Cisco Systems 4500 Switch User Manual


47-44
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 47 Configuring Network Security with ACLs
Configuring RA Guard
obtained from the observed source address of the Router-Advertisement (RA) message. However, in
some networks, invalid RAs are observed. This may happen because of misconfigurations or malicious
attacks on the network.
Devices acting as rogue routers may send illegitimate RAs. When using IPv6 within a single Layer 2
network segment, you can enable Layer 2 devices to drop rogue RAs before they reach end-nodes.
RA Guard examines incoming Router-Advertisement and Router-Redirect packets and decides whether
to switch or block them based solely on information found in the message and in the Layer 2 device
configuration.
You can configure RA Guard in two modes (host and router) based on the device connected to the port.
• Host mode—All the Router-Advertisement and Router-Redirect messages are disallowed on the
port.
• Router mode—All messages (RA/RS/Redirect) are allowed on the port; only host mode is
supported.
You can configure Catalyst 4500 host ports to allow or disallow RA messages. Once a port is configured
to disallow the Router-Advertisement and Router-Redirect packets, it filters the content of the received
frames on that port and blocks Router-Advertisement or Router-Redirect frames.
When RA Guard is configured on a port, the following packets are dropped in hardware:
• Router-Advertisement packets—IPv6 ICMP packets with ICMP type = 134
• Router-Redirect packets—IPv6 ICMP packets with ICMP type = 137
Per-port RA Guard ACL statistics are supported and displayed when you enter the show ipv6 snooping
counters interface command. The statistics output displays the number of packets that have been
dropped per port by RA Guard.
Note Beginning with Cisco IOS Release 15.0(2)SG, per-port RA Guard ACL statistics are supported and
displayed when you enter the show ipv6 snooping counters interface command. (Prior to this release,
you enter the show ipv6 first-hop counters interface command.)
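The following is an added example, not code from the Cisco guide or from IOS: a small Python model of the port policy described above, so that the host/router mode rules, the ICMPv6 type 134/137 filter and the per-port drop statistics can be exercised offline. It assumes plain IPv6/ICMPv6 packets with no extension headers, and the port names and addresses in it are constructed placeholders.

```python
# Added example (not from the Cisco guide): a model of the RA Guard port
# policy, so the host/router mode rules and per-port drop statistics can be
# exercised offline. All packets and port names here are constructed.
import struct
from collections import Counter

IPV6_NEXT_HEADER_ICMPV6 = 58
ICMPV6_ROUTER_SOLICIT = 133
ICMPV6_ROUTER_ADVERT = 134
ICMPV6_REDIRECT = 137
# The two ICMPv6 types RA Guard drops on a host-mode port.
RA_GUARD_DROP_TYPES = {ICMPV6_ROUTER_ADVERT, ICMPV6_REDIRECT}


def icmpv6_type(packet: bytes):
    """Return the ICMPv6 type of an IPv6 packet, or None if it is not a plain
    IPv6/ICMPv6 packet (assumption: no IPv6 extension headers present)."""
    if len(packet) < 41 or packet[0] >> 4 != 6:
        return None
    if packet[6] != IPV6_NEXT_HEADER_ICMPV6:  # Next Header field
        return None
    return packet[40]  # first byte after the 40-byte IPv6 header


def build_icmpv6_packet(icmp_type: int) -> bytes:
    """Build a minimal constructed IPv6 packet carrying an ICMPv6 header
    (fe80::1 -> ff02::1, checksum left at zero; enough for classification)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPV6_NEXT_HEADER_ICMPV6, 255)
    return ipv6 + src + dst + icmp


class RaGuard:
    """Per-port RA Guard: 'host' ports drop RA (134) and Redirect (137),
    'router' ports forward everything, unconfigured ports are untouched."""

    def __init__(self):
        self.port_mode = {}
        self.dropped = Counter()  # per-port drop count, like the counters display

    def configure(self, port: str, mode: str):
        if mode not in ("host", "router"):
            raise ValueError("mode must be 'host' or 'router'")
        self.port_mode[port] = mode

    def forward(self, port: str, packet: bytes) -> bool:
        """True if the frame is switched, False if RA Guard drops it."""
        if self.port_mode.get(port) != "host":
            return True
        if icmpv6_type(packet) in RA_GUARD_DROP_TYPES:
            self.dropped[port] += 1
            return False
        return True
```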
Deployment
Figure 47-10 illustrates a deployment scenario for RA Guard. We drop RA packets from ports that are
connected to hosts and permit RA packets from ports connected to the Router.