Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 51 Configuring Network Security with ACLs
Configuring RA Guard
Note: Beginning with Cisco IOS Release 15.0(2)SG, per-port RA Guard ACL statistics are supported and
displayed when you enter the show ipv6 snooping counters interface command. (Before this release,
you enter the show ipv6 first-hop counters interface command.)
Deployment
Figure 51-10 illustrates a deployment scenario for RA Guard. We drop RA packets from ports that are
connected to hosts and permit RA packets from ports connected to the Router.
Figure 51-10 Typical RA Guard Deployment
[Figure: Host A and Host B connect to a Catalyst 4500 Series Switch, which also connects to the Router. Labels: "Block incoming RA" on each host-facing port, "Allow incoming RA" on the router-facing port.]
Configuring RA Guard
To configure RA Guard, perform these steps:
Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 1
Command: Switch(config)# interface interface
Purpose: Enters interface mode.

Step 2
Command: Switch(config-if)# [no] ipv6 nd raguard
Purpose: Enables RA Guard on the switch.

Step 3
Command: Switch(config-if)# end
Purpose: Returns to privileged EXEC mode.

Step 4
Command: Switch# show ipv6 first-hop policies interface
Purpose: Shows the list of interfaces on which RA Guard has been enabled. The interface option allows you to determine whether RA Guard is configured on an interface.

Step 5
Command: Switch# show ipv6 first-hop counters interface
Purpose: Shows the number of packets dropped per port due to RA Guard. The counters can be displayed for a particular interface by using the interface option.
Note: If counters are not enabled for the port, the counter value is zero.

Step 6
Command: Switch# clear ipv6 snooping counters interface
Purpose: Clears RA Guard counters on a particular interface. The counters on all interfaces are cleared if the interface option is absent.