| Feature | Product | Release introduced |
|---|---|---|
| IPv6 Router Advertisement (RA) Guard | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | VSP 4450 Series | VOSS 5.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 5.0 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 5.0 |
| | VSP 8400 Series | VOSS 5.0 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |

IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network through ICMPv6 router discovery messages. When the host is connected to the network for the first time, it sends a link-local router solicitation multicast request for its configuration parameters. If the host is configured correctly, routers respond to the request with a Router Advertisement (RA) packet. The RA packet contains network-layer configuration parameters.
In addition to filtering RAs, RA Guard introduces the concept of a router authorization proxy. Instead of each node on the link analyzing RAs and making an individual decision, a legitimate node-in-the-middle performs the analysis on behalf of all other nodes on the link.
Stateless and stateful RA Guard functions are available. The switch supports only the stateless RA Guard function.
Stateless RA Guard examines incoming RAs and decides whether to forward or block them based on the information found in the message or in the Layer 2 device configuration. The following list identifies the typical information available in the received frames that is used for RA validation:

- Port on which the frame is received
- Source IPv6 address
- Prefix list that the RA carries
- Link-layer address of the sender

After the Layer 2 device successfully validates the RA packet content against the configuration, the RA is forwarded to its destination, whether unicast or multicast. If the validation fails, the RA is dropped at the Layer 2 device.
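
The stateless decision described above can be sketched as follows. This is an added example, not VOSS code or configuration: the function names, the `POLICY` structure, the port labels and all addresses are assumptions, and the RA bytes are constructed inline following the RFC 4861 option layout.

```python
import ipaddress
import struct

def parse_ra(icmp6):
    """Return (SLLA MAC or None, [advertised prefixes]) from an ICMPv6 RA."""
    if len(icmp6) < 16 or icmp6[0] != 134:        # 134 = Router Advertisement
        raise ValueError("not an RA")
    mac, prefixes, off = None, [], 16             # options follow 16-byte header
    while off < len(icmp6):
        olen = icmp6[off + 1] * 8 if off + 2 <= len(icmp6) else 0
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option")
        opt = icmp6[off:off + olen]
        if opt[0] == 1 and olen == 8:             # Source Link-Layer Address
            mac = opt[2:8].hex(":")
        elif opt[0] == 3 and olen == 32:          # Prefix Information
            prefixes.append(ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False))
        off += olen
    return mac, prefixes

def ra_guard(port, src_ip, src_mac, icmp6, policy):
    """Stateless decision for one received RA: 'forward' or 'drop'."""
    rule = policy.get(port)
    if rule is None:                              # port not authorized for routers
        return "drop"
    try:
        opt_mac, prefixes = parse_ra(icmp6)
    except ValueError:                            # malformed RA or bad prefix length
        return "drop"
    # Both the frame's source MAC and the SLLA option (if present) must be allowed.
    macs = {src_mac.lower()} | ({opt_mac} if opt_mac else set())
    ok = (ipaddress.IPv6Address(src_ip) in rule["sources"]
          and macs <= rule["macs"]
          and all(p in rule["prefixes"] for p in prefixes))
    return "forward" if ok else "drop"

def build_ra(mac, prefix):
    """Constructed sample RA (checksum left 0; it is not verified here)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + slla + pio + net.network_address.packed

# Hypothetical policy: only port "1/1" faces a legitimate router.
POLICY = {"1/1": {"sources": {ipaddress.IPv6Address("fe80::1")},
                  "macs": {"00:11:22:33:44:55"},
                  "prefixes": {ipaddress.IPv6Network("2001:db8:1::/64")}}}

if __name__ == "__main__":
    good = build_ra("00:11:22:33:44:55", "2001:db8:1::/64")
    print(ra_guard("1/1", "fe80::1", "00:11:22:33:44:55", good, POLICY))
    print(ra_guard("1/7", "fe80::1", "00:11:22:33:44:55", good, POLICY))
```

Every check uses only the received frame and static configuration, which is what makes the function stateless: no RA learned earlier influences the decision.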