Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 54 Configuring Network Security with ACLs
Configuring RA Guard
Note Be aware that only RA (Router Advertisement) and REDIR (Router Redirected packets) counters are
supported in 12.2(54)SG.
Switch# show ipv6 nd raguard policy RA_GUARD
Policy RA_GUARD configuration:
  device-role router
Policy RA_GUARD is applied on the following targets:
Target    Type  Policy    Feature   Target range
Gi 1/1    PORT  RA_GUARD  RA guard  vlan all
Switch#
Note With Cisco Release IOS XE 3.4.0SG and IOS 15.1(2)SG, the show ipv6 nd raguard policy command
replaces the show ipv6 first-hop policies command.
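The policy output shown above lends itself to a simple audit: a policy with device-role router is the one meant for router-facing ports, so any port attached to it that is not a known uplink deserves a look. The following Python sketch is an added example, not part of the Cisco guide; the sample text is constructed from the output above, and the column spacing, the function names and the allow-list of expected router ports are assumptions.

```python
import re

# Constructed sample, modelled on the "show ipv6 nd raguard policy" output above;
# column spacing is an assumption (fields separated by two or more spaces).
SAMPLE = """\
Switch# show ipv6 nd raguard policy RA_GUARD
Policy RA_GUARD configuration:
  device-role router
Policy RA_GUARD is applied on the following targets:
Target    Type  Policy    Feature   Target range
Gi 1/1    PORT  RA_GUARD  RA guard  vlan all
Switch#
"""

def parse_raguard_policy(text):
    """Return {'name', 'device_role', 'targets'} from one policy's show output."""
    policy = {"name": None, "device_role": None, "targets": []}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Policy (\S+) configuration:", line)
        if m:
            policy["name"] = m.group(1)
        elif line.startswith("device-role "):
            policy["device_role"] = line.split()[1]
        elif line.startswith("Target"):
            in_table = True            # header row; data rows follow
        elif in_table:
            cols = re.split(r"\s{2,}", line)
            if len(cols) != 5:         # prompt or blank line ends the table
                in_table = False
                continue
            policy["targets"].append(dict(zip(
                ("target", "type", "policy", "feature", "range"), cols)))
    return policy

def ra_permitting_ports(policy, expected_router_ports):
    """Ports attached to a device-role router policy that are not on the
    allow-list of known router-facing ports (hypothetical audit input)."""
    if policy["device_role"] != "router":
        return []
    return [t["target"] for t in policy["targets"]
            if t["target"] not in expected_router_ports]

if __name__ == "__main__":
    p = parse_raguard_policy(SAMPLE)
    print(p)
    print("unexpected router-role ports:", ra_permitting_ports(p, {"Gi 1/2"}))
```
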
Usage Guidelines
Observe the following restrictions:
• RA Guard is an ingress feature; only IPv6 Router-Advertisement and Router-Redirect packets entering
through the port are filtered.
• RA Guard does not offer protection in environments where IPv6 traffic is tunneled.
• Starting with IOS XE 3.4.0SG/15.1(2)SG, RA Guard is supported in software. In prior releases, this
feature is supported only in hardware; packets are not punted to software except under resource
exhaustion (for example, TCAM memory exhaustion).
• RA Guard is purely a Layer 2 port-based feature and can be configured only on switchports. It
works irrespective of whether IPv6 routing is enabled. It is supported on switchports and VLANs.
• RA Guard is supported on trunk ports and VLANs; filtering is performed on packets arriving from
all the allowed VLANs.
• Starting with IOS XE 3.4.0SG/15.1(2)SG, RA Guard is not supported on EtherChannel. In prior
releases, RA Guard is supported on EtherChannel; the RA Guard configuration (whether present or
not) on the EtherChannel overrides the RA Guard configuration on the member ports.
• RA Guard is supported on ports that belong to PVLANs (for example, isolated secondary host ports,
community secondary host ports, promiscuous primary host ports, and (primary/secondary) trunk ports).
Primary VLAN features are inherited and merged with port features.
• Starting with IOS XE 3.4.0SG/15.1(2)SG, RA Guard is supported on SUP-6, SUP6L-E, 4948E,
SUP-7E, SUP7L-E, SUP8-E, 4500X-32, and 4500X-16 platforms. In prior releases, because of
hardware limitations, it may not be possible for Catalyst 4900M, Catalyst 4948E, Catalyst 4948L-E,
Supervisor Engine 6-E, Supervisor Engine 6L-E, Supervisor Engine 7-E and Supervisor Engine
7L-E to collect statistics for RA Guard in hardware. If so, an error message is displayed.
The show ipv6 snooping counter interface command displays the estimated counters.
Note Beginning with Cisco IOS Release 15.0(2)SG, per-port RA Guard ACL statistics are supported
and displayed when you enter a show ipv6 snooping counters interface command. (Before
this release, you entered the show ipv6 first-hop counters interface command.)