IPv6 RA Guard
The IPv6 RA Guard feature lets the network administrator block or reject unwanted or rogue router advertisement (RA) messages that arrive at the network device platform.
Restrictions for IPv6 RA Guard
- The IPv6 RA Guard feature does not offer protection in environments where IPv6 traffic is tunneled.
- This feature is supported only in hardware when the ternary content addressable memory (TCAM) is programmed.
- This feature can be configured on a switch port interface in the ingress direction only; it is not supported in the egress direction.
- This feature supports host mode and router mode.
- This feature is not supported on EtherChannel and EtherChannel port members.
- This feature is not supported on trunk ports with merge mode.
- This feature is supported on auxiliary VLANs.
- Packets dropped by the IPv6 RA Guard feature can be spanned.
Information About IPv6 RA Guard
IPv6 Global Policies
IPv6 global policies provide storage and access policy database services. IPv6 ND inspection and IPv6 RA guard are IPv6 global policy features. Every time an ND inspection or RA guard policy is configured globally, the policy attributes are stored in the software policy database. The policy is then applied to an interface, and the software policy database entry is updated to include the interface to which the policy is applied.
IPv6 RA Guard
The IPv6 RA Guard feature lets the network administrator block or reject unwanted or rogue RA messages that arrive at the network device platform. RAs are used by routers to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port. In router mode, the RA guard feature compares the policy configured on the Layer 2 (L2) device (authorized sender addresses, authorized prefixes, hop limit, managed and other configuration flags, default router preference) with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame or router redirect frame against the policy, it forwards the RA to its unicast or multicast destination. If the RA frame content fails validation, the RA is dropped.
In wireless deployments, RAs arriving on wireless ports are dropped, because routers cannot reside on those interfaces.
How to Configure IPv6 RA Guard
Configuring the IPv6 RA Guard Policy on the Device
Procedure
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | enable | Enables privileged EXEC mode. |
| 2 | configure terminal | Enters global configuration mode. |
| 3 | ipv6 nd raguard policy policy-name | Defines the RA guard policy name and enters RA guard policy configuration mode. |
| 4 | device-role {host \| router} | Specifies the role of the device attached to the port. In host mode every RA and router redirect is dropped; in router mode the RA is validated against the checks configured in the following steps. |
| 5 | hop-limit {maximum \| minimum} limit | (Optional) Enables verification of the advertised hop count limit against the configured maximum or minimum value. |
| 6 | managed-config-flag {on \| off} | (Optional) Enables verification that the advertised managed address configuration (M) flag has the configured value. |
| 7 | match ipv6 access-list ipv6-access-list-name | (Optional) Enables verification of the sender's IPv6 address in inspected messages against the configured authorized device source access list. |
| 8 | match ra prefix-list ipv6-prefix-list-name | (Optional) Enables verification of the advertised prefixes in inspected messages against the configured authorized prefix list. |
| 9 | other-config-flag {on \| off} | (Optional) Enables verification of the advertised "other" configuration (O) flag. |
| 10 | router-preference maximum {high \| low \| medium} | (Optional) Enables verification that the advertised default router preference value is lower than or equal to the specified limit. |
| 11 | trusted-port | (Optional) Specifies that this policy is applied to trusted ports; RA guard validation is skipped on those ports. |
| 12 | exit | Exits RA guard policy configuration mode and returns to global configuration mode. |
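The validation that Steps 4 through 11 configure, and that the "IPv6 RA Guard" section above describes, modelled in software as an added example. This is illustrative code written for this page, not Cisco's implementation or the switch's TCAM logic; the policy field names, the subnet-of prefix match, and the constructed sample policy and frames (a legitimate router at fe80::1 advertising 2001:db8:1::/64, plus rogue and spoofed variants) are assumptions.

```python
# Added example, not Cisco code: a software model of the checks an IPv6 RA Guard
# policy applies to a Router Advertisement (RFC 4861; Prf bits per RFC 4191).
# Policy field names and the sample policy/frames below are assumptions.
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ICMPV6_RA, OPT_PREFIX_INFO = 134, 3
PREF_RANK = {"low": 0, "medium": 1, "high": 2}
PRF_CODE = {"high": 0b01, "medium": 0b00, "low": 0b11}
PRF_DECODE = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}  # 10 is reserved

@dataclass
class RAPolicy:
    """One 'ipv6 nd raguard policy'; each field mirrors a policy sub-command."""
    device_role: str = "host"                    # device-role {host | router}
    hop_limit_min: Optional[int] = None          # hop-limit minimum limit
    hop_limit_max: Optional[int] = None          # hop-limit maximum limit
    managed_config_flag: Optional[bool] = None   # managed-config-flag {on | off}
    other_config_flag: Optional[bool] = None     # other-config-flag {on | off}
    router_pref_max: Optional[str] = None        # router-preference maximum {high|low|medium}
    allowed_sources: List[str] = field(default_factory=list)   # match ipv6 access-list
    allowed_prefixes: List[str] = field(default_factory=list)  # match ra prefix-list
    trusted_port: bool = False                   # trusted-port

@dataclass
class RouterAdvertisement:
    cur_hop_limit: int
    managed: bool
    other: bool
    preference: str
    prefixes: List[ipaddress.IPv6Network]

def parse_ra(icmp: bytes) -> RouterAdvertisement:
    """Parse an RA's ICMPv6 payload (no IPv6 header); raises ValueError on junk."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    cur_hop_limit, flags, prefixes, off = icmp[4], icmp[5], [], 16
    while off < len(icmp):                   # TLV options, length in units of 8 octets
        if off + 2 > len(icmp):
            raise ValueError("truncated option")
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("bad option length")   # RFC 4861 6.1.2: discard the packet
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            addr = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, icmp[off + 2]), strict=False))
        off += opt_len
    return RouterAdvertisement(cur_hop_limit, bool(flags & 0x80), bool(flags & 0x40),
                               PRF_DECODE[(flags >> 3) & 0b11], prefixes)

def ra_guard_verdict(policy: RAPolicy, src: str, icmp: bytes) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason) for one RA received on a port with this policy."""
    if policy.trusted_port:
        return "forward", "trusted-port: validation skipped"
    if policy.device_role == "host":
        return "drop", "device-role host: RAs are not allowed on this port"
    try:
        ra = parse_ra(icmp)
    except ValueError as err:
        return "drop", f"malformed RA: {err}"
    if policy.allowed_sources and not any(
            ipaddress.IPv6Address(src) in ipaddress.IPv6Network(n) for n in policy.allowed_sources):
        return "drop", f"source {src} not permitted by access-list"
    if not (policy.hop_limit_min or 0) <= ra.cur_hop_limit <= (policy.hop_limit_max or 255):
        return "drop", f"hop-limit {ra.cur_hop_limit} outside policy limits"
    if policy.managed_config_flag is not None and ra.managed != policy.managed_config_flag:
        return "drop", "managed-config-flag mismatch"
    if policy.other_config_flag is not None and ra.other != policy.other_config_flag:
        return "drop", "other-config-flag mismatch"
    if policy.router_pref_max and PREF_RANK[ra.preference] > PREF_RANK[policy.router_pref_max]:
        return "drop", f"router-preference {ra.preference} above maximum"
    allowed = [ipaddress.IPv6Network(p) for p in policy.allowed_prefixes]
    for pfx in ra.prefixes:                  # simplification: subnet-of match, no ge/le
        if allowed and not any(pfx.subnet_of(a) for a in allowed):
            return "drop", f"advertised prefix {pfx} not in prefix-list"
    return "forward", "all checks passed"

def build_ra(hop_limit: int, managed: bool, other: bool, pref: str, prefixes: List[str]) -> bytes:
    """Build an RA payload for testing (checksum left 0: it needs the IPv6 pseudo-header)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | (PRF_CODE[pref] << 3)
    pkt = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags, 1800, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)       # Prefix Information option, L and A flags set
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        pkt += net.network_address.packed
    return pkt

# Constructed samples (assumed values): the legitimate router is fe80::1 advertising 2001:db8:1::/64.
ROUTER_POLICY = RAPolicy(device_role="router", hop_limit_min=64, hop_limit_max=255,
                         managed_config_flag=False, router_pref_max="medium",
                         allowed_sources=["fe80::1/128"], allowed_prefixes=["2001:db8:1::/64"])
HOST_POLICY = RAPolicy()                     # default device-role host: every RA dropped
LEGIT_RA = build_ra(64, False, True, "medium", ["2001:db8:1::/64"])
SPOOFED_HIGH_PREF = build_ra(64, False, True, "high", ["2001:db8:1::/64"])
SPOOFED_EXTRA_PREFIX = build_ra(64, False, True, "medium", ["2001:db8:1::/64", "2001:db8:bad::/64"])

if __name__ == "__main__":
    for src, frame in [("fe80::1", LEGIT_RA), ("fe80::bad", LEGIT_RA), ("fe80::1", SPOOFED_HIGH_PREF)]:
        print(src, ra_guard_verdict(ROUTER_POLICY, src, frame))
```

The order of checks is the point: an access list on the sender address alone does not stop a host that spoofs the legitimate router's link-local address, so the spoofed frames are caught only by the router-preference limit and the prefix list. A router-mode policy on an uplink should therefore carry more than a match ipv6 access-list line, and every access port should stay in the default host mode.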
Configuring IPv6 RA Guard on an Interface
SUMMARY STEPS
- enable
- configure terminal
- interface type number
- ipv6 nd raguard attach-policy [policy-name [vlan {add | except | none | remove | all} vlan [vlan1, vlan2, vlan3 ...]]]
- exit
- show ipv6 nd raguard policy [policy-name]
- debug ipv6 snooping raguard [filter | interface | vlanid]
DETAILED STEPS
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | enable | Enables privileged EXEC mode. |
| 2 | configure terminal | Enters global configuration mode. |
| 3 | interface type number | Specifies an interface type and number, and places the device in interface configuration mode. |
| 4 | ipv6 nd raguard attach-policy [policy-name [vlan {add \| except \| none \| remove \| all} vlan [vlan1, vlan2, vlan3 ...]]] | Applies the IPv6 RA Guard feature to the interface, optionally limited to the listed VLANs. With no policy name, the default RA guard policy is attached, as in the configuration example below. |
| 5 | exit | Exits interface configuration mode. |
| 6 | show ipv6 nd raguard policy [policy-name] | Displays the RA guard policy on all interfaces configured with RA guard. |
| 7 | debug ipv6 snooping raguard [filter \| interface \| vlanid] | Enables debugging for IPv6 RA guard snooping information. |
Configuration Examples for IPv6 RA Guard
Example: IPv6 RA Guard Configuration
```
Device(config)# interface fastethernet 3/13
Device(config-if)# ipv6 nd raguard attach-policy
Device# show running-config interface fastethernet 3/13
Building configuration...
Current configuration : 129 bytes
!
interface FastEthernet3/13
 switchport
 switchport access vlan 222
 switchport mode access
 access-group mode prefer port
 ipv6 nd raguard
end
```
Example: Configuring IPv6 ND Inspection and RA Guard
This example shows the hardware capture policy registered on an interface on which both the Neighbor Discovery Inspection and RA Guard features are configured. RA Guard drops RAs and redirects in hardware, while ND Inspection punts every ND message type to software:
```
Device# show ipv6 snooping capture-policy interface ethernet 0/0
Hardware policy registered on Ethernet 0/0
Protocol  Protocol value  Message  Value  Action  Feature
ICMP      58              RS       85     punt    RA Guard
                                          punt    ND Inspection
ICMP      58              RA       86     drop    RA Guard
                                          punt    ND Inspection
ICMP      58              NS       87     punt    ND Inspection
ICMP      58              NA       88     punt    ND Inspection
ICMP      58              REDIR    89     drop    RA Guard
                                          punt    ND Inspection
```