51-38
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 51 Configuring Network Security with ACLs
Configuring RA Guard
Usage Guidelines
Observe the following restrictions:
• It is an ingress feature; only IPv6 Router-Advertisement and Router-Redirect packets entering
through the port are filtered.
• RA Guard does not offer protection in environments where IPv6 traffic is tunneled.
• This feature is supported only in hardware; packets are not punted to software except under resource
exhaustion (for example, TCAM memory exhaustion).
• RA Guard is purely an Layer 2 port based feature and can be configured only on switchports. It
works irrespective of whether IPv6 routing is enabled. It is not supported on router interfaces and
VLANs.
• RA Guard is supported on trunk ports; filtering is performed on packets arriving from all the allowed
VLANs.
• RA Guard is supported on EtherChannel; the RA Guard configuration (whether present or not) on
the EtherChannel overrides the RA Guard configuration on the member ports.
• RA Guard is supported on ports that belong to PVLANs (for example, isolated secondary host ports,
community secondary host ports, promiscuous primary host ports, (primary/secondary) trunk ports.
Primary VLAN features are inherited and merged with port features.
• Because of hardware limitations, it may not be possible for Catalyst 4900M, Catalyst 4948E,
Catalyst 4948L-E, Supervisor Engine 6-E, Supervisor Engine 6L-E, Supervisor Engine 7-E and
Supervisor Engine 7L-E to collect statistics for RA Guard in hardware. If so, an error message is
displayed.
The show ipv6 snooping counter interface command displays the estimated counters
.
Note Beginning with Cisco IOS Release 15.0(2)SG, per port RA Guard ACL statistics are supported
and displayed when you enter a show ipv6 snooping counters interface command. (Previous to
this release, you enter the show ipv6 first-hop counters interface command.)
To Next Page
Loading...
