
How to suppress the IPv6 Router Advertisement with the Neighbor Discovery timers tuned


Article ID: KB27592
KB Last Updated: 30 Jun 2013
Version: 2.0
Summary:

This article explains how to suppress IPv6 Router Advertisements (RAs) on an interface, even when the IPv6 Neighbor Discovery (ND) timers are tuned with these configuration commands:

set protocols router-advertisement interface ge-1/0/0.0 reachable-time 36000
set protocols router-advertisement interface ge-1/0/0.0 retransmit-timer 5000



Symptoms:

The goal is to have Neighbor Discovery tuned but no Router Advertisement sent out of that interface. If there is a delay in getting the Neighbor Solicitation and Neighbor Advertisement in a network, then the "Reachable time" and "Retransmit timer" need to be tuned in order to avoid any IPv6 packets getting dropped in transit.

Definitions:
Reachable time [default 0]: Time that a node identifies a neighbor as reachable after receiving a reachability confirmation, in milliseconds.
Retransmit timer [default 0]: Time between retransmitted Neighbor Solicitation messages, in milliseconds.


Below is command output showing Router Advertisements:

> monitor traffic interface ge-1/0/0.0 no-resolve size 1900
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-1/0/0.0, capture size 1900 bytes

05:05:09.991400 Out IP6 fe80::212:1eff:fe1b:7e > ff02::1: ICMP6, router advertisement, length 24
05:11:12.993140 Out IP6 fe80::212:1eff:fe1b:7e > ff02::1: ICMP6, router advertisement, length 24
05:16:44.994865 Out IP6 fe80::212:1eff:fe1b:7e > ff02::1: ICMP6, router advertisement, length 24


> show system statistics icmp6 | match router    

                 3 router advertisment

> show system statistics icmp6 | match router    

                 4 router advertisment


>  show system statistics icmp6 |no-more 

icmp6:
         0 Calls to icmp_error
         0 Errors not generated because old message was icmp error
         0 Errors not generated because rate limitation
         Output histogram: 
                 5 router advertisment <---- incrementing
                 12 neighbor solicitation
                 4 neighbor advertisement
         0 Messages with bad code fields
         0 Messages < minimum length
         0 Bad checksums
         0 Messages with bad length
                 0 No route
                 0 Administratively prohibited
                 0 Beyond scope
                 0 Address unreachable
                 0 Port unreachable
                 0 packet too big
                 0 Time exceed transit
                 0 Time exceed reassembly
                 0 Erroneous header field
                 0 Unrecognized next header
                 0 Unrecognized option
                 0 redirect
                 0 Unknown
         0 Message responses generated
         0 Messages with too many ND options

Cause:

When the Reachable time and Retransmit timer for an interface are tuned, by default the router will send the IPv6 Router Advertisement out of that interface.


Solution:

Junos does not have an explicit command to suppress IPv6 Router Advertisements. An IPv6 RA is sent as ICMPv6 type 134. To suppress the Router Advertisement, configure a firewall filter that blocks ICMPv6 type 134 and apply it to the interface as an output filter.

For example:
set firewall family inet6 filter test term 1 from icmp-type 134
set firewall family inet6 filter test term 1 from icmp-code 0
set firewall family inet6 filter test term 1 then count count-1
set firewall family inet6 filter test term 1 then discard
set firewall family inet6 filter test term 2 then accept

set interfaces ge-1/0/0.0 family inet6 filter output test 


> show firewall filter test                    

Filter: test                                                   
Counters:
Name                                                Bytes              Packets
count-1                                               384                    6
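
An added example (not part of the Juniper article) that models the two terms of the filter above in Python and runs constructed packets through them: RAs match term 1 and are discarded and counted, while Neighbor Solicitations and Neighbor Advertisements fall through to term 2 and are accepted. The packet builder, the NS/NA lengths and all function names are assumptions; a 40-byte IPv6 header plus the 24-byte RA from the capture gives 64 bytes per packet, which is consistent with the 384 bytes / 6 packets shown for count-1.

```python
import struct

RA, NS, NA = 134, 135, 136  # ICMPv6 types (RFC 4861)

# The article's filter "test": (term, match conditions, action, counter)
FILTER_TEST = [
    ("1", {"icmp-type": RA, "icmp-code": 0}, "discard", "count-1"),
    ("2", {}, "accept", None),
]

def ipv6_icmp6(icmp_type, icmp_code, icmp_len):
    """Constructed packet: 40-byte IPv6 header + ICMPv6 message of icmp_len bytes."""
    body = bytes([icmp_type, icmp_code]) + bytes(icmp_len - 2)  # checksum and payload zeroed
    header = struct.pack("!IHBB", 6 << 28, len(body), 58, 255)  # version 6, next header 58
    src = bytes.fromhex("fe80000000000000" "02121efffe1b007e")  # fe80::212:1eff:fe1b:7e
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")              # ff02::1
    return header + src + dst + body

def evaluate(packet, terms, counters):
    """Return the action of the first matching term, updating its counter."""
    fields = {}
    if packet[6] == 58 and len(packet) >= 42:  # simplification: no extension headers
        fields = {"icmp-type": packet[40], "icmp-code": packet[41]}
    for _name, match, action, counter in terms:
        if all(fields.get(k) == v for k, v in match.items()):
            if counter:
                c = counters.setdefault(counter, {"bytes": 0, "packets": 0})
                c["bytes"] += len(packet)
                c["packets"] += 1
            return action
    return "discard"  # a Junos filter ends with an implicit discard

def run_sample():
    """Six RAs plus the NS/NA volumes from the statistics output (lengths constructed)."""
    counters = {}
    sample = [(RA, 0, 24)] * 6 + [(NS, 0, 32)] * 12 + [(NA, 0, 32)] * 4
    verdicts = [evaluate(ipv6_icmp6(*p), FILTER_TEST, counters) for p in sample]
    return verdicts, counters

if __name__ == "__main__":
    verdicts, counters = run_sample()
    print(verdicts.count("discard"), "discarded,", verdicts.count("accept"), "accepted")
    print(counters)
```
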


For more information about the IPv6 Firewall filter match condition, refer to Standard Firewall Filter Match Conditions for IPv6 Traffic.
