51-35
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 51 Configuring Network Security with ACLs
Configuring RA Guard
applied to the ingress traffic from Host A, the VACL is applied to the traffic, and finally the input
Router ACL is applied to the traffic that needs routing (that is, the merged results of the input PACL,
VACL, and input Router ACL are applied to the traffic).
Configuring RA Guard
This section includes these topics:
• Introduction, page 51-35
• Deployment, page 51-36
• Configuring RA Guard, page 51-36
• Examples, page 51-37
• Usage Guidelines, page 51-38
Introduction
When deploying IPv6 networks, routers are configured to use IPv6 Router Advertisements to convey
configuration information to hosts on the link. Router Advertisement is a critical part of the
autoconfiguration process. The conveyed information includes the implied default router address,
obtained from the observed source address of the Router-Advertisement (RA) message. However, in
some networks, invalid RAs are observed. This may happen because of misconfiguration or a malicious
attack on the network.
Devices acting as rogue routers may send illegitimate RAs. When using IPv6 within a single Layer 2
network segment, you can enable Layer 2 devices to drop rogue RAs before they reach end nodes.
Beginning with Cisco IOS Release 15.1(1)SG on Supervisor Engine 6-E (and 6L-E); Cisco IOS XE
Release 3.3.0SG on Supervisor Engine 7-E; and Cisco IOS XE Release 3.2.0XO on Supervisor Engine
7L-E, the Catalyst 4500 Series Switch supports RA Guard. This feature examines incoming
Router-Advertisement and Router-Redirect packets and decides whether to switch or block them based
solely on information found in the message and in the Layer 2 device configuration.
RA Guard defines two modes (host and router) based on the device connected to the port:
• Host mode—All Router-Advertisement and Router-Redirect messages are disallowed on the
port.
• Router mode—All messages (RA/RS/Redirect) are allowed on the port.
Note that only host mode is supported.
You can configure Catalyst 4500 host ports to allow or disallow RA messages. Once a port is configured
to disallow Router-Advertisement and Router-Redirect packets, the switch inspects the content of the
frames received on that port and blocks those that are Router-Advertisement or Router-Redirect frames.
When RA Guard is configured on a port, the following packets are dropped in hardware:
• Router-Advertisement packets—IPv6 ICMP packets with ICMP type = 134
• Router-Redirect packets—IPv6 ICMP packets with ICMP type = 137
Per-port RA Guard ACL statistics are supported and displayed when you enter the show ipv6 snooping
counters interface command. The statistics output displays the number of packets that have been
dropped per port by RA Guard.
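The following is an added example written for this section; it is not Cisco code and not what the Catalyst 4500 hardware runs. It models the host-mode filter described above in Python: each frame arriving on a port is classified, ICMPv6 type 134 (Router Advertisement) and type 137 (Redirect) are dropped and counted per port, and everything else (including Router Solicitations from hosts and ordinary TCP traffic) is forwarded. One caveat a practitioner should know: RFC 7113 points out that an RA Guard implementation that only looks for ICMPv6 at a fixed offset after the 40-byte IPv6 header can be evaded by inserting an extension header (Hop-by-Hop, Destination Options, a Fragment header) in front of the ICMPv6 header. The model therefore walks the whole header chain and, for comparison, includes a naive fixed-offset classifier that misses the hidden RA. Whether the Catalyst 4500 hardware filter walks extension headers is not stated on this page. The port name, the MAC and IPv6 addresses, and every frame below are constructed for the demonstration.

```python
"""Added example, not Cisco code: a software model of RA Guard host-mode
filtering. A frame is classified by walking the IPv6 header chain; ICMPv6
type 134 (Router Advertisement) and 137 (Redirect) are dropped and counted
per port, everything else is forwarded. All frames are constructed inline."""
import struct
from collections import Counter

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 0, 43, 44, 60
IPPROTO_ICMPV6, IPPROTO_TCP = 58, 6
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS}
ICMPV6_ROUTER_SOLICIT, ICMPV6_ROUTER_ADVERT, ICMPV6_REDIRECT = 133, 134, 137
RA_GUARD_BLOCKED = {ICMPV6_ROUTER_ADVERT, ICMPV6_REDIRECT}  # the two types the page says are dropped


def icmpv6_type(frame):
    """ICMPv6 type carried by an Ethernet frame, or None if it is not ICMPv6.
    Walks the extension-header chain (Hop-by-Hop, Routing, Fragment,
    Destination Options) so an RA hidden behind one is still found, as
    RFC 7113 advises. Raises ValueError if the chain is truncated."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 6:
        return None
    nxt, off = ip[6], 40
    while nxt in EXT_HEADERS:
        if off + 8 > len(ip):
            raise ValueError("truncated extension header chain")
        if nxt == IPPROTO_FRAGMENT:
            if struct.unpack("!H", ip[off + 2:off + 4])[0] >> 3 != 0:
                return None  # non-first fragment: carries no upper-layer header
            hdr_len = 8
        else:
            hdr_len = (ip[off + 1] + 1) * 8  # Hdr Ext Len is in 8-octet units, excluding the first
        nxt, off = ip[off], off + hdr_len
    if nxt != IPPROTO_ICMPV6:
        return None
    if off >= len(ip):
        raise ValueError("ICMPv6 header missing")
    return ip[off]


def naive_icmpv6_type(frame):
    """Fixed-offset classifier for comparison: only recognises ICMPv6 that
    immediately follows the base header, so it misses an RA behind an extension header."""
    ip = frame[14:]
    if len(frame) > 54 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV6 and ip[6] == IPPROTO_ICMPV6:
        return ip[40]
    return None


class RaGuardPort:
    """A switch port with RA Guard in host mode plus its per-port drop counters
    (the numbers a per-port RA Guard statistics display would report)."""

    def __init__(self, name):
        self.name = name
        self.dropped = Counter()

    def ingress(self, frame):
        """Return "drop" or "forward" for a frame arriving on this port."""
        try:
            t = icmpv6_type(frame)
        except ValueError:
            self.dropped["malformed"] += 1  # fail closed on a chain that cannot be parsed
            return "drop"
        if t in RA_GUARD_BLOCKED:
            self.dropped[t] += 1
            return "drop"
        return "forward"


def build_frame(next_header, body):
    """Ethernet + IPv6 base header around `body` (constructed test data:
    src fe80::1, dst ff02::1 all-nodes, dst MAC 33:33:00:00:00:01)."""
    eth = bytes.fromhex("333300000001") + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV6)
    ip6 = struct.pack("!IHBB", 0x60000000, len(body), next_header, 255)
    ip6 += bytes.fromhex("fe80" + "00" * 13 + "01") + bytes.fromhex("ff02" + "00" * 13 + "01")
    return eth + ip6 + body


def icmpv6(msg_type):
    """Minimal ICMPv6 message: type, code 0, zero checksum, 12 bytes of body."""
    return bytes([msg_type, 0, 0, 0]) + bytes(12)


def sample_frames():
    hbh = bytes([IPPROTO_ICMPV6, 0, 1, 4, 0, 0, 0, 0])   # 8-byte Hop-by-Hop header with a PadN option
    dst = bytes([IPPROTO_ICMPV6, 0, 1, 4, 0, 0, 0, 0])   # 8-byte Destination Options header
    frag = bytes([IPPROTO_ICMPV6, 0]) + struct.pack("!HI", 0x0001, 0x1234)  # first fragment, M flag set
    return {
        "router solicitation": build_frame(IPPROTO_ICMPV6, icmpv6(ICMPV6_ROUTER_SOLICIT)),
        "rogue router advertisement": build_frame(IPPROTO_ICMPV6, icmpv6(ICMPV6_ROUTER_ADVERT)),
        "redirect": build_frame(IPPROTO_ICMPV6, icmpv6(ICMPV6_REDIRECT)),
        "RA behind Hop-by-Hop": build_frame(IPPROTO_HOPOPTS, hbh + icmpv6(ICMPV6_ROUTER_ADVERT)),
        "RA behind Destination Options": build_frame(IPPROTO_DSTOPTS, dst + icmpv6(ICMPV6_ROUTER_ADVERT)),
        "RA in first fragment": build_frame(IPPROTO_FRAGMENT, frag + icmpv6(ICMPV6_ROUTER_ADVERT)),
        "tcp segment": build_frame(IPPROTO_TCP, bytes(20)),
        "hop-by-hop with no payload": build_frame(IPPROTO_HOPOPTS, hbh),
    }


def demo(port_name="GigabitEthernet1/1"):
    """Run every sample frame through one host-mode port; return (verdicts, drop counters)."""
    port = RaGuardPort(port_name)
    decisions = {name: port.ingress(f) for name, f in sample_frames().items()}
    return decisions, dict(port.dropped)


if __name__ == "__main__":
    verdicts, counters = demo()
    for name, verdict in verdicts.items():
        print(f"{verdict:8} {name}")
    print("per-port drop counters:", counters)
```

Running the block prints a verdict per frame and the drop counters keyed by ICMPv6 type, which is the per-port view the text says show ipv6 snooping counters interface gives on the switch. The design choice worth noting is that the classifier fails closed: a frame whose header chain claims an ICMPv6 header that is not actually present is dropped and counted as malformed rather than forwarded, which matches the RFC 7113 recommendation for first fragments that do not carry the full header chain.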