| Feature | Product | Release introduced |
|---|---|---|
| IPv6 Router Advertisement (RA) Guard | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7400 Series | VOSS 8.0 |

IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network through ICMPv6 router discovery messages. When the host is connected to the network for the first time, it sends a link-local router solicitation multicast request for its configuration parameters. If the host is configured correctly, routers respond to the request with a Router Advertisement (RA) packet. The RA packet contains network-layer configuration parameters.
In addition to filtering RAs, RA Guard introduces the concept of a router authorization proxy. Instead of each node on the link analyzing RAs and making an individual decision, a legitimate adversary-in-the-middle performs the analysis on behalf of all other nodes on the link.
Stateless and stateful RA Guard functions are available. The switch supports only the stateless RA Guard function.
Stateless RA Guard examines incoming RAs and decides whether to forward or block them based on the information found in the message or in the Layer 2 device configuration. The following list identifies the typical information available in the received frames that is used for RA validation:
- Port on which the frame is received
- Source IPv6 address
- Prefix list that the RA carries
- Link-layer address of the sender
After the Layer 2 device successfully validates the RA packet content against the configuration, the RA is forwarded to its destination, whether unicast or multicast. If the validation fails, the RA is dropped at the Layer 2 device.
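
The stateless forward-or-drop decision described above can be modeled as follows. This is an added example, not the switch's implementation or CLI; the policy layout, the port name `1/1`, and all addresses and prefixes are constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX = 134, 3  # ICMPv6 RA type and Prefix Information option (RFC 4861)

def ra_prefixes(icmp: bytes):
    """Return the prefixes carried in an ICMPv6 Router Advertisement body."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16                      # options follow the 16-byte RA header
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option")
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX and opt_len == 32:
            body = icmp[off + 2: off + 32]      # body[0] = prefix length, body[14:30] = prefix
            prefixes.append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        off += opt_len
    return prefixes

def ra_guard(policy, port, src_mac, src_ip, icmp):
    """Stateless decision: uses only the received frame and the static policy."""
    rule = policy.get(port)
    if rule is None:                            # port is not configured as router-facing
        return "drop"
    try:
        prefixes = ra_prefixes(icmp)
    except ValueError:                          # malformed RAs are never forwarded
        return "drop"
    ok = (src_mac.lower() in rule["macs"]
          and ipaddress.IPv6Address(src_ip) in rule["sources"]
          and all(p in rule["prefixes"] for p in prefixes))
    return "forward" if ok else "drop"

def build_ra(prefix: str) -> bytes:
    """Constructed sample RA with one Prefix Information option (checksum left at 0)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + opt + net.network_address.packed

# Constructed policy: only port "1/1" faces an authorized router.
POLICY = {"1/1": {"macs": {"00:00:5e:00:53:01"},
                  "sources": {ipaddress.IPv6Address("fe80::1")},
                  "prefixes": {ipaddress.IPv6Network("2001:db8:1::/64")}}}

if __name__ == "__main__":
    print(ra_guard(POLICY, "1/1", "00:00:5e:00:53:01", "fe80::1", build_ra("2001:db8:1::/64")))
```

An RA that fails any single check (wrong port, unlisted source address or link-layer address, unexpected prefix, or a malformed option) is dropped, which matches the all-or-nothing validation described above.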