- IPv6 Addressing and Basic Connectivity
- IPv6 Unicast Routing
- IPv6 Anycast Address
- IPv6 Switching: Cisco Express Forwarding and Distributed Cisco Express Forwarding Support
- IPv6 Services: AAAA DNS Lookups over an IPv4 Transport
- IPv6 MTU Path Discovery
- ICMP for IPv6
- IPv6 ICMP Rate Limiting
- ICMP for IPv6 Redirect
- IPv6 Neighbor Discovery
- IPv6 Neighbor Discovery Cache
- IPv6 Default Router Preference
- IPv6 Stateless Autoconfiguration
- IPv6 Generic Prefix
- IPv6 Support on BVI Interfaces
- IPv6 RA Guard
- Telnet Access over IPv6
- IPv6 Support for TFTP
- SSH Support Over IPv6
- SNMP over IPv6
- IPv6 MIBs
- IPv6 Embedded Management Components
- IPv6 CNS Agents
- IPv6 HTTP(S)
- IP SLAs for IPv6
- IPv6 RFCs
IPv6 RA Guard
The IPv6 RA Guard feature provides support for allowing the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network device platform.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for IPv6 RA Guard
-
The IPv6 RA guard feature does not offer protection in environments where IPv6 traffic is tunneled.
- This feature is supported only in hardware when the Ternary Content Addressable memory (TCAM) is programmed.
- This feature can be configured on a switch port interface in the ingress direction.
- This feature supports host mode and router mode.
- This feature is supported only in the ingress direction; it is not supported in the egress direction.
- This feature is supported on EtherChannel, but not on EtherChannel port members.
- This feature is not supported on trunk ports with merge mode.
- This feature is supported on auxiliary VLANs and private VLANs (PVLANs). In the case of PVLANs, primary VLAN features are inherited and merged with port features.
- Packets dropped by the RA guard feature can be spanned.
- If the platform ipv6 acl icmp optimize neighbor-discovery command is configured, the RA guard feature cannot be configured and an error message will be displayed. This command adds default global Internet Control Message Protocol (ICMP) entries that will override the RA guard ICMP entries.
Information About IPv6 RA Guard
IPv6 Global Policies
IPv6 global policies provide storage and access policy database services. IPv6 neighbor discovery (ND) inspection and the IPv6 Router Advertisement (RA) Guard are IPv6 global policies features. Every time an ND inspection or RA guard is configured globally, the policy attributes are stored in the software policy database. The policy is then applied to an interface, and the software policy database entry is updated to include this interface to which the policy is applied.
IPv6 RA Guard
The IPv6 RA Guard feature provides support for allowing the network administrator to block or reject unwanted or rogue router advertisement (RA) guard messages that arrive at the network device platform. RAs are used by devices to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 (L2) device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.
How to Configure IPv6 RA Guard
Configuring the IPv6 RA Guard Policy
DETAILED STEPS
Configuring the IPv6 RA Guard on a Specified Interface
DETAILED STEPS
Configuration Examples for IPv6 RA Guard
Example: IPv6 RA Guard Configuration
Device(config)# interface fastethernet 3/13
Device(config-if)# ipv6 nd raguard attach-policy
Device# show running-config interface fastethernet 3/13
Building configuration...
Current configuration : 129 bytes
!
interface FastEthernet3/13
switchport
switchport access vlan 222
switchport mode access
access-group mode prefer port
ipv6 nd raguard
end
Example: IPv6 ND Inspection and RA Guard Configuration
This example provides information about an interface on which both the neighbor discovery (ND) inspection and router advertisement (RA) guard features are configured:
Device# show ipv6 snooping capture-policy interface ethernet 0/0
Hardware policy registered on Ethernet 0/0
Protocol Protocol value Message Value Action Feature
ICMP 58 RS 85 punt RA Guard
punt ND Inspection
ICMP 58 RA 86 drop RA guard
punt ND Inspection
ICMP 58 NS 87 punt ND Inspection
ICM 58 NA 88 punt ND Inspection
ICMP 58 REDIR 89 drop RA Guard
punt ND Inspection
Additional References
Related Documents
| Related Topic | Document Title |
|---|---|
| IPv6 addressing and connectivity |
IPv6 Configuration Guide |
| Cisco IOS commands |
|
| IPv6 commands |
Cisco IOS IPv6 Command Reference |
| Cisco IOS IPv6 features |
Cisco IOS IPv6 Feature Mapping |
Standards and RFCs
| Standard/RFC | Title |
|---|---|
| RFCs for IPv6 |
IPv6 RFCs |
MIBs
| MIB |
MIBs Link |
|---|---|
| No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
| Description | Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for IPv6 RA Guard
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Table 1 | Feature Information for IPv6 RA Guard |
| Feature Name | Releases | Feature Information |
|---|---|---|
| IPv6 RA Guard |
12.2(33)SXI4 12.2(50)SY 12.2(54)SG 15.0(2)SG 15.2(4)S 15.2(4)M Cisco IOS XE Release 3.2SG |
The IPv6 RA Guard feature provides support for allowing the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network device platform. The following commands were introduced or modified: debug ipv6 snooping raguard, device-role, hop-limit, ipv6 nd raguard attach-policy, ipv6 nd raguard policy, managed-config-flag, match ipv6 access-list, match ra prefix-list, other-config-flag, router-preference maximum, show ipv6 nd raguard policy. |
Glossary
- CA--certification authority.
- CGA--cryptographically generated address.
- CPA--certificate path answer.
- CPR--certificate path response.
- CPS--certification path solicitation. The solicitation message used in the addressing process.
- CRL--certificate revocation list.
- CS--certification server.
- CSR--certificate signing request.
- DAD--duplicate address detection. A mechanism that ensures two IPv6 nodes on the same link are not using the same address.
- DER--distinguished encoding rules. An encoding scheme for data values.
- nonce--An unpredictable random or pseudorandom number generated by a node and used once. In SeND, nonces are used to assure that a particular advertisement is linked to the solicitation that triggered it.
- non-SeND node--An IPv6 node that does not implement SeND but uses only the Neighbor Discovery protocol without security.
- NUD--neighbor unreachability detection. A mechanism used for tracking neighbor reachability.
- PACL--port-based access list.
- PKI--public key infrastructure.
- RA--router advertisement.
- RD--Router discovery allows the hosts to discover what devices exist on the link and what subnet prefixes are available. Router discovery is a part of the Neighbor Discovery protocol.
- Router Authorization Certificate--A public key certificate.
- SeND node--An IPv6 node that implements SeND.
- trust anchor--An entity that the host trusts to authorize devices to act as devices. Hosts are configured with a set of trust anchors to protect device discovery.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Feedback