Support for Router Advertisement (RA) Guard


The IPv6 RA Guard feature allows the network administrator to block or reject unwanted or rogue RA messages arriving at the network device platform. RAs are used by routers to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs sent by unauthorized devices. In host mode, no RA or router redirect messages are allowed on the port. The RA Guard feature compares configuration information on the Layer 2 (L2) device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame or router redirect frame against the configuration, it forwards the RA to the unicast or multicast destination. If the RA frame content cannot be validated, the RA is dropped.


Note: Internal ports and cluster ports are not blacklisted.




 

Figure 1 - Router Advertisement (RA) Configuration


In Figure 1, the Layer 2 device receives an RA from the router and floods it on its ports. The attacker host, attempting to gain control over the network, sends a misleading RA carrying different prefixes and link-local or global IP addresses. Depending on router priority or arrival order, the host assumes the attacker to be the router. When you configure RA Guard, you can use RA policies to disallow any RAs arriving on ports connected to hosts. The RA sent by the legitimate router is whitelisted by the configured policies, which match its ingress port, source IP address, and prefixes.


To configure the RA Guard feature, follow these steps:


  1. Create an access list using the access-list-create command.
  2. Create a prefix list using the prefix-list-create command.
  3. Create the IPv6 security profile using the ipv6security-raguard-create command, referencing the access list and prefix list created above.

 

This creates two vFlows for RA Guard:


  • One vFlow drops RAs sent by devices with the role host as assigned using the ipv6security-raguard-create command.
  • The second vFlow sends RAs to the CPU on qualified ports or VLANs with the action, to-cpu, and the device role as router.


Received RAs are examined and the necessary action is taken based on the access and prefix lists or the port and VLAN policies. An RA that passes these checks is accepted and flooded back to all ports.
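To make the validation path concrete, here is an added Python model of the decision described above (example code, not Netvisor's implementation). The Policy and RouterAdvertisement classes, the policy names and the addresses are constructed assumptions; prefix-list entries are modelled as IPv6 networks rather than the network/netmask pair the CLI takes.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network


@dataclass
class Policy:
    """One ipv6security-raguard policy: device role plus its access and prefix lists."""
    name: str
    device: str                                      # "host" or "router"
    access_list: set = field(default_factory=set)    # whitelisted RA source addresses
    prefix_list: list = field(default_factory=list)  # whitelisted networks (IPv6Network)


@dataclass
class RouterAdvertisement:
    """Summary of the fields RA Guard inspects in a received RA frame (constructed)."""
    source: IPv6Address
    prefixes: list                                   # advertised IPv6Network objects


def ra_guard_decision(policy: Policy, ra: RouterAdvertisement) -> str:
    """Return 'drop' or 'flood' for an RA arriving on a port bound to `policy`.
    Host role: the first vFlow drops every RA (and router redirect) outright.
    Router role: the second vFlow hands the frame to the CPU, which floods it only
    if the source is whitelisted and every prefix lies inside an allowed network.
    """
    if policy.device == "host":
        return "drop"
    if policy.access_list and ra.source not in policy.access_list:
        return "drop"                                # source not in the access list
    for prefix in ra.prefixes:
        if policy.prefix_list and not any(prefix.subnet_of(n) for n in policy.prefix_list):
            return "drop"                            # prefix not covered by the prefix list
    return "flood"                                   # validated: flooded to all ports


def demo() -> dict:
    """Constructed Figure 1 scenario: legitimate router RA versus a rogue RA."""
    router_policy = Policy("uplink", "router",
                           access_list={IPv6Address("fe80::1")},
                           prefix_list=[IPv6Network("2001:db8:10::/48")])
    host_policy = Policy("access", "host")
    good = RouterAdvertisement(IPv6Address("fe80::1"), [IPv6Network("2001:db8:10:1::/64")])
    rogue = RouterAdvertisement(IPv6Address("fe80::bad"), [IPv6Network("2001:db8:10:1::/64")])
    return {
        "router_port_good": ra_guard_decision(router_policy, good),   # 'flood'
        "router_port_rogue": ra_guard_decision(router_policy, rogue),  # 'drop'
        "host_port_any": ra_guard_decision(host_policy, good),         # 'drop'
    }
```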


There are new commands to support this feature:


CLI (network-admin@Spine1) >  access-list-create


name name-string

Specify a name for the access list.

scope scope 

Specify if the scope is local or fabric.


CLI (network-admin@Spine1) >  access-list-delete name name-string


name name-string

Specify the name for the access list to delete.

scope scope 

Specify if the scope is local or fabric.


CLI (network-admin@Spine1) >  access-list-show


switch   name scope
-------- ---- -----
dorado03 test local



CLI (network-admin@Spine1) >  access-list-ip-add


name name-string

Specify a name for the access list.

ip ip-address

Specify the IP address for the access list.



CLI (network-admin@Spine1) >  access-list-ip-delete name name-string ip ip-address

 


CLI (network-admin@Spine1) >  access-list-ip-show


switch   name ip
-------- ---- -------
dorado03 test 1.1.1.4


CLI (network-admin@Spine1) >  prefix-list-create


name name-string

Specify a name for the prefix list.

scope scope 

Specify if the scope is local or fabric.



CLI (network-admin@Spine1) >  prefix-list-delete name name-string



CLI (network-admin@Spine1) >  prefix-list-show


name name-string

Displays the name for the prefix list.

scope scope 

Displays if the scope is local or fabric.



CLI (network-admin@Spine1) >  prefix-list-network-add


name name-string

Specify the name for the prefix network list.

network ip-address

Specify the IP address for the network.

netmask netmask

Specify the netmask.



CLI (network-admin@Spine1) >  prefix-list-network-delete name name-string



CLI (network-admin@Spine1) >  prefix-list-network-show


name name-string

Displays the name for the prefix network list.

network ip-address

Displays the IP address for the network.

netmask netmask

Displays the netmask.



CLI (network-admin@Spine1) >  ipv6security-raguard-create


name name-string

Specify the RA policy name.

device host|router

Specify the type of device as host or router.

router-priority low|medium|high

Specify the router priority as low, medium, or high.

access-list name-string

Specify the access list name.

prefix-list name-string

Specify the prefix list name.



CLI (network-admin@Spine1) >  ipv6security-raguard-delete


name name-string

Specify the RA policy name.



CLI (network-admin@Spine1) >  ipv6security-raguard-modify


name name-string

Specify the RA policy name.

device host|router

Specify the type of device as host or router.

router-priority low|medium|high

Specify the router priority as low, medium, or high.

access-list name-string

Specify the access list name.

prefix-list name-string

Specify the prefix list name.



CLI (network-admin@Spine1) >  ipv6security-raguard-show


name name-string

Displays the RA policy name.

device host|router

Displays the type of device as host or router.

router-priority low|medium|high

Displays the router priority as low, medium, or high.

access-list name-string

Displays the access list name.

prefix-list name-string

Displays the prefix list name.



CLI (network-admin@Spine1) >  ipv6security-raguard-port-add


name name-string

Specify the name of the RA Guard policy to which the ports are added.

ports port-list

Specify the list of ports to add to the policy.



CLI (network-admin@Spine1) >  ipv6security-raguard-port-remove


name name-string

Specify the name of the RA Guard policy from which the ports are removed.

ports port-list

Specify the list of ports to remove from the policy.



CLI (network-admin@Spine1) >  ipv6security-raguard-port-show


name name-string

Displays the name of the RA Guard policy.

ports port-list

Displays the list of ports.



CLI (network-admin@Spine1) >  ipv6security-raguard-vlan-add


name name-string

Specify the name of the RA Guard policy to which the VLANs are added.

vlans vlan-id

Specify the VLANs to add to the policy.



CLI (network-admin@Spine1) >  ipv6security-raguard-vlan-remove


name name-string

Specify the name of the RA Guard policy from which the VLANs are removed.

vlans vlan-id

Specify the VLANs to remove from the policy.



CLI (network-admin@Spine1) >  ipv6security-raguard-vlan-show


name name-string

Displays the name of the RA Guard policy.

vlans vlan-id

Displays the VLANs assigned to the policy.