About Router Advertisement (RA) Guard
The IPv6 RA Guard feature allows a network administrator to block or reject unwanted or rogue Router Advertisement (RA) messages by filtering them on the switch before they reach their targets.
Router advertisements are used by IPv6 devices to announce themselves on a link. The IPv6 RA Guard feature analyzes these RAs and filters them out when sent by unauthorized devices.
When a port is configured in host mode, no router advertisements or redirect messages are allowed on it. The RA Guard feature compares the configuration information on the switch with the information found in the received RA frame. Once the switch has validated the content of a router advertisement or router redirect frame against the configuration, it forwards the frame to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.
Note: Internal ports and cluster ports are not blacklisted.
Figure 15-2 - Router Advertisement (RA) Configuration
In Figure 12-6 above, the switch receives an RA from the router and floods it out its ports. The attacker, attempting to gain control over the network, sends a misleading RA with different prefixes and link-local or global IP addresses. Any receiving host would then assume the attacker to be the router, depending on router priority or arrival order.
By configuring RA Guard policies, the user can disallow any RAs sent from ports connected to untrusted devices. Instead, the RAs sent by a known good router, along with its source IP address and prefixes, should be whitelisted by the RA Guard policies defined by the user. For more details and an example of configuration, refer to the Configuring Router Advertisement Guard section.
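As an added illustration (not code from this guide or from the switch itself), the following Python model applies the decision logic described above to a few constructed RA frames: host-mode ports drop every RA and redirect, router-mode ports forward only frames whose source address and advertised prefixes are whitelisted, and ports without a policy are left alone. The port names, addresses, prefixes and policy field names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List, Set, Tuple

ICMPV6_RA, ICMPV6_REDIRECT = 134, 137  # ICMPv6 message types RA Guard inspects

@dataclass
class Icmp6Frame:
    """Fields of a received RA/redirect that the policy compares (constructed model)."""
    ingress_port: str
    msg_type: int
    src_ip: IPv6Address                                         # link-local source
    prefixes: List[IPv6Network] = field(default_factory=list)  # Prefix Information options

@dataclass
class RaGuardPolicy:
    """Per-port policy: 'host' allows nothing, 'router' whitelists a source and prefixes."""
    mode: str
    allowed_sources: Set[IPv6Address] = field(default_factory=set)
    allowed_prefixes: Set[IPv6Network] = field(default_factory=set)

def ra_guard(frame: Icmp6Frame, policies: Dict[str, RaGuardPolicy]) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one frame, following the text above."""
    policy = policies.get(frame.ingress_port)
    if policy is None:                 # internal/cluster ports carry no policy: not blacklisted
        return "forward", "no RA Guard policy on port"
    if policy.mode == "host":          # host mode: no RA or redirect is allowed at all
        return "drop", "RA/redirect received on host-mode port"
    if frame.src_ip not in policy.allowed_sources:
        return "drop", f"source {frame.src_ip} not whitelisted"
    if frame.msg_type == ICMPV6_RA:    # every advertised prefix must be whitelisted too
        bad = [str(p) for p in frame.prefixes if p not in policy.allowed_prefixes]
        if bad:
            return "drop", "prefix(es) not whitelisted: " + ", ".join(bad)
    return "forward", "content matches RA Guard policy"

# Constructed policies: uplink 1/1 trusts one router; access port 1/3 is in host mode.
GOOD_ROUTER, GOOD_PREFIX = IPv6Address("fe80::1"), IPv6Network("2001:db8:1::/64")
ROGUE_PREFIX = IPv6Network("2001:db8:66::/64")
POLICIES = {"1/1": RaGuardPolicy("router", {GOOD_ROUTER}, {GOOD_PREFIX}),
            "1/3": RaGuardPolicy("host")}

# Constructed frames: the router's RA, an attacker's RA on an access port, and an RA on the
# uplink that carries an extra prefix the policy does not know.
LEGIT_RA = Icmp6Frame("1/1", ICMPV6_RA, GOOD_ROUTER, [GOOD_PREFIX])
ROGUE_RA = Icmp6Frame("1/3", ICMPV6_RA, IPv6Address("fe80::bad"), [ROGUE_PREFIX])
SPOOFED_RA = Icmp6Frame("1/1", ICMPV6_RA, GOOD_ROUTER, [GOOD_PREFIX, ROGUE_PREFIX])
```

Calling `ra_guard(frame, POLICIES)` on each constructed frame returns the verdict and the reason a switch log would typically record.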