- Index
- Preface
- Product Overview
- Virtual Switching Systems (VSS)
- Layer 2 LAN Port Configuration
- Flex Links
- EtherChannels
- IEEE 802.1ak MVRP and MRP
- VLAN Trunking Protocol (VTP)
- VLANs
- Private VLANs (PVLANs)
- Private Hosts
- IEEE 802.1Q Tunneling
- Layer 2 Protocol Tunneling
- Spanning Tree Protocols (STP, MST)
- Optional STP Features
- IP Unicast Layer 3 Switching
- Multiprotocol Label Switching (MPLS)
- MPLS VPN Support
- Ethernet over MPLS (EoMPLS)
- Virtual Private LAN Services (VPLS)
- Ethernet Virtual Connections (EVC)
- Layer 2 over Multipoint GRE (L2omGRE)
- IPv4 Multicast Layer 3 Features
- IPv4 Multicast IGMP Snooping
- IPv4 PIM Snooping
- IPv4 Multicast VLAN Registration (MVR)
- IPv4 IGMP Filtering
- IPv4 Router Guard
- IPv4 Multicast VPN Support
- IPv6 Multicast Layer 3 Features
- IPv6 MLD Snooping
- NetFlow Hardware Support
- Call Home
- System Event Archive (SEA)
- Backplane Platform Monitoring
- Local SPAN, RSPAN, and ERSPAN
- SNMP IfIndex Persistence
- Top-N Reports
- Layer 2 Traceroute Utility
- Mini Protocol Analyzer
- PFC QoS Overview
- PFC QoS Guidelines and Restrictions
- PFC QoS Classification, Marking, and Policing
- PFC QoS Policy Based Queueing
- PFC QoS Global and Interface Options
- AutoQoS
- MPLS QoS
- PFC QoS Statistics Data Export
- Cisco IOS ACL Support
- Cisco TrustSec (CTS)
- AutoSecure
- MAC Address-Based Traffic Blocking
- Port ACLs (PACLs)
- VLAN ACLs (VACLs)
- Policy-Based Forwarding (PBF)
- Denial of Service (DoS) Protection
- Control Plane Policing (CoPP)
- Dynamic Host Configuration Protocol (DHCP) Snooping
- IP Source Guard
- Dynamic ARP Inspection (DAI)
- Traffic Storm Control
- Unknown Unicast and Multicast Flood Control
- IEEE 802.1X Port-Based Authentication
- Configuring Web-Based Authentication
- Port Security
- Lawful Intercept
- Online Diagnostic Tests
- Migrating From a 12.2SX QoS Configuration
IPv4 Router Guard
•
Prerequisites for Router Guard
•Restrictions for Router Guard
•Information About Router Guard
•Default Settings for Router Guard
•How to Configure Router Guard
Note•For complete syntax and usage information for the commands used in this chapter, see these publications:
http://www.cisco.com/en/US/products/ps11845/prod_command_reference_list.html
•Cisco IOS Release 15.0SY supports only Ethernet interfaces. Cisco IOS Release 15.0SY does not support any WAN features or commands.
Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
Prerequisites for Router Guard
None.
Restrictions for Router Guard
None.
Information About Router Guard
The Router Guard feature allows you to designate a specified port only as a multicast host port and not as a multicast router port. Multicast router control packets received on this port are dropped.
Any port can become a multicast router port if the switch receives one of the multicast router control packets, such as IGMP general query, PIM hello, or CGMP hello. When a port becomes a multicast router port, all multicast traffic (both known and unknown source traffic) is sent to all multicast router ports. This cannot be prevented without Router Guard.
When configured, the Router Guard feature makes the specified port a host port only. The port is prevented from becoming a router port, even if a multicast router control packets are received.
In addition, any control packets normally received from multicast routers, such as IGMP queries and PIM joins, will also be discarded by this filter.
A Router Guard command applies a user policy to a Layer 3 SVI interface, a Layer 2 port, or a particular VLAN on a Layer 2 trunk port. The Layer 2 port may be an access port or a trunk port.
The Router Guard feature does not require IGMP snooping to be enabled.
Router Guard is implemented only for IPv4.
Router Guard is typically used in access switches connected to end-user boxes in Ethernet-to-home deployment scenarios.
The IPv4 multicast Router Guard feature is SSO-compliant.
The following packet types are discarded if they are received on a port that has Router Guard enabled:
•IGMP query messages
•IPv4 PIMv2 messages
•IGMP PIM messages (PIMv1)
•IGMP DVMRP messages
•RGMP messages
•CGMP messages
When these packets are discarded, statistics are updated indicating that packets are being dropped due to Router Guard.
Router Guard can be configured globally and per-interface. The global configuration initiates Router Guard for all Layer 2 ports, which can be modified with the interface configuration commands, for example, on ports where multicast routers are connected.
Default Settings for Router Guard
None.
How to Configure Router Guard
•Enabling Router Guard Globally
•Disabling Router Guard on Ports
•Clearing Router Guard Statistics
•Displaying Router Guard Configuration
•Displaying Router Guard Interfaces
Enabling Router Guard Globally
To enable Router Guard globally, perform this task:
|
|
|
|---|---|
Router# router-guard ip multicast switchports |
Enables Router Guard globally. |
Disabling Router Guard on Ports
To disable Router Guard on a Layer 2 port to which a multicast router is connected, perform this task:
This example shows how to allow multicast router messages on trunk port Gigabit Ethernet 3/46, VLAN 20:
Router# configure terminal
Router(config)# interface gigabitethernet 3/46
Router(config-if)# no router-guard ip multicast vlan 20
Clearing Router Guard Statistics
To clear Router Guard statistics, perform one of these tasks:
This example shows how to clear statistics for one particular VLAN on a trunk port:
Router# clear router-guard ip multicast statistics interface interface_name vlan v
Verifying the Router Guard Configuration
•Displaying Router Guard Configuration
•Displaying Router Guard Interfaces
Displaying Router Guard Configuration
To display the global Router Guard configuration and the Router Guard configuration for a specific interface, perform these tasks:
This example shows how to display the interface command output for a port in access mode with Router Guard not active:
Router# show router-guard interface g3/48
Router Guard for IP Multicast:
Globally enabled for all switch ports
Enabled on this interface
Packets denied:
IGMP Queries:
PIMv2 Messages:
PIMv1 Messages:
DVMRP Messages:
RGMP Messages:
CGMP Messages:
This example shows how to display the interface command output for a port in trunk mode:
Router# show router-guard interface g3/48
Router Guard for IP Multicast:
Globally enabled for all switch ports
Disabled on this interface
This example shows how to verify that a trunk port is carrying VLANs 10 and 20:
Router# show router-guard interface g3/46
Router Guard for IP Multicast:
Globally enabled for all switch ports
Default: Enabled for all VLANs on this interface
VLAN 10:
Enabled on this VLAN
Packets denied:
IGMP Queries:
PIMv2 Messages:
PIMv1 Messages:
DVMRP Messages:
RGMP Messages:
CGMP Messages:
VLAN 20 :
Disabled on this VLAN
Note If the port is in the shutdown state, the status will not be displayed because it cannot be determined whether the port is in trunk mode or access mode. You can use the show running-config interface xxxx command to display the Router Guard configuration.
Displaying Router Guard Interfaces
To display a list of all interfaces for which Router Guard is disabled, perform this task:
Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
Feedback