
IPv6 security – IPv6 First Hop Security - IPv6 RA Guard – part two.

In my last post I described ICMPv6 messages, one of which was Router Advertisement (RA). Today I would like to implement the RA Guard feature.

Router Advertisement (RA) – ICMPv6 type 134 – can be sent in response to a Router Solicitation or as an unsolicited RA. The source address is a link-local address, for example fe80::2, and the destination is the multicast address ff02::1, which represents the “All Nodes Address”.

On Cisco switches we can apply a policy which permits or drops this kind of packet. We have the following options:
  • Policy type ‘host’ – RA messages are blocked by default
  • Policy type ‘router’ – with this type you can apply additional parameters like prefix control and an ACL
  • Policy type ‘trusted port’ – with this setting all RA messages are allowed

Let’s configure them and check how they behave.


                   Gi1/0/1   Gi1/0/2           
          /----\      \  ----- /       /----\ 
         |  R4  |-------| sw3 |-------|  R5  |
          \----/         -----         \----/ 
                           |\      
                           | Gi1/0/3        
                        /----\   
                       |  R6  |
                        \----/

R4 interface:

R4#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21E:4AFF:FE60:ED80 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:1:1::4, subnet is 2001:1:1::/64 
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:4
    FF02::1:FF60:ED80
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
R4#

Confirmation that R4 sends ND messages:

R4#
%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
ICMPv6-ND: L2 came up on FastEthernet0/0
IPv6-Addrmgr-ND: DAD request for FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
ICMPv6-ND: Sending NS for FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
R4#
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF60:ED80
IPv6-Addrmgr-ND: DAD: FE80::21E:4AFF:FE60:ED80 is unique.
ICMPv6-ND: Sending NA for FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
ICMPv6-ND: L3 came up on FastEthernet0/0
IPv6-Addrmgr-ND: DAD request for 2001:1:1::4 on FastEthernet0/0
ICMPv6-ND: Sending NS for 2001:1:1::4 on FastEthernet0/0
ICMPv6-ND: Linklocal FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0, Up
ICMPv6-ND: Created RA context for FE80::21E:4AFF:FE60:ED80
ICMPv6-ND: Request to send RA for FE80::21E:4AFF:FE60:ED80
ICMPv6-ND: Sending RA from FE80::21E:4AFF:FE60:ED80 to FF02::1 on FastEthernet0/0
R4#
ICMPv6-ND:     MTU = 1500
ICMPv6-ND:     prefix = 2001:1:1::/64 onlink autoconfig
ICMPv6-ND:           2592000/604800 (valid/preferred)
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=FE80::21E:4AFF:FE60:ED80, Dst=FF02::1
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF00:4
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent R-Advert, Src=FE80::21E:4AFF:FE60:ED80, Dst=FF02::1
IPv6-Addrmgr-ND: DAD: 2001:1:1::4 is unique.
ICMPv6-ND: Sending NA for 2001:1:1::4 on FastEthernet0/0
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=2001:1:1::4, Dst=FF02::1
R4#

Now I apply a policy on the switch port where R4 is attached. The port will be a trusted port, which means it will pass all RA messages:

SW3:
!

ipv6 nd raguard policy POLICY-R4
 trusted-port
!
!
interface GigabitEthernet1/0/1
 switchport access vlan 11
 switchport mode access
 logging event spanning-tree
 ipv6 nd raguard attach-policy POLICY-R4
 spanning-tree portfast
end
!

On the switch we check snooping messages:

SW3#sh ipv6 snooping messages  | i Gi1/0/1
 [02:18:10] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:18:26] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:18:42] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:21:45] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:24:46] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:27:47] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:30:28] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:33:19] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:36:04] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:38:43] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:41:58] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
 [02:45:09] VLAN 11, From Gi1/0/1 MAC 001E.4A60.ED80: NDP::RA, FE80::21E:4AFF:FE60:ED80, 
SW3#

policies:

SW3#sh ipv6 snooping policies 
Target               Type  Policy               Feature        Target range
Gi1/0/1              PORT  POLICY-R4            RA guard       vlan all
SW3#

and counters:

SW3#sh ipv6 snooping counters interface gig1/0/1
Received messages on Gi1/0/1:
Protocol        Protocol message
NDP             RA[17] 
DHCPv6          

Bridged messages from Gi1/0/1:
Protocol        Protocol message
NDP             RA[17] 
DHCPv6          

Dropped messages on Gi1/0/1:
Feature         Protocol Msg [Total dropped]
SW3#

As we can see, the ‘trusted-port’ setting passes all RAs (17 packets).
Now, on R5 I set the ‘host’ type.

R5 interface:

R5#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::213:19FF:FE37:4DF0 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:1:1::5, subnet is 2001:1:1::/64 
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:5
    FF02::1:FF37:4DF0
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
R5#

Confirmation that R5 sends ND messages:

R5#
ICMPv6-ND: L2 came up on FastEthernet0/0
IPv6-Addrmgr-ND: DAD request for FE80::213:19FF:FE37:4DF0 on FastEthernet0/0
ICMPv6-ND: Sending NS for FE80::213:19FF:FE37:4DF0 on FastEthernet0/0
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF37:4DF0
IPv6-Addrmgr-ND: DAD: FE80::213:19FF:FE37:4DF0 is unique.
ICMPv6-ND: Sending NA for FE80::213:19FF:FE37:4DF0 on FastEthernet0/0
ICMPv6-ND: L3 came up on FastEthernet0/0
IPv6-Addrmgr-ND: DAD request for 2001:1:1::5 on FastEthernet0/0
ICMPv6-ND: Sending NS for 2001:1:1::5 on FastEthernet0/0
ICMPv6-ND: Linklocal FE80::213:19FF:FE37:4DF0 on FastEthernet0/0, Up
ICMPv6-ND: Created RA context for FE80::213:19FF:FE37:4DF0
ICMPv6-ND: Request to send RA for FE80::213:19FF:FE37:4DF0
ICMPv6-ND: Sending RA from FE80::213:19FF:FE37:4DF0 to FF02::1 on FastEthernet0/0
ICMPv6-ND:     MTU = 1500
ICMPv6-ND:     prefix = 2001:1:1::/64 onlink autoconfig
ICMPv6-ND:           2592000/604800 (valid/preferred)
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=FE80::213:19FF:FE37:4DF0, Dst=FF02::1
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF00:5
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent R-Advert, Src=FE80::213:19FF:FE37:4DF0, Dst=FF02::1
R5#
IPv6-Addrmgr-ND: DAD: 2001:1:1::5 is unique.
ICMPv6-ND: Sending NA for 2001:1:1::5 on FastEthernet0/0
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=2001:1:1::5, Dst=FF02::1
R5#

Configuration of the switch port that belongs to R5:

SW3:

!
ipv6 nd raguard policy POLICY-R5
 device-role host
!
!
interface GigabitEthernet1/0/2
 switchport access vlan 11
 switchport mode access
 logging event spanning-tree
 ipv6 nd raguard attach-policy POLICY-R5
 spanning-tree portfast
end
!

In the output below we can see that the RA packets are dropped because of the port policy:

SW3#sh ipv6 snooping messages  | i Gi1/0/2
 [02:29:30] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:32:42] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:35:28] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:38:10] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:40:50] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:43:36] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
 [02:46:38] VLAN 11, From Gi1/0/2 NDP::RA, FE80::213:19FF:FE37:4DF0, Drop reason=Message unauthorized on port
SW3# 

Snooping policy applied on the R5’s switch port:

SW3#sh ipv6 snooping policies interface Gig1/0/2
Target               Type  Policy               Feature        Target range
Gi1/0/2              PORT  POLICY-R5            RA guard       vlan all
SW3#

We can monitor the counters to learn how many messages were dropped:

SW3#sh ipv6 snooping counters interface Gig1/0/2
Received messages on Gi1/0/2:
Protocol        Protocol message
NDP             RA[8] 
DHCPv6          

Bridged messages from Gi1/0/2:
Protocol        Protocol message
NDP             
DHCPv6          

Dropped messages on Gi1/0/2:
Feature         Protocol Msg [Total dropped]
RA guard        NDP      RA  [8]
                reason:  Message unauthorized on port [8]

SW3#

If the port is set as a host (the default), all RA messages are blocked.
Now I will test the ‘router’ type and some additional policy options.

R6 interface:

R6#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::219:AAFF:FE00:B298 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:1:1::6, subnet is 2001:1:1::/64 
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:6
    FF02::1:FF00:B298
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
R6#

Confirmation that R6 sends ND messages:

R6#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R6#
ICMPv6-ND: L2 came up on FastEthernet0/0
IPv6-Addrmgr-ND: DAD request for FE80::219:AAFF:FE00:B298 on FastEthernet0/0
ICMPv6-ND: Sending NS for FE80::219:AAFF:FE00:B298 on FastEthernet0/0
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF00:B298
IPv6-Addrmgr-ND: DAD: FE80::219:AAFF:FE00:B298 is unique.
ICMPv6-ND: Sending NA for FE80::219:AAFF:FE00:B298 on FastEthernet0/0
ICMPv6-ND: L3 came up on FastEthernet0/0
ICMPv6: Sent type 58, Src=FE80::219:AAFF:FE00:B298, Dst=FF02::16
IPv6-Addrmgr-ND: DAD request for 2001:1:1::6 on FastEthernet0/0
ICMPv6-ND: Sending NS for 2001:1:1::6 on FastEthernet0/0
ICMPv6-ND: Linklocal FE80::219:AAFF:FE00:B298 on FastEthernet0/0, Up
ICMPv6-ND: Created RA context for FE80::219:AAFF:FE00:B298
ICMPv6-ND: Request to send RA for FE80::219:AAFF:FE00:B298
ICMPv6-ND: Sending RA from FE80::219:AAFF:FE00:B298 to FF02::1 on FastEthernet0/0
ICMPv6-ND:     MTU = 1500
R6#
ICMPv6-ND:     prefix = 2001:1:1::/64 onlink autoconfig
ICMPv6-ND:           2592000/604800 (valid/preferred)
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=FE80::219:AAFF:FE00:B298, Dst=FF02::1
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Solicit, Src=::, Dst=FF02::1:FF00:6
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent R-Advert, Src=FE80::219:AAFF:FE00:B298, Dst=FF02::1
IPv6-Addrmgr-ND: DAD: 2001:1:1::6 is unique.
ICMPv6-ND: Sending NA for 2001:1:1::6 on FastEthernet0/0
ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
ICMPv6: Sent N-Advert, Src=2001:1:1::6, Dst=FF02::1
R6#

Settings of the switch port which belongs to R6:

SW3#sh run all | b POLICY-R6
ipv6 nd raguard policy POLICY-R6
 device-role router
 match ra prefix-list R6-PRF
!
!
interface GigabitEthernet1/0/3
 switchport access vlan 11
 switchport mode access
 logging event spanning-tree
 ipv6 nd raguard attach-policy POLICY-R6
 spanning-tree portfast
!
ipv6 prefix-list R6-PRF seq 5 permit 2001:1:1::/64
SW3#

We can see snooping messages coming from R6:

SW3#sh ipv6 snooping messages  | i Gi1/0/3
 [02:41:14] VLAN 11, From Gi1/0/3 MAC 0019.AA00.B298: NDP::RA, FE80::219:AAFF:FE00:B298, 
 [02:41:30] VLAN 11, From Gi1/0/3 MAC 0019.AA00.B298: NDP::RA, FE80::219:AAFF:FE00:B298, 
 [02:41:46] VLAN 11, From Gi1/0/3 MAC 0019.AA00.B298: NDP::RA, FE80::219:AAFF:FE00:B298, 
 [02:45:03] VLAN 11, From Gi1/0/3 MAC 0019.AA00.B298: NDP::RA, FE80::219:AAFF:FE00:B298, 
 [02:47:34] VLAN 11, From Gi1/0/3 MAC 0019.AA00.B298: NDP::RA, FE80::219:AAFF:FE00:B298, 
SW3#

Confirmation the proper policy is applied on the correct interface:

SW3#sh ipv6 snooping policies interface Gig1/0/3
Target               Type  Policy               Feature        Target range
Gi1/0/3              PORT  POLICY-R6            RA guard       vlan all
SW3#

When we check the counters we see that the RA messages are bridged by SW3:

SW3#sh ipv6 snooping counters interface Gig1/0/3
Received messages on Gi1/0/3:
Protocol        Protocol message
NDP             RA[5] 
DHCPv6          

Bridged messages from Gi1/0/3:
Protocol        Protocol message
NDP             RA[5] 
DHCPv6          

Dropped messages on Gi1/0/3:
Feature         Protocol Msg [Total dropped]
SW3#

Now let’s change the prefix list so that it permits a prefix which does not exist in the network:

SW3#sh ipv6 prefix-list 
ipv6 prefix-list R6-PRF: 1 entries
   seq 5 permit 2002:1:1::/64
SW3#

and check if R6 is still able to send RAs:

SW3#sh ipv6 snooping counters interface Gig1/0/3
Received messages on Gi1/0/3:
Protocol        Protocol message
NDP             RA[7] 
DHCPv6          

Bridged messages from Gi1/0/3:
Protocol        Protocol message
NDP             RA[6] 
DHCPv6          

Dropped messages on Gi1/0/3:
Feature         Protocol Msg [Total dropped]
RA guard        NDP      RA  [1]
                reason:  Unauthorized prefix in prefix list [1]

SW3#

As we can see, the RAs from R6 are now dropped because of the unauthorized prefix (R6 keeps sending them; the counter of received RAs still grows).
Let’s see what we can learn about the network from the following debug output:

SW3#debug ipv6 snooping raguard
SW3#
SISF[RAG]: Gi1/0/1 vlan 11 RA Guard setting sec level to GUARD
SISF[RAG]: Gi1/0/1 vlan 11 RA received by RA guard on Gi1/0/1 from FE80::21E:4AFF:FE60:ED80
SISF[RAG]: Gi1/0/1 vlan 11         option 1 : ND_OPT_SOURCE_LINKADDR
SISF[RAG]: Gi1/0/1 vlan 11         option 3 : ND_OPT_PREFIX_INFORMATION
SISF[RAG]: Gi1/0/1 vlan 11         option 5 : ND_OPT_MTU
SISF[RAG]: Gi1/0/1 vlan 11 Trusted port

 
SISF[RAG]: Gi1/0/2 vlan 11 RA Guard setting sec level to GUARD
SISF[RAG]: Gi1/0/2 vlan 11 RA received by RA guard on Gi1/0/2 from FE80::213:19FF:FE37:4DF0
SISF[RAG]: Gi1/0/2 vlan 11         option 1 : ND_OPT_SOURCE_LINKADDR
SISF[RAG]: Gi1/0/2 vlan 11         option 3 : ND_OPT_PREFIX_INFORMATION
SISF[RAG]: Gi1/0/2 vlan 11         option 5 : ND_OPT_MTU
SISF[RAG]: Gi1/0/2 vlan 11 !Not a router port: all router messages disallowed
SISF[RAG]: Gi1/0/2 vlan 11 ! DROP ROUTER-ADVERT  src FE80::213:19FF:FE37:4DF0 dst FF02::1 reason = 3

 
SISF[RAG]: Gi1/0/3 vlan 11 RA Guard setting sec level to GUARD
SISF[RAG]: Gi1/0/3 vlan 11 RA received by RA guard on Gi1/0/3 from FE80::219:AAFF:FE00:B298
SISF[RAG]: Gi1/0/3 vlan 11         option 1 : ND_OPT_SOURCE_LINKADDR
SISF[RAG]: Gi1/0/3 vlan 11         option 3 : ND_OPT_PREFIX_INFORMATION
SISF[RAG]: Gi1/0/3 vlan 11         option 5 : ND_OPT_MTU
SISF[RAG]: Gi1/0/3 vlan 11      RA with prefix option 2001:1:1:: len 64
SISF[RAG]: Gi1/0/3 vlan 11 !RA prefix not in prefix-list
SISF[RAG]: Gi1/0/3 vlan 11 ! DROP ROUTER-ADVERT  src FE80::219:AAFF:FE00:B298 dst FF02::1 reason = 5

Let’s change back the prefix list for R6:

SW3#
SISF[RAG]: Gi1/0/3 vlan 11 RA Guard setting sec level to GUARD
SISF[RAG]: Gi1/0/3 vlan 11 RA received by RA guard on Gi1/0/3 from FE80::219:AAFF:FE00:B298
SISF[RAG]: Gi1/0/3 vlan 11         option 1 : ND_OPT_SOURCE_LINKADDR
SISF[RAG]: Gi1/0/3 vlan 11         option 3 : ND_OPT_PREFIX_INFORMATION
SISF[RAG]: Gi1/0/3 vlan 11         option 5 : ND_OPT_MTU
SISF[RAG]: Gi1/0/3 vlan 11      RA with prefix option 2001:1:1:: len 64
SW3#
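To tie the three policy types listed at the top of the post to the debug output above, here is an added Python example (not the blog’s or Cisco’s code): it parses a constructed RA carrying options 1, 3 and 5 and applies the trusted-port, host and router-with-prefix-list decisions with the same drop reason numbers SW3 prints. The policy dictionaries, function names and the constructed RA bytes are my own assumptions; the prefix-list match is modelled as an exact match, as in `seq 5 permit 2001:1:1::/64`.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
ND_OPT_SOURCE_LINKADDR, ND_OPT_PREFIX_INFORMATION, ND_OPT_MTU = 1, 3, 5
# Drop reasons numbered as in SW3's "debug ipv6 snooping raguard" output above
REASON_NOT_ROUTER_PORT = 3     # "Message unauthorized on port"
REASON_PREFIX_NOT_IN_LIST = 5  # "Unauthorized prefix in prefix list"


def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861) into its option list."""
    if len(icmp6) < 16 or icmp6[0] != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"options": [], "prefixes": [], "mtu": None, "src_lladdr": None}
    pos = 16  # 4-byte ICMPv6 header + 12 bytes of fixed RA fields
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1]
        body = icmp6[pos + 2:pos + opt_len * 8]
        if opt_len == 0 or len(body) != opt_len * 8 - 2:
            raise ValueError("malformed ND option")  # zero-length or truncated option
        ra["options"].append(opt_type)
        if opt_type == ND_OPT_PREFIX_INFORMATION:  # plen, flags, valid, preferred, rsvd, prefix
            ra["prefixes"].append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        elif opt_type == ND_OPT_MTU:  # 2 reserved bytes, then the 32-bit MTU
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif opt_type == ND_OPT_SOURCE_LINKADDR:  # 6-byte MAC for Ethernet
            ra["src_lladdr"] = body.hex(":")
        pos += opt_len * 8
    return ra


def ra_guard(policy: dict, ra: dict):
    """Decide bridge/drop for one parsed RA the way the three policies on SW3 behave."""
    if policy.get("trusted_port"):                      # POLICY-R4: everything passes
        return ("bridge", None)
    if policy.get("device_role", "host") != "router":   # POLICY-R5 and the default role
        return ("drop", REASON_NOT_ROUTER_PORT)
    if "prefix_list" in policy:                         # POLICY-R6: match ra prefix-list
        permitted = {ipaddress.IPv6Network(p) for p in policy["prefix_list"]}
        if any(p not in permitted for p in ra["prefixes"]):  # exact match, like "permit X/64"
            return ("drop", REASON_PREFIX_NOT_IN_LIST)
    return ("bridge", None)


def build_ra(src_mac: bytes, prefix: str, plen: int, mtu: int) -> bytes:
    """Constructed RA with options 1, 3 and 5 as in the debug output (checksum left at 0)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    opt_lladdr = bytes([ND_OPT_SOURCE_LINKADDR, 1]) + src_mac
    # flags 0xC0 = on-link + autoconfig, lifetimes 2592000/604800 as R6 advertises
    opt_prefix = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFORMATION, 4, plen, 0xC0, 2592000, 604800, 0)
    opt_prefix += ipaddress.IPv6Network((prefix, plen)).network_address.packed
    opt_mtu = struct.pack("!BBHI", ND_OPT_MTU, 1, 0, mtu)
    return hdr + opt_lladdr + opt_prefix + opt_mtu


def evaluate_lab(r6_prefix_entry: str) -> dict:
    """Run one constructed RA (R6's MAC and prefix) through the policies of Gi1/0/1-3."""
    ra = parse_ra(build_ra(bytes.fromhex("0019aa00b298"), "2001:1:1::", 64, 1500))
    policies = {
        "Gi1/0/1": {"trusted_port": True},                                       # POLICY-R4
        "Gi1/0/2": {"device_role": "host"},                                      # POLICY-R5
        "Gi1/0/3": {"device_role": "router", "prefix_list": [r6_prefix_entry]},  # POLICY-R6
    }
    return {port: ra_guard(pol, ra) for port, pol in policies.items()}


if __name__ == "__main__":
    for entry in ("2001:1:1::/64", "2002:1:1::/64"):   # the two prefix-list states on SW3
        print(entry, evaluate_lab(entry))
```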
 
Conclusion: we can easily apply policies to control which device in our network is allowed to send RA messages. Remember that in the default policy the device role is ‘host’, which means all RA packets are dropped. In my next post I will test the next security feature.
