Configure RA Guard in RA Guard Mode

About this task

Use this procedure to configure an RA Guard policy in RA Guard configuration mode.

Procedure

  1. Enter RA Guard Configuration mode.

    enable

    configure terminal

    ipv6 fhs ra-guard policy WORD<1–64>

  2. Configure the filter to match the IPv6 prefixes advertised in RA packets.

    match ra-prefix-list WORD<1–64>

  3. Remove RA Guard filtering for the advertised prefixes.

    no match ra-prefix-list

    OR

    default match ra-prefix-list

  4. Configure the filter to match the source MAC address of RA packets.

    match ra-macaddr-list WORD<1–64>

  5. Remove the source MAC address-based RA Guard filtering.

    no match ra-macaddr-list

    OR

    default match ra-macaddr-list

  6. Configure the filter to match the source IPv6 address of RA packets.

    match ra-srcaddr-list WORD<1–64>

  7. Remove the source IPv6 address-based RA Guard filtering.

    no match ra-srcaddr-list

    OR

    default match ra-srcaddr-list

  8. Enable managed address configuration flag verification in the advertised RA packet.

    managed-config-flag <none | on | off>

  9. Enable advertised hop count limit verification.

    hop-limit {maximum | minimum} <0–255>

  10. Enable the advertised default router-preference parameter value verification.

    router-preference maximum {none | high | low | medium}

Variable Definitions

The following list defines the parameters used to configure an RA Guard policy. Each variable is followed by its description.

match ra-prefix-list WORD<1–64>

Verifies the advertised prefixes in RA packets against the configured authorized prefix list.

Note:

The RA packet's sender IPv6 address is not validated if no IPv6 source access list is attached to the RA Guard policy.

If the list is attached and the RA packet's sender IPv6 address does not match any entry in that IPv6 prefix list, the RA packet is dropped. To change this behavior, add an entry with the IPv6 prefix "0::0/0" and the Allow option; the default action then changes from Drop to Allow.

{no | default} match ra-prefix-list

Removes the advertised prefix-based RA Guard filtering.

match ra-macaddr-list WORD<1–64>

Verifies the sender's source MAC address against the configured MAC access list.

Note:

Advertised prefixes in the RA packet are not validated if no IPv6 prefix list is attached to the RA Guard policy.

If the list is attached and the sender's MAC address does not match any MAC in the list, the RA packet is dropped.

{no | default} match ra-macaddr-list

Removes the source MAC address-based RA Guard filtering for the specified MAC address access list names.

match ra-srcaddr-list WORD<1–64>

Verifies the sender's source IPv6 address against the configured list.

Note:

Inspection is not performed if the access list is not attached.

If the list is attached and the sender's IPv6 address does not match any entry in the list, the RA packet is dropped. To change this behavior, add a dummy IPv6 address "0:0:0:0:0:0" to the list with the Allow option; the default action then changes from Drop to Allow.

{no | default} match ra-srcaddr-list

Removes the source IPv6 address-based RA Guard filtering for the specified IPv6 address access list names.

managed-config-flag <none | on | off>

Verifies the managed address configuration flag in the advertised RA packet.

By default, the value is none and the check is bypassed.

hop-limit {maximum | minimum} <0–255>

Verifies the advertised hop count limit. The limit value range is 0 to 255.

When changing the minimum or maximum value, ensure that the maximum value is greater than the minimum value.

By default, both the minimum and maximum limits are 0, and the hop-limit check is bypassed.

router-preference maximum {none | high | low | medium}

Verifies that the advertised default router-preference parameter value is lower than or equal to the specified limit.

By default, the value is none and the check is bypassed.
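As an added illustration of the procedure steps and the variable definitions above (this is example code written for this page, not code from the original page or from the switch vendor), the following Python model applies an RA Guard policy to constructed Router Advertisement records. It reproduces the semantics described in the list: a list that is not attached, a managed-config-flag of none, hop limits of 0/0 and a router-preference maximum of none each bypass their check, while an attached list with no matching entry drops the packet unless a catch-all Allow entry such as "0::0/0" is present. The class, function and list names (RaGuardPolicy, RaPacket, evaluate), the (value, action) access-list entry format, and all MAC and IPv6 addresses are assumptions made for this example.

```python
# Added illustration of the RA Guard policy semantics on this page. It is a
# Python model written for this page, not switch firmware; RaGuardPolicy,
# RaPacket, evaluate and the (value, "allow"/"deny") entry format are assumptions.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Callable, List, Optional, Tuple

ROUTER_PREF_RANK = {"low": 0, "medium": 1, "high": 2}
Entry = Tuple[str, str]  # (prefix, MAC or address, action)


@dataclass
class RaPacket:
    """Fields of a Router Advertisement that the policy inspects (constructed)."""
    src_mac: str
    src_ip: str
    prefixes: List[str]
    managed_flag: bool       # the M (managed address configuration) flag
    hop_limit: int           # advertised Cur Hop Limit
    router_preference: str   # "low", "medium" or "high"


@dataclass
class RaGuardPolicy:
    """One 'ipv6 fhs ra-guard policy' with the options from the procedure.

    A list attribute of None models "no list attached", so that check is bypassed,
    as the variable definitions describe. Defaults mirror the page's defaults.
    """
    ra_prefix_list: Optional[List[Entry]] = None    # match ra-prefix-list
    ra_macaddr_list: Optional[List[Entry]] = None   # match ra-macaddr-list
    ra_srcaddr_list: Optional[List[Entry]] = None   # match ra-srcaddr-list
    managed_config_flag: str = "none"               # managed-config-flag
    hop_limit_minimum: int = 0                      # hop-limit minimum
    hop_limit_maximum: int = 0                      # hop-limit maximum
    router_preference_maximum: str = "none"         # router-preference maximum

    def __post_init__(self) -> None:
        # The page requires maximum > minimum whenever the hop-limit check is active.
        if (self.hop_limit_minimum or self.hop_limit_maximum) and \
                self.hop_limit_maximum <= self.hop_limit_minimum:
            raise ValueError("hop-limit maximum must be greater than minimum")


def _lookup(entries: List[Entry], matches: Callable[[str], bool]) -> str:
    """First matching entry decides; no match yields the page's default, Drop."""
    for value, action in entries:
        if matches(value):
            return action
    return "deny"


def evaluate(policy: RaGuardPolicy, ra: RaPacket) -> Tuple[str, Optional[str]]:
    """Return ("forward", None) or ("drop", reason) for one RA under the policy."""
    # match ra-prefix-list: every advertised prefix must fall under an Allow entry.
    if policy.ra_prefix_list is not None:
        for adv in ra.prefixes:
            adv_net = IPv6Network(adv)
            if _lookup(policy.ra_prefix_list,
                       lambda v: adv_net.subnet_of(IPv6Network(v))) != "allow":
                return "drop", f"prefix {adv} not authorized"
    # match ra-macaddr-list: the sender MAC must match an Allow entry.
    if policy.ra_macaddr_list is not None:
        mac = ra.src_mac.lower()
        if _lookup(policy.ra_macaddr_list, lambda v: v.lower() == mac) != "allow":
            return "drop", f"source MAC {ra.src_mac} not authorized"
    # match ra-srcaddr-list: the sender IPv6 address must match an Allow entry.
    if policy.ra_srcaddr_list is not None:
        src = IPv6Address(ra.src_ip)
        if _lookup(policy.ra_srcaddr_list, lambda v: src in IPv6Network(v)) != "allow":
            return "drop", f"source address {ra.src_ip} not authorized"
    # managed-config-flag: none bypasses; otherwise the M flag must equal the setting.
    if policy.managed_config_flag != "none":
        if ra.managed_flag != (policy.managed_config_flag == "on"):
            return "drop", "managed address configuration flag mismatch"
    # hop-limit: both limits at 0 bypass the check; otherwise enforce the range.
    if policy.hop_limit_minimum or policy.hop_limit_maximum:
        if not policy.hop_limit_minimum <= ra.hop_limit <= policy.hop_limit_maximum:
            return "drop", f"hop limit {ra.hop_limit} outside configured range"
    # router-preference maximum: advertised preference must be <= the limit.
    if policy.router_preference_maximum != "none":
        if ROUTER_PREF_RANK[ra.router_preference] > ROUTER_PREF_RANK[policy.router_preference_maximum]:
            return "drop", f"router preference {ra.router_preference} above limit"
    return "forward", None


# Constructed policy mirroring the CLI sequence on this page: one authorized
# prefix, one authorized router MAC, hop-limit 1..64, router-preference maximum medium.
EXAMPLE_POLICY = RaGuardPolicy(
    ra_prefix_list=[("2001:db8:10::/48", "allow")],
    ra_macaddr_list=[("00:11:22:33:44:55", "allow")],
    hop_limit_minimum=1,
    hop_limit_maximum=64,
    router_preference_maximum="medium",
)
# Constructed sample RAs: one from the authorized router, one advertising an unknown prefix.
LEGIT_RA = RaPacket("00:11:22:33:44:55", "fe80::1", ["2001:db8:10:1::/64"], False, 64, "medium")
ROGUE_RA = RaPacket("00:aa:bb:cc:dd:ee", "fe80::2", ["2001:db8:99::/64"], False, 64, "high")

if __name__ == "__main__":
    for name, ra in (("legitimate", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(name, evaluate(EXAMPLE_POLICY, ra))
```

Running the module prints the verdict for each constructed RA; the policy with no options set forwards everything, which is the "all checks bypassed" default the variable definitions describe, and a srcaddr list whose only entry is "0::0/0" with Allow shows the default flipping from Drop to Allow.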