Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring Stateless IPv6 Router Advertisement Guard

Stateless IPv6 Router Advertisement (RA) guard enables the switch to examine incoming RA messages and filter them based on a predefined set of criteria. If the switch validates the content of the RA message, it forwards the RA message to its destination; otherwise, the RA message is dropped.

Before you can enable IPv6 RA guard, you must configure a policy with the criteria to be used for validating RA messages received on an interface. You can configure the policy to either accept or discard RA messages on the basis of whether they meet the criteria. The criteria are compared to information included in the RA messages. If the criteria for the policy includes source addresses or address prefixes, you must configure a list of the addresses before configuring the policy.

Configuring a Discard Policy for RA Guard

You can configure a discard policy to drop RA messages from predefined sources. You must first configure a list or lists of the source addresses or address prefixes, and then associate them with a policy. The following lists can be associated with discard policy:

  • source-ip-address-list

  • source-mac-address-list

  • prefix-list-name

Note:

You can include more than one type of list in a discard policy. If the information contained in a received RA message matches any one of the list parameters, then that RA message is discarded.

To configure a discard policy for RA guard:

  1. Define one or more lists of disallowed source addresses or address prefixes that RA guard will use to filter incoming RA messages. Add one address or address prefix per line in the configuration.
    • To define a list of IPv6 source addresses:

    • To define a list of IPv6 address prefixes:

    • To define a list of MAC source addresses:

  2. Configure the policy name:
  3. Specify the discard action:
  4. Associate the policy with the list or lists defined in Step 1. For example, to discard RA messages that match a source MAC address in the list:

Configuring an Accept Policy for RA Guard

You can configure an accept policy to forward RA messages on the basis of certain criteria. You can configure either match lists of source address or address prefixes as the criteria, or you can configure other match conditions, such as hop limit, configuration flags, or router preference as the criteria.

The following lists can be associated with an accept policy by using the match-list option:

  • source-ip-address-list

  • source-mac-address-list

  • prefix-list-name

Note:

You can associate more than one type of match list with an accept policy. If the match-all suboption is configured, then a received RA message must match all configured match lists in order to be forwarded; otherwise, it is discarded. If the match-any option is configured, then a received RA message must match any one of the configured match lists in order to be forwarded; if it does not match any of the configured lists, then it is discarded.

The following match conditions can be configured using the match-option option:

  • hop-limit—Configure the RA guard policy to verify the minimum or maximum hop count for an incoming RA message.

  • managed-config-flag—Configure the RA guard policy to verify that the managed address configuration flag of an incoming RA message is set.

  • other-config-flag—Configure the RA guard policy to verify that the other configuration flag of an incoming RA message is set.

  • router-preference-maximum—Configure the RA guard policy to verify that the default router preference parameter value of an incoming RA message is lower than or equal to a specified limit.

Note:

The match-list and match-option options are used only in accept policies, not in discard policies.

To configure an accept policy for RA guard by using the match-list option:

  1. Define one or more lists of authorized source addresses or address prefixes that RA guard will use to filter incoming RA messages. Add one address or address prefix per line in the configuration.
    • To define a list of IPv6 source addresses:

    • To define a list of IPv6 address prefixes:

    • To define a list of MAC source addresses:

  2. Specify the policy name:
  3. Specify the accept action:
  4. Specify whether RA guard must meet the criteria in all lists or in any of the lists configured in 1:
    • To match on all lists:

    • To match on any of the lists:

  5. Associate the accept policy with the list or lists configured in Step 1. For example:

To configure an accept policy for RA guard using the match-option option:

  1. Specify the policy name:

  2. Specify the accept action:

  3. Specify the match conditions by using the match-option option. For example, to specify a match on the maximum number of hops:

Enabling Stateless RA Guard on an Interface

You can enable stateless RA guard on an interface. You must first configure a policy, which is applied to incoming RA messages on the interface or interfaces. After you apply a policy to an interface, you must also enable RA guard on the corresponding VLAN; otherwise, the policy applied to the interface does not have any impact on received RA packets.

To enable stateless RA guard on an interface:

  1. Apply a policy to an interface:
  2. Configure the stateless option on the interface:
  3. Enable stateless RA guard on the corresponding VLAN:

Enabling Stateless RA Guard on a VLAN

You can enable stateless RA guard on a per-VLAN basis or for all VLANs. You must first configure a policy, which is used to validate incoming RA messages in the learning state.

To enable stateless RA guard on a specific VLAN:

  1. Apply a policy to a VLAN.
  2. Configure the stateless option on the VLAN:

To enable stateless RA guard on all VLANs:

  1. Apply a policy to all VLANs.

    Note:

    If a policy has been configured for a specific VLAN using the command set forwarding-options access-security router-advertisement-guard vlans vlan-name policy policy-name, that policy takes priority over the policy applied globally to all VLANs.

  2. Configure the stateful option on all VLANs:

Configuring an Interface as Trusted or Blocked to Bypass Inspection by RA Guard

You can configure an interface as trusted or blocked to bypass inspection of RA messages by RA guard. When an RA message is received on a trusted or blocked interface, it is not subject to validation against the configured policy. A trusted interface forwards all RA messages. A blocked interface discards all RA messages.

  • To configure an interface as trusted:
  • To configure an interface as blocked: