[ietf86-tech] Disabled VLAN 351 (guestroom 5103, wired)

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Mon Mar 11 22:54:00 PDT 2013 

Hi,

at this point I conclude that I would want a PC and get rid of the Juniper
or I'll just be demanding and not helpful anymore but wasting more
time on this is making me grumpy now.   The much I love Juniper, the
more I fix a FreeBSD (kernel).

This is the 3rd night with guests and the 3rd night in a debugging
session and I was not able to find a way to filter rouge RAs on the
irb (bridge) stuff.  The proper filters can only be generated in
family inet6 but not in family bridge and fimaly inet6 cannot be
applied to any useful interface in this configuration.

At least I now know the 12.3 Firewall Filters Configuration Guide
for Ipv6 very well;-)   I'd much rather have learnt how to get DHCPv6
back from the Juniper which I still do not know.


Given whoever has two teredo announcers on the weird in his room,
which made most areas completely unuasble for me, and given the
Juniper cannot change RA prefs from medium to high at least,
the only way to stop this is to disable the VLAN.



05:32:15.934903 64:00:f1:ae:d7:1f > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 118: (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::6600:f1ff:feae:d71f > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 64
 	hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
 	  source link-address option (1), length 8 (1): 64:00:f1:ae:d7:1f
 	    0x0000:  6400 f1ae d71f
 	  mtu option (5), length 8 (1):  1500
 	    0x0000:  0000 0000 05dc
 	  prefix info option (3), length 32 (4): 2001::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
 	    0x0000:  40c0 0027 8d00 0009 3a80 0000 0000 2001
 	    0x0010:  0000 0000 0000 0000 0000 0000 0000
05:32:15.935011 f8:66:f2:6a:51:4a > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 118: (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::fa66:f2ff:fe6a:514a > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 64
 	hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
 	  source link-address option (1), length 8 (1): f8:66:f2:6a:51:4a
 	    0x0000:  f866 f26a 514a
 	  mtu option (5), length 8 (1):  1500
 	    0x0000:  0000 0000 05dc
 	  prefix info option (3), length 32 (4): 2001::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
 	    0x0000:  40c0 0027 8d00 0009 3a80 0000 0000 2001
 	    0x0010:  0000 0000 0000 0000 0000 0000 0000



bz at RtrA> show bridge mac-table f8:66:f2:6a:51:4a

MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
            SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Routing instance : default-switch
  Bridging domain : BD_NONE, VLAN : none
    MAC                 MAC      Logical          NH     RTR
    address             flags    interface        Index  ID
    f8:66:f2:6a:51:4a   D        ge-1/1/3.351

bz at RtrA> show bridge mac-table 64:00:f1:ae:d7:1f

MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
            SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Routing instance : default-switch
  Bridging domain : BD_NONE, VLAN : none
    MAC                 MAC      Logical          NH     RTR
    address             flags    interface        Index  ID
    64:00:f1:ae:d7:1f   D        ge-1/1/3.351



bz at RtrA# deactivate interfaces ge-1/1/3 unit 351

[edit]
bz at RtrA# show | compare 
[edit interfaces ge-1/1/3]
!     inactive: unit 351 { ... }

[edit]
bz at RtrA# commit check 
configuration check succeeds

[edit]
bz at RtrA# commit 
commit complete

[edit]
bz at RtrA#


Confirmed that this helps running

ndp -rn
ndp -Rn
ndp -rn
rtsol en0
ndp -rn
sleep 1800   # or maybe not that long just writing this email
ndp -rn

on OSX.



According to the spreadsheet this is Room 5103.    The person can still
use the Hotel wifi, in which case we'll have the entire problem there
and will NOT be able to stop it wihtout nuking large chunks of the network
offline.

Unless we will be able to filter this, the next windows box or
whatever will just do this again and again...


Jim, Warren,  tomorrow night I need to get work done, and I want sleep,
this will be your business.   Let me know if I can help however during
the day.


/bz

-- 
Bjoern A. Zeeb                                  Charles Haddon Spurgeon:
"Friendship is one of the sweetest joys of life.  Many might have failed
   beneath the bitterness of their trial  had they not found a friend."

More information about the ietf86-tech mailing list