hzw -

My notes about IT, security, CCIE Security journey, routers, firewalls and many more… To contact me, send an email to: myitmicroblog@gmail.com

Page 8


How to fix “Reason 442: failed to enable Virtual Adapter” on Windows Server 2012?

I tried to install the Cisco IPsec VPN client on Windows Server 2012, but when I ran the client I got the error message:


"Reason 442: failed to enable Virtual Adapter"

I found a fix for Windows 7 (disable the "Internet Connection Sharing" service in the Services list), but it didn't work on Windows Server 2012. On the server platform the fix is to open the following registry key and change the "DisplayName" value (the oemN.inf number in the prefix varies from machine to machine; whatever it is, remove everything up to and including the semicolon so that only the plain adapter name remains):


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CvirtA

from:

@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows

to:

Cisco Systems VPN Adapter for 64-bit Windows

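The same change can be scripted so that it is repeatable and safe to re-run. The following Python script is an added example written for this page (not the Cisco client's own tooling): it assumes the key path and value name above, strips only the "@...;" indirect-string prefix whatever the oemN.inf number is, refuses to touch a value that is not REG_SZ, and supports a --dry-run flag. It must run from an elevated prompt on the affected server, and exporting the key first (reg export) before changing it is a good habit.

```python
import re

# Registry location the page gives for the Cisco VPN client's virtual adapter service.
# (The page spells it CvirtA; registry key names are case-insensitive.)
KEY_PATH = r"SYSTEM\CurrentControlSet\Services\CVirtA"
VALUE_NAME = "DisplayName"

# Indirect-string prefix "@<inf file>,%<token>;" that precedes the plain adapter name.
# The oemN.inf number varies per machine, so the pattern does not hard-code "oem8".
INDIRECT_PREFIX = re.compile(r"^@[^,;]+,%[^%;]+%;")


def strip_indirect_prefix(display_name: str) -> str:
    """Return the plain adapter name; values that are already plain come back unchanged."""
    return INDIRECT_PREFIX.sub("", display_name, count=1)


def fix_display_name(dry_run: bool = False):
    """Read DisplayName from HKLM, rewrite it if it carries the prefix, return (old, new).

    Runs only on Windows and needs an elevated (Administrator) prompt to write HKLM.
    """
    import winreg  # Windows-only; imported here so strip_indirect_prefix is usable anywhere

    access = winreg.KEY_READ | (0 if dry_run else winreg.KEY_SET_VALUE)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, access) as key:
        old, kind = winreg.QueryValueEx(key, VALUE_NAME)
        if kind != winreg.REG_SZ:
            raise TypeError(f"{VALUE_NAME} is not REG_SZ (type {kind}); refusing to rewrite")
        new = strip_indirect_prefix(old)
        if new != old and not dry_run:
            winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_SZ, new)
    return old, new


if __name__ == "__main__":
    import sys

    before, after = fix_display_name(dry_run="--dry-run" in sys.argv)
    print("before:", before)
    print("after: ", after if after != before else "(unchanged)")
```

Run it once with --dry-run to see what it would write; the second run without the flag performs the change, and running it again afterwards is a no-op because the plain name no longer matches the prefix pattern.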


IPv6 security – DHCPv6 – part four.

Today I would like to run some tests with DHCPv6. As with IPv4, we can run a DHCP server on routers or switches.

               Gi1/0/1   Gi1/0/2           
      /----\      \  ----- /       /----\ 
     |  R1  |-------| sw1 |-------|  R2  |
      \----/         -----         \----/ 
   DHCP SERVER         |\      
                       | Gi1/0/3        
                    /----\   
                   |  R3  |
                    \----/         
                 DHCP CLIENT

In my example R1 acts as the DHCPv6 server and R3 as the client. First I configure R3:

!
interface FastEthernet0/0
 no ip address
 ipv6 address dhcp
 ipv6 enable
 no sh
end
!

Then R1:

!
ipv6 dhcp pool DHCP-POOL
 address prefix 2001::/64
 link-address 2001::100/64
 domain-name test.com
!
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001::100/64
 ipv6 enable
 ipv6 dhcp server
...

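To make the exchange behind "ipv6 address dhcp" concrete, here is an added Python example (written for this page, not IOS code) of the first two messages: the client's Solicit and the server's Advertise, encoded as in RFC 8415 without the UDP/IPv6 transport underneath. The server serves a single /64 pool like the "address prefix" above, derives a deterministic interface ID from the client's DUID (a hypothetical allocator, not what IOS does), and discards Solicits that are malformed or carry a Server-ID; the client refuses an Advertise that is not for its transaction or Client-ID. Names such as Dhcpv6Server and in_pool are assumptions of this example. One caveat for the configuration above: a stateful DHCPv6 lease carries no default route, so R3 still learns its default gateway from R1's Router Advertisement, not from the DHCPv6 reply.

```python
import hashlib
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 8415).
SOLICIT, ADVERTISE = 1, 2
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_ORO = 1, 2, 3, 5, 6


def option(code, data):
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Decode a run of DHCPv6 options into (code, data) pairs; rejects truncated options."""
    opts = []
    while buf:
        if len(buf) < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", buf[:4])
        if len(buf) < 4 + length:
            raise ValueError("option length runs past end of message")
        opts.append((code, buf[4:4 + length]))
        buf = buf[4 + length:]
    return opts


def duid_ll(mac):
    """DUID-LL (type 3) for an Ethernet (hardware type 1) MAC address."""
    return struct.pack("!HH", 3, 1) + mac


def build_solicit(xid, mac, iaid=1):
    """Client side: Solicit carrying Client-ID, an empty IA_NA and an Option Request."""
    body = option(OPT_CLIENTID, duid_ll(mac))
    body += option(OPT_IA_NA, struct.pack("!III", iaid, 0, 0))  # IAID, T1, T2 (server decides)
    body += option(OPT_ORO, struct.pack("!H", 24))               # 24 = Domain Search List
    return struct.pack("!I", (SOLICIT << 24) | (xid & 0xFFFFFF)) + body


class Dhcpv6Server:
    """Stateful server for a single /64 pool, like 'address prefix 2001::/64' on R1."""

    def __init__(self, prefix, server_mac):
        self.net = ipaddress.IPv6Network(prefix)
        if self.net.prefixlen != 64:
            raise ValueError("the allocator below assumes a /64 pool")
        self.duid = duid_ll(server_mac)
        self.leases = {}  # client DUID -> IPv6Address

    def allocate(self, client_duid):
        if client_duid not in self.leases:
            # Hypothetical allocator: interface ID derived from the DUID, never ::0 (subnet-router anycast).
            iid = int.from_bytes(hashlib.sha256(client_duid).digest()[:8], "big") or 1
            self.leases[client_duid] = ipaddress.IPv6Address(int(self.net.network_address) | iid)
        return self.leases[client_duid]

    def handle(self, msg):
        """Answer a Solicit with an Advertise; anything else (or a malformed Solicit) is ignored."""
        if len(msg) < 4 or msg[0] != SOLICIT:
            return None
        xid = int.from_bytes(msg[1:4], "big")
        opts = dict(parse_options(msg[4:]))
        # RFC 8415: a Solicit must carry a Client-ID and must not carry a Server-ID.
        if OPT_CLIENTID not in opts or OPT_IA_NA not in opts or OPT_SERVERID in opts:
            return None
        iaid = struct.unpack("!I", opts[OPT_IA_NA][:4])[0]
        addr = self.allocate(opts[OPT_CLIENTID])
        iaaddr = option(OPT_IAADDR, addr.packed + struct.pack("!II", 3600, 7200))  # preferred, valid
        ia_na = option(OPT_IA_NA, struct.pack("!III", iaid, 1800, 2880) + iaaddr)
        body = option(OPT_SERVERID, self.duid) + option(OPT_CLIENTID, opts[OPT_CLIENTID]) + ia_na
        return struct.pack("!I", (ADVERTISE << 24) | xid) + body


def client_parse_advertise(msg, xid, my_duid):
    """Client side: check the Advertise belongs to our Solicit and extract the offered address."""
    if len(msg) < 4 or msg[0] != ADVERTISE or int.from_bytes(msg[1:4], "big") != xid:
        raise ValueError("not an Advertise for our transaction")
    opts = dict(parse_options(msg[4:]))
    if opts.get(OPT_CLIENTID) != my_duid or OPT_SERVERID not in opts or OPT_IA_NA not in opts:
        raise ValueError("Advertise lacks Server-ID/IA_NA or carries another client's Client-ID")
    for code, data in parse_options(opts[OPT_IA_NA][12:]):  # skip IAID, T1, T2
        if code == OPT_IAADDR:
            preferred, valid = struct.unpack("!II", data[16:24])
            return ipaddress.IPv6Address(data[:16]), preferred, valid
    raise ValueError("no IAADDR inside IA_NA")


def in_pool(addr, prefix):
    """True when the offered address falls inside the given pool prefix."""
    return addr in ipaddress.IPv6Network(prefix)
```

The Request/Reply half of the four-message exchange follows the same option layout; what the server must never do is answer a Solicit that already names a server, which is the check in handle().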


IPv6 security – IPv6 First Hop Security – Binding Table – part three.

As in IPv4, where DHCP snooping builds a binding table of the connected hosts, for IPv6 we can enable the IPv6 binding table. The table is populated from ND messages, the DHCPv6 registration process, or static entries.

               Gi1/0/1   Gi1/0/2           
      /----\      \  ----- /       /----\ 
     |  R4  |-------| sw1 |-------|  R5  |
      \----/         -----         \----/ 
                       |\      
                       | Gi1/0/3        
                    /----\   
                   |  R6  |
                    \----/

I enable IPv6 and apply an ND policy with the device role set to 'router'.
R4:

R4#sh ipv6 interface
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::223:4FF:FE8E:5E08 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:10:10:10::4, subnet is 2001:10:10:10::/64 
  Joined group address(es):
    FF02::1
...



VBScript for CRT.

Sometimes we have to make the same change on many devices; instead of spending a couple of hours on it, we can use a script to automate the task.
The easiest option is VBScript, which can be run from CRT (SecureCRT, a popular telnet/SSH client). Below is an example script that you can copy and save as a script file. From the CRT menu click 'Script' -> 'Run' and select the file. I added some comments for those who are not familiar with Visual Basic.

# $language = "VBScript"
# $interface = "1.0"

' Credentials used on every device: set the correct values here.
' (Keeping passwords in a script file is risky; crt.Dialog.Prompt can ask for them at run time instead.)
GTAC_USERNAME = "username"
GTAC_SPASSWORD = "password"
G_ENABLEPASSWORD = "enable-password"

Sub Main
 Dim IP(11)              ' in my example we have a list of 11 devices

 IP(0)="57.196.12.38"
 IP(1)="57.196.12.39"
 …                       ' complete the list of your devices
...



IPv6 security – IPv6 First Hop Security - IPv6 RA Guard – part two.

In my last post I described ICMPv6 messages, one of which was the Router Advertisement (RA). Today I would like to implement the RA Guard feature. Without it, any host on the segment can send an RA and become the default gateway for its neighbours or hand out a bogus prefix; RA Guard lets the switch drop RAs on ports that should never originate one.

Router Advertisement (RA) – ICMPv6 – type 134 -
The message is sent either in response to a Router Solicitation or unsolicited (periodically). The source address is the router's link-local address, for example fe80::2, and the destination is the multicast address ff02::1, the "all-nodes" address.

On Cisco switches we can apply a policy that permits or drops these packets. We have the following options:

  • Policy type 'host' (device-role host) – RA messages are dropped by default
  • Policy type 'router' (device-role router) – RA messages are permitted, and you can apply additional checks such as a prefix list and an ACL on the source address
  • Policy type 'trusted port' – with this setting all RA messages are allowed without validation

Let’s configure them and check how they behave.

                   Gi1/0/1   Gi1/0/2           
          /----\      \
...



IPv6 security – IPv6 First Hop Security – part one.

Before we start configuring security features we have to learn about the IPv6 protocol and the messages sent across the network. Many IPv6 mechanisms rely on ICMPv6.
We will talk about the following ICMPv6 packet types:

  • Echo request – ICMPv6 – type 128
  • Echo reply – ICMPv6 – type 129
  • Router Solicitation – ICMPv6 – type 133
  • Router Advertisement (RA) – ICMPv6 – type 134
  • Neighbor Solicitation (NS)– ICMPv6 – type 135
  • Neighbor Advertisement – ICMPv6 – type 136

Let's first check when we can see these messages and what they are responsible for. I have two routers, R1 and R2, with IPv6 enabled:

R1:
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ipv6 address 2001:1:1::1/64
 ipv6 enable
!
R2:
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ipv6 address 2001:1:1::2/64
 ipv6 enable
!
R1#sh ipv6 interface
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is
...

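As an added example covering both the ICMPv6 message types of this post and the RA Guard policies of part two (code written for this page, not Cisco's implementation): it parses raw IPv6/ICMPv6 frames, names the message type, extracts the Prefix Information options of a Router Advertisement, and applies a host / router / trusted-port decision with an optional prefix list and source ACL, which is the behaviour the three policy types describe. The packet builders construct test frames with a zero ICMPv6 checksum; RaGuardPolicy, ra_guard and the other names are assumptions of this example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ICMPV6 = 58
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ICMPV6_NAMES = {128: "Echo Request", 129: "Echo Reply", 133: "Router Solicitation",
                134: "Router Advertisement", 135: "Neighbor Solicitation",
                136: "Neighbor Advertisement"}

def parse_ipv6(pkt):
    """Fixed IPv6 header only (no extension headers): (src, dst, next_header, payload)."""
    if len(pkt) < 40:
        raise ValueError("short packet")
    vtf, plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6 or len(pkt) < 40 + plen:
        raise ValueError("not IPv6 or truncated")
    return ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]), nh, pkt[40:40 + plen]

def parse_icmpv6(payload):
    """ICMPv6 header -> (type, code, body). The checksum is not verified (needs the pseudo-header)."""
    if len(payload) < 4:
        raise ValueError("short ICMPv6 message")
    typ, code, _csum = struct.unpack("!BBH", payload[:4])
    return typ, code, payload[4:]

def icmpv6_name(pkt):
    """Name of the ICMPv6 message in a raw IPv6 packet, or None if it is not ICMPv6."""
    _src, _dst, nh, payload = parse_ipv6(pkt)
    if nh != ICMPV6:
        return None
    typ = parse_icmpv6(payload)[0]
    return ICMPV6_NAMES.get(typ, f"type {typ}")

def nd_options(buf):
    """ND TLV options (RFC 4861): yields (type, data). Length is in 8-byte units; 0 is invalid."""
    while len(buf) >= 8:
        typ, length = buf[0], buf[1]
        if length == 0 or len(buf) < length * 8:
            raise ValueError("malformed ND option")
        yield typ, buf[2:length * 8]
        buf = buf[length * 8:]

def ra_prefixes(body):
    """Prefix Information options (type 3) of an RA; the RA options start after 12 fixed bytes."""
    nets = []
    for typ, data in nd_options(body[12:]):
        if typ == 3:  # data = prefix length, L/A flags, valid, preferred, reserved, prefix(16)
            nets.append(ipaddress.IPv6Network((ipaddress.IPv6Address(data[14:30]), data[0]), strict=False))
    return nets

@dataclass
class RaGuardPolicy:
    device_role: str                                 # "host", "router" or "trusted-port"
    prefix_list: list = field(default_factory=list)  # prefixes an RA may advertise (router role)
    source_acl: list = field(default_factory=list)   # allowed RA sources (router role); [] = any

    def __post_init__(self):
        self.prefix_list = [ipaddress.IPv6Network(p) for p in self.prefix_list]
        self.source_acl = [ipaddress.IPv6Network(s) for s in self.source_acl]

def ra_guard(policy, pkt):
    """Decision for one frame arriving on a port with this policy: 'permit' or 'drop (<reason>)'."""
    src, _dst, nh, payload = parse_ipv6(pkt)
    if nh != ICMPV6:
        return "permit"
    typ, _code, body = parse_icmpv6(payload)
    if typ != 134 or policy.device_role == "trusted-port":
        return "permit"                      # only RAs are policed; trusted ports skip validation
    if policy.device_role == "host":
        return "drop (RA received on host port)"
    if not src.is_link_local:
        return "drop (RA source is not link-local)"
    if policy.source_acl and not any(src in n for n in policy.source_acl):
        return "drop (RA source not permitted by ACL)"
    for p in ra_prefixes(body):
        if policy.prefix_list and not any(p.subnet_of(a) for a in policy.prefix_list):
            return f"drop (prefix {p} not in prefix list)"
    return "permit"

def build_icmpv6(src, dst, typ, body):
    """Constructed frame for testing: IPv6 header + ICMPv6 with the checksum left at zero."""
    payload = struct.pack("!BBH", typ, 0, 0) + body
    header = struct.pack("!IHBB", 6 << 28, len(payload), ICMPV6, 255)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def build_ra(src, prefix, router_lifetime=1800):
    """Constructed RA from 'src' to ff02::1 advertising one prefix with the L and A flags set."""
    net = ipaddress.IPv6Network(prefix)
    body = struct.pack("!BBHII", 64, 0, router_lifetime, 0, 0)  # hop limit, M/O flags, lifetimes
    body += bytes([3, 4, net.prefixlen, 0xC0]) + struct.pack("!III", 2592000, 604800, 0)
    body += net.network_address.packed
    return build_icmpv6(src, ALL_NODES, 134, body)
```

The order of the checks in ra_guard mirrors what matters on a real port: a non-link-local source is dropped before any ACL or prefix list is consulted, and a host-role port never lets an RA through regardless of its content.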


L2 security – IP Source Guard.

In the last post I presented Dynamic ARP Inspection, the feature that extends DHCP Snooping on Cisco switches. Today I'm going to talk about IP Source Guard, the next feature built on the DHCP Snooping binding table: it drops traffic from hosts that are not present in the table (dynamic or static entries). The feature can validate the source IP address alone, or the source IP and MAC address together.

I'm going to test the feature on the example below:

                     DHCP SERVER 
                        /----\
                       |  R1  |
                        \----/
                           | / fa1/0/9                    
                        -------         
                        | SW1 |   
                        |_____|
             fa1/0/11- /      \ -fa1/0/13
                      /        \       
                     /          \
                    /            \
              /----\
...



L2 security – Dynamic ARP Inspection.

When we enable DHCP Snooping (see my previous post) we should also consider Dynamic ARP Inspection. This feature protects against ARP poisoning: ARP packets received on untrusted ports are checked against the DHCP Snooping binding table, and packets whose sender MAC/IP pair does not match a binding are dropped.

Let's test this feature on the example below:

                     DHCP SERVER 
                        /----\
                       |  R1  |
                        \----/
                           | / fa1/0/9                    
                        -------         
                        | SW1 |   
                        |_____|
             fa1/0/11- /      \ -fa1/0/13
                      /        \       
                     /          \
                    /            \
              /----\               /----\
             |  R2  |             |  R3  |
              \----/               \----/
            DHCP CLIENT1         DHCP CLIENT2 

Initial configuration of R1:

!
interface GigabitEthernet0/0
 description link to SW1 Fas
...



L2 security – DHCP Snooping.

One of the security features that protect DHCP is DHCP Snooping. The main reasons to implement it:

  • Protect the network against rogue DHCP servers (server replies are accepted only on trusted ports)
  • Rate-limit the DHCP requests sent by clients on untrusted ports

Let's first test the DHCP process on the case below, without DHCP Snooping.

                     DHCP SERVER 
                        /----\
                       |  R1  |
                        \----/
                           | / fa1/0/9                    
                        -------         
                        | SW1 |   
                        |_____|
              fa1/0/4- /      \ -fa1/0/8
                      /        \       
                     /          \
                    /            \
              /----\               /----\
             | ASA1 |             | ASA2 |
              \----/               \----/
            DHCP CLIENT1         DHCP CLIENT2 

R1 (dhcp server):

...

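One added Python model (written for this page, not switch code) that ties together the three posts above: the DHCP Snooping binding table, Dynamic ARP Inspection and IP Source Guard, using the topology above (fa1/0/9 trusted towards the DHCP server R1, fa1/0/11 and fa1/0/13 untrusted client ports). The DHCP messages are passed in as fields rather than parsed from bytes, ARP packets are parsed from their raw 28-byte form, and names like L2Guard together with the per-second rate-limit bookkeeping are assumptions of this example.

```python
import ipaddress
import struct
from dataclasses import dataclass

INF = float("inf")

@dataclass
class Binding:
    mac: bytes
    ip: ipaddress.IPv4Address
    vlan: int
    port: str
    expires: float          # absolute time; INF for static entries

class L2Guard:
    """Binding table fed by DHCP snooping, plus the DAI and IP Source Guard checks built on it."""

    def __init__(self, trusted_ports, dhcp_rate_limit=15):
        self.trusted = set(trusted_ports)      # ports facing the DHCP server (fa1/0/9 on SW1)
        self.rate_limit = dhcp_rate_limit      # packets per second, like 'ip dhcp snooping limit rate'
        self.bindings = {}                     # (vlan, ip) -> Binding
        self.errdisabled = set()
        self._pending = {}                     # (vlan, client mac) -> untrusted port that sent the request
        self._rate = {}                        # port -> [count, window start]

    def add_static(self, mac, ip, vlan, port):
        ip = ipaddress.IPv4Address(ip)
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port, INF)

    def _lookup(self, vlan, ip, now):
        b = self.bindings.get((vlan, ip))
        if b is not None and b.expires <= now:
            del self.bindings[(vlan, ip)]      # lease expired: the binding goes away
            return None
        return b

    # --- DHCP snooping ---------------------------------------------------------------
    def on_dhcp(self, port, vlan, direction, msg_type, client_mac, yiaddr=None, lease=3600, now=0.0):
        """direction is 'request' (client->server) or 'reply' (server->client)."""
        if port in self.errdisabled:
            return "drop (port err-disabled)"
        if port not in self.trusted:
            if direction == "reply":
                return "drop (DHCP server reply on untrusted port)"   # rogue server
            count, start = self._rate.get(port, [0, now])
            if now - start >= 1.0:
                count, start = 0, now
            count += 1
            self._rate[port] = [count, start]
            if count > self.rate_limit:
                self.errdisabled.add(port)
                return "err-disable (DHCP rate limit exceeded)"
            self._pending[(vlan, client_mac)] = port
            return "forward"
        if direction == "reply" and msg_type == "ACK":
            client_port = self._pending.get((vlan, client_mac))
            if client_port is not None:
                ip = ipaddress.IPv4Address(yiaddr)
                self.bindings[(vlan, ip)] = Binding(client_mac, ip, vlan, client_port, now + lease)
        return "forward"

    # --- Dynamic ARP Inspection ------------------------------------------------------
    def on_arp(self, port, vlan, eth_src_mac, arp, now=0.0):
        """Validate the sender MAC/IP of a raw ARP packet against the binding for this port."""
        if port in self.trusted:
            return "forward"
        if len(arp) < 28:
            return "drop (truncated ARP)"
        hw, proto, hlen, plen, _op = struct.unpack("!HHBBH", arp[:8])
        if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
            return "drop (not Ethernet/IPv4 ARP)"
        sender_mac, sender_ip = arp[8:14], ipaddress.IPv4Address(arp[14:18])
        if sender_mac != eth_src_mac:           # 'ip arp inspection validate src-mac'
            return "drop (ARP sender MAC differs from frame source MAC)"
        b = self._lookup(vlan, sender_ip, now)
        if b is None or b.mac != sender_mac or b.port != port:
            return f"drop (no binding for {sender_ip}/{sender_mac.hex(':')} on {port})"
        return "forward"

    # --- IP Source Guard -------------------------------------------------------------
    def on_ip(self, port, vlan, src_mac, src_ip, now=0.0, verify_mac=True):
        """Source-IP (and optionally MAC) filter for an IP packet entering an untrusted port."""
        if port in self.trusted:
            return "forward"
        b = self._lookup(vlan, ipaddress.IPv4Address(src_ip), now)
        if b is None or b.port != port or (verify_mac and b.mac != src_mac):
            return f"drop (source {src_ip} not bound to {port})"
        return "forward"

def arp_packet(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet/IPv4 ARP payload (28 bytes) for testing."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + sender_mac + ipaddress.IPv4Address(sender_ip).packed
            + target_mac + ipaddress.IPv4Address(target_ip).packed)
```

The binding is only written when the ACK arrives on a trusted port and a request from that client was previously seen on an untrusted one, which is why a rogue server on fa1/0/13 can neither answer clients nor poison the table; hosts with static addresses need add_static, otherwise IP Source Guard drops them.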


L2 security – Spanning Tree Protocol features.

a) BPDU Guard – a feature that protects access ports: if a PortFast-enabled port receives a BPDU (which means a switch, not an end host, has been plugged in), the port is put into the err-disable state, so the foreign switch cannot take part in the spanning-tree topology. You can enable the feature globally (for all PortFast ports) or on an interface:

ASW1(config)#spanning-tree portfast bpduguard default

Below we can see what happens when we enable the interface and then plug a switch into this port:

*Mar  3 16:16:44.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  3 16:16:44.853: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar  3 16:16:44.904: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard enabled. Disabling port.
*Mar  3 16:16:44.904: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
*Mar  3 16:16:44.912: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  3 16:16:46.909: %LINK-3-UPDOWN: Interface
...

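The two %SPANTREE-2-BLOCK_BPDUGUARD and %PM-4-ERR_DISABLE lines are what a detection rule should key on. The following added Python example (written for this page, not taken from the switch) parses IOS syslog lines, pairs the BPDU Guard trigger with the err-disable action, normalises the long and short interface names (FastEthernet0/24 and Fa0/24 are the same port), and reports which ports are still err-disabled; a %PM-4-ERR_RECOVER line, logged when "errdisable recovery cause bpduguard" is configured, clears them. Without recovery configured the port stays down until someone does shutdown / no shutdown on it. Event, bpduguard_events and the other names are assumptions of this example; the sample log is copied from the output above.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the BPDU Guard output shown on this page.
SAMPLE_LOG = """\
*Mar  3 16:16:44.853: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar  3 16:16:44.904: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard enabled. Disabling port.
*Mar  3 16:16:44.904: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
*Mar  3 16:16:44.912: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
"""

# Generic IOS syslog shape: "*<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text"
SYSLOG = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
BPDU_RECEIVED = re.compile(r"Received BPDU on port (?P<port>\S+) with BPDU Guard enabled")
ERR_DISABLE = re.compile(r"(?P<reason>\w+) error detected on (?P<port>\S+), putting \S+ in err-disable state")
ERR_RECOVER = re.compile(r"Attempting to recover from (?P<reason>\w+) err-disable state on (?P<port>\S+)")

_ABBREV = [("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa")]

def normalize_port(name):
    """Long and short IOS interface names refer to the same port: FastEthernet0/24 -> Fa0/24."""
    for long, short in _ABBREV:
        if name.startswith(long):
            return short + name[len(long):]
    return name

@dataclass
class Event:
    ts: str
    port: str
    action: str      # "bpdu-received", "err-disable" or "recover"
    reason: str
    severity: int

def parse_line(line):
    """Split one syslog line into its fields, or return None for anything that is not IOS syslog."""
    m = SYSLOG.match(line.strip())
    return m.groupdict() if m else None

def bpduguard_events(log_text):
    """One Event per BPDU Guard trigger, err-disable action or recovery attempt found in the log."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sev = int(rec["sev"])
        if rec["mnemonic"] == "BLOCK_BPDUGUARD" and (m := BPDU_RECEIVED.search(rec["msg"])):
            events.append(Event(rec["ts"], normalize_port(m["port"]), "bpdu-received", "bpduguard", sev))
        elif rec["mnemonic"] == "ERR_DISABLE" and (m := ERR_DISABLE.search(rec["msg"])):
            events.append(Event(rec["ts"], normalize_port(m["port"]), "err-disable", m["reason"], sev))
        elif rec["mnemonic"] == "ERR_RECOVER" and (m := ERR_RECOVER.search(rec["msg"])):
            events.append(Event(rec["ts"], normalize_port(m["port"]), "recover", m["reason"], sev))
    return events

def errdisabled_ports(events):
    """Ports whose last recorded action was err-disable (no recovery attempt seen since)."""
    state = {}
    for e in events:
        if e.action == "err-disable":
            state[e.port] = True
        elif e.action == "recover":
            state[e.port] = False
    return {p for p, down in state.items() if down}
```

Fed with a syslog export, errdisabled_ports gives the list of access ports somebody plugged a switch into and that nobody has cleared yet, which is the thing worth alerting on rather than the individual lines.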