earlier!
Hello Jeffin
Thanks for taking the time to share this with us, it is invaluable. Let me share my thoughts with you about your approach.
First of all, you issued the ipv6 nd ra ? context-sensitive help command, which gives you output that is different from the intended ipv6 nd raguard... command. The specific command you are displaying here has to do with router advertisement control:
SW3(config-if)#ipv6 nd ?
advertisement-interval Send an advertisement interval option in RA's
autoconfig Automatic Configuration
cache Cache entry
dad Duplicate Address Detection
destination-guard Query destination-guard switch table
managed-config-flag Hosts should use DHCP for address config
na Neighbor Advertisement control
ns-interval Set advertised NS retransmission interval
nud Neighbor Unreachability Detection
other-config-flag Hosts should use DHCP for non-address config
prefix Configure IPv6 Routing Prefix Advertisement
ra Router Advertisement control
reachable-time Set advertised reachability time
router-preference Set default router preference value
Maybe you wanted to issue the ipv6 nd ra? context-sensitive help command, without a space before the '?'. That would include the ipv6 nd raguard command. Also note that the raguard command and its features are strictly a Layer 2 mechanism, so they would not work on a routed port. The ra command subset (router advertisement control) in your output, including the suppress keyword, is a completely different feature.
The command ipv6 nd ra suppress tells that interface to stop sending Router Advertisements. It does NOT inspect incoming RA packets from other devices, block or filter RAs arriving on that interface, or provide the same security function as RA Guard.
In any case, I went into CML, and I confirm that the IPv6 commands dealing with raguard were not available on the switch (vios_l2-ADVENTERPRISEK9-M) in interface configuration mode. It looks like the problem is that the specific image does not support these features. RA Guard requires specific hardware/IOS feature support, and the IOSvL2 image used in CML does not fully implement it.
This is expected behavior. When you stop the rogue RAs, either via suppress or any other method, the rogue router just goes "silent." H1 doesn't receive any new RAs, but it doesn't know it's gone; it simply waits for the timer to expire. Running clear ipv6 neighbors forces the cache to flush, triggering immediate route re-evaluation, as you observed.
Unfortunately, it seems the specific image is insufficient to apply these features. I hope that sharing this information will be helpful for you to further understand the concepts involved.
I hope this has been helpful!
Laz
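To make the timer behaviour Laz describes concrete, here is a small model of a host's Default Router List as RFC 4861 (section 6.3.4) and RFC 4191 (router preference) define it. This is an added illustration, not code from the lesson, the thread or the GitHub lab; the two link-local addresses, the 1800-second Router Lifetime and the High/Medium preferences are taken from the H1 output posted above and used here as constructed input, and the 200-second RA interval is the IOS default. The lifetime-0 withdrawal case comes from RFC 4861, not from the thread, and the tie-break among equal-preference routers is a simplification of the RFC.

```python
"""Toy model of a host's IPv6 Default Router List (RFC 4861 6.3.4 with
RFC 4191 preferences), showing why a silenced rogue router keeps being
the default router until its advertised Router Lifetime expires."""
from dataclasses import dataclass

# Constructed input taken from the 'show ipv6 routers' output in the thread.
LEGIT = "FE80::5054:FF:FE12:3452"   # R1, Preference=Medium
ROGUE = "FE80::5054:FF:FE97:F81A"   # hijacker, Preference=High
LIFETIME = 1800                      # Router Lifetime advertised by both
RA_INTERVAL = 200                    # IOS default 'ipv6 nd ra interval' (seconds)

PREF_RANK = {"high": 2, "medium": 1, "low": 0}


@dataclass
class RouterEntry:
    lladdr: str
    expires_at: int
    preference: str


class DefaultRouterList:
    """Entries carry the advertised Router Lifetime and are dropped only when
    it runs out (or when the router itself advertises a lifetime of 0)."""

    def __init__(self):
        self.entries = {}

    def receive_ra(self, now, lladdr, router_lifetime, preference="medium"):
        # RFC 4861 6.3.4: Router Lifetime 0 means "not a default router",
        # so the entry is removed at once instead of being refreshed.
        if router_lifetime == 0:
            self.entries.pop(lladdr, None)
            return
        self.entries[lladdr] = RouterEntry(lladdr, now + router_lifetime, preference)

    def expire(self, now):
        # Remove every router whose lifetime has run out at time 'now'.
        for addr in [a for a, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[addr]

    def default_router(self, now):
        self.expire(now)
        if not self.entries:
            return None
        # RFC 4191: highest preference wins. Tie-break on address is an
        # assumption here; the RFC leaves the choice among equals open.
        best = max(self.entries.values(),
                   key=lambda e: (PREF_RANK[e.preference], e.lladdr))
        return best.lladdr


def silenced_rogue():
    """The rogue sends one RA at t=0 and is then silenced (dropped by RA Guard,
    or 'ipv6 nd ra suppress' on the rogue). R1 keeps advertising every
    RA_INTERVAL seconds. Returns {time: selected default router}."""
    drl = DefaultRouterList()
    drl.receive_ra(0, ROGUE, LIFETIME, "high")
    selected = {}
    for t in range(0, 2 * LIFETIME + 1, RA_INTERVAL):
        drl.receive_ra(t, LEGIT, LIFETIME, "medium")
        selected[t] = drl.default_router(t)
    return selected


def withdrawn_rogue():
    """A router that advertises Router Lifetime 0 is removed immediately,
    with no wait for the old 1800-second timer."""
    drl = DefaultRouterList()
    drl.receive_ra(0, LEGIT, LIFETIME, "medium")
    drl.receive_ra(0, ROGUE, LIFETIME, "high")
    drl.receive_ra(5, ROGUE, 0, "high")
    return drl.default_router(5)


if __name__ == "__main__":
    for t, r in silenced_rogue().items():
        print(f"t={t:4d}s default router {r}")
    print("after lifetime-0 RA from rogue:", withdrawn_rogue())
```

Running the script shows the rogue (High preference) staying the default router at every step up to t=1600 s and R1 taking over only at t=1800 s, when the rogue's lifetime expires; the second function shows that a router which withdraws itself with a lifetime of 0 disappears at once.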
Thank you Laz. Much appreciated for the time taken to explain.
I did try the option you mentioned without the space between ra and ?. It did not give me the required command subsets. So it's indeed the issue with the IOS platform my switch is using then.
Since I downloaded this lab from Rene's GitHub folder, I assumed I could use all commands Rene uses on the labs shown when explaining concepts. I will try with a different switch image and see if that helps.
Thanks again and hope you have a great weekend!
Cheers
Jeffin
Hello Jeffin
Thanks for confirming. I will let @ReneMolenaar know to take a look and weigh in on this as well, since you did get the lab from Rene's GitHub, and we'll see what he says… In the meantime, let us know your progress with your experimentation.
Thanks again!
Laz