Cisco Catalyst 4500 Series Software Configuration Guide

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Configuring RA Guard
Introduction
When deploying IPv6 networks, routers are configured to use IPv6 Router Advertisements to convey
configuration information to hosts on-link. Router Advertisement is a critical part of the
autoconfiguration process. The conveyed information includes the implied default router address
obtained from the observed source address of the Router-Advertisement (RA) message. However, in
some networks, invalid RAs are observed. This may happen because of misconfigurations or
malicious attacks on the network.
Devices acting as rogue routers may send illegitimate RAs. When using IPv6 within a single Layer 2
network segment, you can enable Layer 2 devices to drop rogue RAs before they reach end-nodes.
Beginning with Cisco IOS Release 54(SG)SG on Supervisor Engine 6-E (and 6L-E); Cisco IOS XE
Release 3.3.0SG on Supervisor Engine 7-E; Cisco IOS XE Release 3.2.0XO on Supervisor Engine 7L-E,
and Cisco IOS XE Release 3.2.0XO on Supervisor Engine 8-E, the Catalyst 4500 Series Switch supports
RA Guard. This feature examines incoming Router-Advertisement and Router-Redirect packets and
decides whether to switch or block them based solely on information found in the message and in the
Layer 2 device configuration.
You can configure RA Guard in two modes (host and router) based on the device connected to the port.
• Host mode—All the Router-Advertisement and Router-Redirect messages are disallowed on the
port.
• Router mode—All messages (RA/RS/Redirect) are allowed on the port; only host mode is
supported.
You can configure Catalyst 4500 host ports to allow or disallow RA messages. Once a port is configured
to disallow the Router-Advertisement and Router-Redirect packets, it filters the content of the received
frames on that port and blocks Router-Advertisement or Router-Redirect frames.
When RA Guard is configured on a port, the following packets are dropped in hardware:
• Router-Advertisement packets—IPv6 ICMP packets with ICMP type = 134
• Router-Redirect packets—IPv6 ICMP packets with ICMP type = 137
Per-port RA Guard ACL statistics are supported and displayed when you enter a show ipv6 snooping
counters interface command. The statistics output displays the number of packets that have been
dropped per port due to RA Guard.
Note: Beginning with Cisco IOS Release 15.0(2)SG, per-port RA Guard ACL statistics are supported and
displayed when you enter a show ipv6 snooping counters interface command. (Before this release,
you entered the show ipv6 first-hop counters interface command.)
Deployment
Figure 62-10 illustrates a deployment scenario for RA Guard. We drop RA packets from ports that are
connected to hosts and permit RA packets from ports connected to the Router.
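
The following Python sketch is an added example, not Cisco code or switch configuration. It models the filtering rule described above: on a host-mode port, ICMPv6 type 134 and 137 frames are dropped and counted per port, while a router-mode port forwards everything. Assumptions: frames are untagged Ethernet, the ICMPv6 header directly follows the fixed 40-byte IPv6 header, and the port names and sample frames are constructed.

```python
import struct
from collections import Counter

ETHERTYPE_IPV6 = 0x86DD
ICMPV6 = 58                          # IPv6 Next Header value for ICMPv6
RA_TYPE, REDIRECT_TYPE = 134, 137    # ICMP types named in this section

def icmpv6_type(frame: bytes):
    """Return the ICMPv6 type carried in an untagged Ethernet frame, or None."""
    if len(frame) < 14 + 40 + 1:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 6 or ip[6] != ICMPV6:   # IP version, Next Header field
        return None
    return ip[40]                            # first byte of the ICMPv6 header

class RaGuardModel:
    """Toy model of per-port RA Guard filtering with drop counters."""
    def __init__(self, port_modes):
        self.port_modes = port_modes         # {"port name": "host" | "router"}
        self.dropped = Counter()             # per-port drop statistics

    def receive(self, port, frame):
        """Return True if the frame is forwarded, False if it is dropped."""
        if (self.port_modes.get(port) == "host"
                and icmpv6_type(frame) in (RA_TYPE, REDIRECT_TYPE)):
            self.dropped[port] += 1
            return False
        return True

def build_frame(icmp_type: int) -> bytes:
    """Constructed sample frame: Ethernet + IPv6 + minimal ICMPv6 header."""
    eth = (bytes.fromhex("333300000001") + bytes.fromhex("020000000001")
           + struct.pack("!H", ETHERTYPE_IPV6))
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + bytes(4)
    src = bytes.fromhex("fe80" + "00" * 13 + "01")   # link-local source
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")   # all-nodes multicast
    ipv6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255) + src + dst
    return eth + ipv6 + icmp

if __name__ == "__main__":
    sw = RaGuardModel({"Gi1/1": "host", "Gi1/2": "router"})
    for port, t in [("Gi1/1", 134), ("Gi1/1", 137), ("Gi1/1", 133), ("Gi1/2", 134)]:
        print(port, t, "forward" if sw.receive(port, build_frame(t)) else "drop")
    print(dict(sw.dropped))
```

The model does not follow IPv6 extension headers, so it reflects only the type-based rule stated in this section.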
