- Configure IPv6 RA Guard on SW3 for all current and future hosts in VLAN 11.
- Allow R4's FE80::4 link-local address to send RA messages, but only for the 2001::/64 prefix.
- R6 should not be affected by the above configurations.
- Configure R5 for SLAAC.
About Initial Configuration Files: For this task, you must load the initial configuration files for the section, which can be found in the Section 2 Introduction task or by clicking the Resources button.
If you have completed previous tasks in this section, the simplest way to revert to the initial configurations is by using the command configure replace nvram:startup-config instead of reloading the devices. This command, however, is not supported by the ASA.
IPv6 Neighbor Discovery Protocol (NDP) can be seen as an unauthenticated application running on top of ICMPv6; it uses link-local source addresses (required to accomplish its role) and is multicast based for efficiency. It replaces the ARP protocol from IPv4, but it has additional functions:
- IPv6 router discovery
- IPv6 address autoconfiguration, also known as stateless address autoconfiguration (SLAAC)
- IPv6 address resolution, which replaces Address Resolution Protocol (ARP)
- IPv6 neighbor reachability, also known as neighbor unreachability detection (NUD)
- IPv6 duplicate address detection (DAD), which works for both link-local addresses and global addresses assigned through SLAAC
- IPv6 redirection, the IPv6 equivalent of the ICMP redirect from IPv4
In IPv6, hosts can obtain IP addresses in four ways:
- Manual/static configuration.
- Dynamic stateless autoconfiguration (through SLAAC); this is similar to APIPA from IPv4, except that the prefix is not fixed: it is routable and dynamically learned through router advertisement (RA) messages from the routers available on the segment.
- Dynamic stateful DHCPv6 configuration; DHCPv6 is used for most IPv6 client configuration, except for the default gateway.
- Dynamic stateless DHCPv6 configuration; SLAAC is used for IPv6 address configuration and DHCPv6 for other parameters, such as the domain name and DNS servers.
Several pieces of information can be found within RA messages, but the most important and relevant are:
- IPv6 global unicast prefixes (there can be one or more, required to be /64 for SLAAC).
- IPv6 global unicast address of the router (one for each advertised prefix).
- IPv6 SLAAC (autoconfiguration) flag, signaling to hosts whether the received information can be used for SLAAC.
For IPv6 /64 prefixes advertised with the SLAAC flag, hosts will autoconfigure a unique IPv6 address (the /64 interface identifier is derived from the MAC address with the FFFE string inserted in the middle, the modified EUI-64 format) and set the default gateway to the advertising router. Because no authentication is involved, the segment is vulnerable to some attacks:
- Spoofed RA messages with false /64 prefixes for SLAAC; basically the prefix is spoofed.
- Spoofed RA messages with false advertiser information (router); basically the router is spoofed.
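The following Python is an added example, not part of the original task, showing how a host builds its SLAAC address from an advertised /64 prefix and its MAC address, and how an analyst can reverse the step to recover the MAC from an EUI-64 based address (useful when correlating a spoofed-prefix victim with a switch port). The sample MAC 0017.e04a.9678 is the one implied by R5's autoconfigured address in the verification output later in this task; it is an assumption derived from that output, not a value the task states.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a MAC address.

    Accepts Cisco dotted (0017.e04a.9678), colon or dash notation.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    # Flip the universal/local bit of the first octet, then insert FF:FE
    # between the OUI and the device-specific half of the MAC.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an RA-advertised prefix with the EUI-64 interface identifier.

    SLAAC only works with a /64, which is exactly why RA Guard's prefix-list
    match is evaluated against /64 prefixes in this task.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_slaac(address: str) -> Optional[str]:
    """Recover the MAC address from an EUI-64 based IPv6 address.

    Returns None when the interface identifier lacks the FF:FE marker
    (statically assigned or privacy addresses).
    """
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ".".join(octets.hex()[i:i + 4] for i in (0, 4, 8))


if __name__ == "__main__":
    # Constructed sample: R5's MAC as implied by its SLAAC address in the task output.
    mac = "0017.e04a.9678"
    print("link-local:", slaac_address("fe80::/64", mac))
    print("global    :", slaac_address("2001::/64", mac))
    print("MAC back  :", mac_from_slaac("2001::217:E0FF:FE4A:9678"))
```

Both addresses the block derives (FE80::217:E0FF:FE4A:9678 and 2001::217:E0FF:FE4A:9678) are the ones R5 shows once SLAAC has run; a spoofed RA with a different /64 would produce a host address in the attacker's prefix with the same interface identifier, which is what makes the EUI-64 half of the address a stable correlation key across both the legitimate and the spoofed prefix.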
To protect the infrastructure from spoofed RA messages, a feature named IPv6 RA Guard can be configured on the Layer 2/Layer 3 switch where hosts and routers are attached. Basically, you want to drop inbound router-type NDP messages (router advertisements and redirects) on ports where hosts are connected. You can configure three types of RA Guard policies:
- host, where all inbound NDP messages are inspected and router-type messages are dropped; this is the default state of a policy.
- router, where all inbound NDP messages are inspected but router-type messages are allowed; optionally, you can restrict which prefixes RA messages may advertise (achieved via prefix-list filtering) and which sources are allowed to send ICMPv6 Type 133, 134, and 137 (achieved via access lists matching on link-local addresses).
- trust, where all inbound NDP messages are allowed and not inspected.
The RA Guard policies can be applied at the VLAN level or port level; if both are enabled, the port-level policy takes precedence over the VLAN-wide policy. In most real-life cases, it is faster to deploy a host policy at VLAN level and router/trust policies at port level, because there will be few router/trusted ports. To enable a Cisco router for SLAAC, the interface-level command ipv6 address autoconfig is used. The interface-level command ipv6 enable is used when you want the router to autoconfigure itself with just a link-local address on the interface (which does not require SLAAC).
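To make the policy selection and filtering rules above concrete, here is an added Python model of RA Guard decisions; it is an illustration written for this page, not Cisco's implementation, and it simplifies: it models only the port-over-VLAN precedence, the three device roles, the prefix-list match on RA prefix options and the source ACL on router-type messages. The attachments in build_sw3() mirror the SW3 configuration of this task; port Gi1/0/5 used in the comments is a hypothetical extra host port.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RS, RA, REDIRECT = 133, 134, 137      # ICMPv6 types RA Guard punts for inspection
ROUTER_MESSAGES = {RA, REDIRECT}      # "router-type" messages a host must never send


@dataclass
class RaGuardPolicy:
    name: str
    role: str = "host"                             # "host" (default), "router" or "trust"
    allowed_prefixes: Optional[List[str]] = None   # None = no "match ra prefix-list"
    allowed_sources: Optional[List[str]] = None    # None = no "match ipv6 access-list"


@dataclass
class NdpMessage:
    icmp_type: int
    source: str                                    # link-local source address
    prefixes: List[str] = field(default_factory=list)   # prefix options in an RA


@dataclass
class Switch:
    port_policies: Dict[str, RaGuardPolicy] = field(default_factory=dict)
    vlan_policies: Dict[int, RaGuardPolicy] = field(default_factory=dict)

    def effective_policy(self, port: str, vlan: int) -> Optional[RaGuardPolicy]:
        # A port-level attachment takes precedence over the VLAN-wide one.
        return self.port_policies.get(port) or self.vlan_policies.get(vlan)

    def evaluate(self, port: str, vlan: int, msg: NdpMessage) -> str:
        """Return 'permit' or 'drop' for an inbound NDP message on port/vlan."""
        policy = self.effective_policy(port, vlan)
        if policy is None or policy.role == "trust":
            return "permit"                        # no inspection at all
        if msg.icmp_type not in ROUTER_MESSAGES:
            return "permit"                        # RS, NS, NA pass under any role
        if policy.role == "host":
            return "drop"                          # hosts never send RA/redirects
        # role == "router": apply the optional source and prefix restrictions
        if policy.allowed_sources is not None:
            src = ipaddress.IPv6Address(msg.source)
            if not any(src in ipaddress.IPv6Network(a) for a in policy.allowed_sources):
                return "drop"
        if policy.allowed_prefixes is not None and msg.icmp_type == RA:
            # Assumption of this model: every advertised prefix must be permitted
            # by the prefix list (exact match, as a prefix-list entry without ge/le).
            permitted = {ipaddress.IPv6Network(p) for p in policy.allowed_prefixes}
            if any(ipaddress.IPv6Network(p) not in permitted for p in msg.prefixes):
                return "drop"
        return "permit"


def build_sw3() -> Switch:
    """SW3 as configured in this task, expressed in the model."""
    host_inspect = RaGuardPolicy("HOST_INSPECT", role="host")
    host_non_inspect = RaGuardPolicy("HOST_NON_INSPECT", role="trust")
    router = RaGuardPolicy("ROUTER", role="router",
                           allowed_prefixes=["2001::/64"],
                           allowed_sources=["FE80::4/128"])
    sw = Switch()
    sw.vlan_policies[11] = host_inspect            # vlan configuration 11
    sw.port_policies["Gi1/0/1"] = router           # R4's port
    sw.port_policies["Gi1/0/3"] = host_non_inspect # R6's port, trusted
    return sw


if __name__ == "__main__":
    sw = build_sw3()
    print(sw.evaluate("Gi1/0/1", 11, NdpMessage(RA, "FE80::4", ["2001::/64"])))  # permit
    print(sw.evaluate("Gi1/0/1", 11, NdpMessage(RA, "FE80::4", ["2002::/64"])))  # drop
    print(sw.evaluate("Gi1/0/5", 11, NdpMessage(RA, "FE80::6", ["2001::/64"])))  # drop (VLAN host policy)
```

The model reproduces the task's intent: R4 may advertise only 2001::/64, R6 on the trusted port is not inspected, and any RA arriving on an ordinary VLAN 11 port is dropped. Re-attaching HOST_INSPECT to Gi1/0/3, as the test step at the end of the task does, turns R6's RA into a drop in the model just as it does on SW3.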
SW3:
ipv6 prefix-list RA_PREFIX permit 2001::/64
!
ipv6 access-list RA_SOURCE
 permit ipv6 host FE80::4 any
!
ipv6 nd raguard policy HOST_INSPECT
 device-role host
!
ipv6 nd raguard policy HOST_NON_INSPECT
 trusted-port
!
ipv6 nd raguard policy ROUTER
 device-role router
 match ra prefix-list RA_PREFIX
 match ipv6 access-list RA_SOURCE
!
vlan configuration 11
 ipv6 nd raguard attach-policy HOST_INSPECT
!
interface GigabitEthernet1/0/1
 ipv6 nd raguard attach-policy ROUTER
!
interface GigabitEthernet1/0/3
 ipv6 nd raguard attach-policy HOST_NON_INSPECT

R5:
interface FastEthernet0/0
 ipv6 address autoconfig default
Verify that R4 sends RA messages:
R4#show ipv6 interface fastEthernet0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::4
  No Virtual link-local address(es):
  Global unicast address(es):
    2001::4, subnet is 2001::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:2
    FF02::1:FF00:4
    FF05::1:3
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
!
!
R4#show ipv6 interface fastEthernet0/0 prefix
IPv6 Prefix Advertisements FastEthernet0/0
Codes: A - Address, P - Prefix-Advertisement, O - Pool
       U - Per-user prefix, D - Default
       N - Not advertised, C - Calendar
PD default [LA] Valid lifetime 2592000, preferred lifetime 604800
AD 2001::/64 [LA] Valid lifetime 2592000, preferred lifetime 604800
Verify that IPv6 RA Guard is enabled globally and policies are attached to both port and VLAN level:
SW3#show ipv6 snooping features
Feature name            priority  state
RA guard                   192    READY
!
!
SW3#show ipv6 snooping policies
Target      Type  Policy            Feature   Target range
Gi1/0/1     PORT  ROUTER            RA guard  vlan all
Gi1/0/3     PORT  HOST_NON_INSPECT  RA guard  vlan all
vlan 11     VLAN  HOST_INSPECT      RA guard  vlan all
Further verify that IPv6 RA Guard is enabled; note that ICMPv6 Type 133 (router solicitation), 134 (router advertisement), and 137 (neighbor redirect) are punted for inspection:
SW3#show ipv6 snooping capture-policy
HW Policy DB:
HW Policy 0000001C #targets:3
  Target Gi1/0/1 type 0 handle 1
  Target Gi1/0/3 type 0 handle 3
  Target vlan 11 type 1 handle B0000
Target DB:
HW Target Gi1/0/1 HW policy signature 0000001C policies#:1 rules#:3 sig 0000001C
  SW policy ROUTER feature RA guard
  Rule RS Protocol ICMPV6 mask 00000004 action PUNT match 133 #feat:1
    feature RA guard
  Rule RA Protocol ICMPV6 mask 00000008 action PUNT match 134 #feat:1
    feature RA guard
  Rule REDIR Protocol ICMPV6 mask 00000010 action PUNT match 137 #feat:1
    feature RA guard
HW Target Gi1/0/3 HW policy signature 0000001C policies#:1 rules#:3 sig 0000001C
  SW policy HOST_NON_INSPECT feature RA guard
  Rule RS Protocol ICMPV6 mask 00000004 action PUNT match 133 #feat:1
    feature RA guard
  Rule RA Protocol ICMPV6 mask 00000008 action PUNT match 134 #feat:1
    feature RA guard
  Rule REDIR Protocol ICMPV6 mask 00000010 action PUNT match 137 #feat:1
    feature RA guard
HW Target vlan 11 HW policy signature 0000001C policies#:1 rules#:3 sig 0000001C
  SW policy HOST_INSPECT feature RA guard
  Rule RS Protocol ICMPV6 mask 00000004 action PUNT match 133 #feat:1
    feature RA guard
  Rule RA Protocol ICMPV6 mask 00000008 action PUNT match 134 #feat:1
    feature RA guard
  Rule REDIR Protocol ICMPV6 mask 00000010 action PUNT match 137 #feat:1
    feature RA guard
Verify that R5 received RA messages from both R4 and R6 (R6's port is configured as trusted, so no RA Guard inspection is performed on it):
R5#show ipv6 routers
Router FE80::6 on FastEthernet0/0, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
Router FE80::4 on FastEthernet0/0, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
!
!
R5#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::4                                    11 0019.0653.2a18  STALE Fa0/0
FE80::6                                    11 0017.5aed.28b0  STALE Fa0/0
Verify that R5 has been automatically assigned an IPv6 global address through SLAAC; the default route has also been installed through SLAAC:
R5#show ipv6 interface brief fastEthernet0/0
FastEthernet0/0            [up/up]
    FE80::217:E0FF:FE4A:9678
    2001::217:E0FF:FE4A:9678
!
!
R5#show ipv6 route static
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [2/0]
     via FE80::6, FastEthernet0/0
For testing, enable logging for packet drops and configure the port toward R6 in host mode, so that RA messages will be dropped:
SW3:
ipv6 snooping logging packet drop
!
interface GigabitEthernet1/0/3
 ipv6 nd raguard attach-policy HOST_INSPECT
On SW3's console, messages similar to the following will be logged (every 200 seconds, once per RA that R6 sends), signaling that R6's RA messages are now being dropped:
%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port
%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port
%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port
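These drop messages are the detection signal RA Guard gives a security operations team: a burst of NDP::RA drops from one source on one port means either a misconfigured policy (as in this test, where a legitimate router sits behind a host policy) or a device advertising itself as a router where it should not. The following Python is an added example, not part of the original task, that parses %SISF-4-PAK_DROP lines from a syslog feed and counts dropped RAs per VLAN, port and source; the sample log is constructed from the three messages above plus one unrelated line, and the alert threshold is an assumed value.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the SW3 console messages from this task plus an unrelated
# line of the kind a real syslog feed would also carry.
SAMPLE_LOG = """\
%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port
%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to up
%SISF-4-PAK_DROP: Message dropped A=FE80::6 G=- V=11 I=Gi1/0/3 P=NDP::RA Reason=Message unauthorized on port
"""

# Field layout as shown in the task output: A=source address, G=gateway (or -),
# V=VLAN, I=ingress interface, P=protocol::message, Reason=free text.
PAK_DROP = re.compile(
    r"%SISF-4-PAK_DROP: Message dropped "
    r"A=(?P<addr>\S+) G=(?P<gw>\S+) V=(?P<vlan>\d+) I=(?P<intf>\S+) "
    r"P=(?P<proto>\S+) Reason=(?P<reason>.*)$"
)


def parse_pak_drops(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract the fields of every %SISF-4-PAK_DROP line; other lines are ignored."""
    events = []
    for line in lines:
        match = PAK_DROP.search(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def ra_drops_by_port(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count dropped router advertisements keyed by (VLAN, port, source address)."""
    counts: Counter = Counter()
    for event in parse_pak_drops(lines):
        if event["proto"] == "NDP::RA":
            counts[(event["vlan"], event["intf"], event["addr"])] += 1
    return dict(counts)


def ra_drop_alerts(lines: Iterable[str], threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return the (VLAN, port, source) tuples whose RA drop count reaches the threshold.

    Each hit needs a human decision: attach a router/trust policy if the source is a
    legitimate router, or investigate the device on that port if it is not.
    """
    return sorted(key for key, n in ra_drops_by_port(lines).items() if n >= threshold)


if __name__ == "__main__":
    for key in ra_drop_alerts(SAMPLE_LOG.splitlines()):
        vlan, intf, addr = key
        print(f"RA drops on VLAN {vlan} port {intf} from {addr}")
```

Fed the constructed sample, the block reports VLAN 11, port Gi1/0/3, source FE80::6, which is exactly the R6 misplacement this test step created; the same counter run against production syslog surfaces rogue RA senders on host ports without any change to the detection logic.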