RA Guard

Table 1. IPv6 Router Advertisement (RA) Guard product support

Feature

Product

Release introduced

IPv6 Router Advertisement (RA) Guard

5420 Series

VOSS 8.4

5520 Series

VOSS 8.2.5

VSP 4450 Series

VOSS 5.0

VSP 4900 Series

VOSS 8.1

VSP 7200 Series

VOSS 5.0

VSP 7400 Series

VOSS 8.0

VSP 8200 Series

VOSS 5.0

VSP 8400 Series

VOSS 5.0

VSP 8600 Series

Not Supported

XA1400 Series

Not Supported

IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network through ICMPv6 router discovery messages. When the host is connected to the network for the first time, it sends a link-local router solicitation multicast request for its configuration parameters. If the host is configured correctly, routers respond to the request with a Router Advertisement (RA) packet. The RA packet contains network-layer configuration parameters.

In addition to filtering RAs, RA Guard introduces the concept of router authorization proxy. Instead of each node on the link analyzing RAs and making an individual decision, a legitimate node-in-the-middle performs the analysis on behalf of all other nodes on the link.

Stateless and statefull RA Guard functions are available. The switch supports only the stateless RA Guard function.

Stateless RA Guard examines incoming RAs and decides whether to forward or block them based on the information found in the message or in the Layer 2 device configuration. The following list identifies the typical information available in the received frames that are used for RA validation:

After the Layer 2 device successfully validates the RA packet content against the configuration, the RA is forwarded to its destination, whether unicast or multicast. If the validation fails, the RA is dropped at the Layer 2 device.