RA Guard Policy Configuration

Configure RA Guard to block or reject unwanted or rogue RA messages that arrive at the network device platform. You can view, create, or delete RA Guard policies.

Create RA Guard Policy

About this task

Use this procedure to create an RA Guard policy to block or reject unwanted or rogue RA messages that arrive at the network device platform.

Procedure

  1. In the navigation pane, expand Configuration > IPv6.
  2. Click FHS.
  3. Click the RA Guard Policy tab.
  4. Click Insert.
  5. Configure the parameters for the RA Guard policy.
  6. Click Insert.
  7. Optional: Click Refresh to update the results.

RA Guard Policy Field Descriptions

Use the data in the following table to use the RA Guard Policy tab.

Name

Description

PolicyName

Specifies the name of the RA Guard policy to be created or modified.

SrcAddrList

Specify the IPv6 access list name to verify the sender IPv6 address in the RA packets against the attached IPv6 access list.

Note:

The source address in the RA packet is not validated if the access-list is not attached.

If the list is attached and the IPv6 source address in the RA packet does not match any IPv6 prefix in the list, then the RA packet is dropped. To change this behavior, add an entry to the IPv6 access list with prefix 0::0/0 and access type allow. The default value then changes from drop to allow.

PrefixList

Specify the IPv6 prefix list name to verify the advertised prefixes in the RA packet against the attached IPv6 prefix list.

Note:

Advertised prefixes are not validated if the access-list is not attached.

If the list is attached and the advertised prefix in the RA packet does not match any IPv6 prefix in the list, then the RA packet is dropped. To change this behavior, add an entry to the IPv6 access list with prefix 0::0/0 and access type allow. The default value then changes from drop to allow.

MacAddrList

Specify the MAC list name to verify the sender source MAC address against the attached MAC access list.

Note:

The source MAC address in the RA packet is not validated if the access-list is not attached.

If the list is attached and the source MAC address in the RA packet does not match any MAC address in the list, then the RA packet is dropped.

ManagedConfigFlag

Select the managed configuration flag to verify managed address configuration in the advertised RA packet.

By default, none is selected and managed configuration flag validation is skipped.

RouterPrefMax

Select the router preference maximum to verify that the advertised default router preference parameter value is lower than or equal to a specified limit.

By default, none is selected and router preference validation is skipped.

HopLimitMin

Specify the minimum hop limit to verify the advertised hop count limit.

The value range is from 0 to 255.

By default, the minimum hop limit is 0.

HopLimitMax

Specify the maximum hop limit to verify the advertised hop count limit.

The value range is from 0 to 255.

By default, the maximum hop limit is 0. If both HopLimitMin and HopLimitMax are set to 0, then the hop limit parameter in the RA packet is not validated.
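
The validation rules in the field descriptions above, modelled as an added Python example (not vendor code and not the device's implementation). The parsed-RA dictionary layout, the "deny" access type, the longest-match rule for list entries, the low/medium/high preference names, and all sample values are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
PREF_RANK = {"low": 0, "medium": 1, "high": 2}  # assumed names for preference levels

@dataclass
class Policy:                                  # None models "list not attached" / "none"
    src_addr_list: Optional[list] = None       # [(ipv6_prefix, "allow" | "deny")]
    prefix_list: Optional[list] = None         # same entry shape as src_addr_list
    mac_addr_list: Optional[set] = None
    managed_config_flag: Optional[bool] = None
    router_pref_max: Optional[str] = None
    hop_limit_min: int = 0
    hop_limit_max: int = 0

def list_allows(entries, value):
    """No matching entry means drop; the longest match decides (assumed rule)."""
    net = ipaddress.ip_network(value, strict=False)
    hits = [(ipaddress.ip_network(p), action) for p, action in entries]
    hits = [h for h in hits if net.subnet_of(h[0])]
    return bool(hits) and max(hits, key=lambda h: h[0].prefixlen)[1] == "allow"

def evaluate(p, ra):
    """Return 'forward' or 'drop:<field>' for a parsed RA (hypothetical dict layout)."""
    if p.src_addr_list is not None and not list_allows(p.src_addr_list, ra["src"]):
        return "drop:SrcAddrList"
    if p.prefix_list is not None and not all(
            list_allows(p.prefix_list, pfx) for pfx in ra["prefixes"]):
        return "drop:PrefixList"
    if p.mac_addr_list is not None and ra["mac"].lower() not in p.mac_addr_list:
        return "drop:MacAddrList"
    if p.managed_config_flag is not None and ra["m_flag"] != p.managed_config_flag:
        return "drop:ManagedConfigFlag"
    if p.router_pref_max is not None and PREF_RANK[ra["pref"]] > PREF_RANK[p.router_pref_max]:
        return "drop:RouterPrefMax"
    # Hop limit is validated only when HopLimitMin and HopLimitMax are not both 0.
    if (p.hop_limit_min, p.hop_limit_max) != (0, 0) and not (
            p.hop_limit_min <= ra["hop_limit"] <= p.hop_limit_max):
        return "drop:HopLimit"
    return "forward"

# Constructed sample data (documentation prefix, locally administered MACs).
POLICY = Policy(src_addr_list=[("fe80::1/128", "allow")], mac_addr_list={"02:00:00:00:00:01"},
                prefix_list=[("2001:db8:10::/48", "allow")], router_pref_max="medium",
                hop_limit_min=64, hop_limit_max=64)
LEGIT_RA = {"src": "fe80::1", "mac": "02:00:00:00:00:01", "m_flag": False,
            "prefixes": ["2001:db8:10:1::/64"], "pref": "medium", "hop_limit": 64}
ROGUE_RA = {"src": "fe80::66", "mac": "02:00:00:00:00:99", "m_flag": False,
            "prefixes": ["2001:db8:99::/64"], "pref": "high", "hop_limit": 255}
```

An empty Policy() forwards every RA because nothing is attached, and adding ("0::0/0", "allow") to one list relaxes only that list: the remaining checks still apply.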

View RA Guard Policy

About this task

Use this procedure to display configured RA Guard policies.

Procedure

  1. In the navigation pane, expand Configuration > IPv6.
  2. Click FHS.
  3. Click the RA Guard Policy tab.

RA Guard Policy Field Descriptions

Use the data in the following table to use the RA Guard Policy tab.

Name

Description

PolicyName

Specifies the name of the RA Guard policy to be created or modified.

SrcAddrList

Specify the IPv6 access list name to verify the sender IPv6 address in the RA packets against the attached IPv6 access list.

Note:

The source address in the RA packet is not validated if the access-list is not attached.

If the list is attached and the IPv6 source address in the RA packet does not match any IPv6 prefix in the list, then the RA packet is dropped. To change this behavior, add an entry to the IPv6 access list with prefix 0::0/0 and access type allow. The default value then changes from drop to allow.

PrefixList

Specify the IPv6 prefix list name to verify the advertised prefixes in the RA packet against the attached IPv6 prefix list.

Note:

Advertised prefixes are not validated if the access-list is not attached.

If the list is attached and the advertised prefix in the RA packet does not match any IPv6 prefix in the list, then the RA packet is dropped. To change this behavior, add an entry to the IPv6 access list with prefix 0::0/0 and access type allow. The default value then changes from drop to allow.

MacAddrList

Specify the MAC list name to verify the sender source MAC address against the attached MAC access list.

Note:

The source MAC address in the RA packet is not validated if the access-list is not attached.

If the list is attached and the source MAC address in the RA packet does not match any MAC address in the list, then the RA packet is dropped.

ManagedConfigFlag

Select the managed configuration flag to verify managed address configuration in the advertised RA packet.

By default, none is selected and managed configuration flag validation is skipped.

RouterPrefMax

Select the router preference maximum to verify that the advertised default router preference parameter value is lower than or equal to a specified limit.

By default, none is selected and router preference validation is skipped.

HopLimitMin

Specify the minimum hop limit to verify the advertised hop count limit.

The value range is from 0 to 255.

By default, the minimum hop limit is 0.

HopLimitMax

Specify the maximum hop limit to verify the advertised hop count limit.

The value range is from 0 to 255.

By default, the maximum hop limit is 0. If both HopLimitMin and HopLimitMax are set to 0, then the hop limit parameter in the RA packet is not validated.

Delete an RA Guard Policy

About this task

Use this procedure to delete the created RA Guard policy.

Note

If this policy is already attached to an interface, then you cannot delete this policy.

Procedure

  1. In the navigation pane, expand Configuration > IPv6.
  2. Click FHS.
  3. Click the RA Guard Policy tab.
  4. Select a row from the RA Guard policies to delete.
  5. Click Delete.