Configuring Router Advertisement Guard
The IPv6 RA Guard feature requires the creation of a filter for addresses and prefixes in order to apply a security profile to RA messages.
To configure the RA Guard feature, follow these steps:
- Create an access list using the command: access-list-create.
- Create a prefix list using the command: prefix-list-create.
- Create an IPv6 security profile using the command: ipv6security-raguard-create.
This configuration installs two vFlow entries specific for RA Guard:
- One vFlow entry drops RAs sent by devices with the role of host as assigned using the ipv6security-raguard-create command.
- The second vFlow entry sends RAs to the CPU on ports configured with the role of router.
The router advertisements are received and examined, then the necessary action is taken based on the access and prefix lists, or on port and VLAN policies. A permitted router advertisement is flooded to its destination ports.
These are the commands to configure RA Guard:
CLI (network-admin@switch) > access-list-create
|
name name-string |
Specify a name for the access list. |
|
scope scope |
Specify if the scope is local or fabric. |
CLI (network-admin@switch) > access-list-delete name name-string
|
name name-string |
Specify the name for the access list to delete. |
CLI (network-admin@switch) > access-list-show
switch name scope
------ ---- -----
spine1 test local
CLI (network-admin@switch) > access-list-ip-add
|
name name-string |
Specify a name for the access list. |
|
ip ip-address |
Specify the IP address for the access list. |
CLI (network-admin@switch) > access-list-ip-delete name name-string ip ip-address
CLI (network-admin@switch) > access-list-ip-show
switch name ip
-------- ---- -------
spine1 test 1.1.1.4
CLI (network-admin@switch) > prefix-list-create
|
name name-string |
Specify a name for the prefix list. |
|
scope scope |
Specify if the scope is local or fabric. |
CLI (network-admin@switch) > prefix-list-delete name name-string
CLI (network-admin@switch) > prefix-list-show
|
name name-string |
Displays the name for the prefix list. |
|
scope scope |
Displays if the scope is local or fabric. |
CLI (network-admin@switch) > prefix-list-network-add
|
name name-string |
Specify the name for the prefix network list. |
|
network ip-address |
Specify the IP address for the network. |
|
netmask netmask |
Specify the netmask. |
CLI (network-admin@switch) > prefix-list-network-delete name name-string
CLI (network-admin@switch) > prefix-list-network-show
|
name name-string |
Displays the name for the prefix network list. |
|
network ip-address |
Displays the IP address for the network. |
|
netmask netmask |
Displays the netmask. |
CLI (network-admin@switch) > ipv6security-raguard-create
|
name name-string |
Specify the RA policy name. |
|
device host|router |
Specify the type of device as host or router. |
|
router-priority low|medium|high |
Specify the router priority as low, medium, or high. |
|
access-list name-string |
Specify the access list name. |
|
prefix-list name-string |
Specify the prefix list name. |
CLI (network-admin@switch) > ipv6security-raguard-delete
|
name name-string |
Specify the RA policy name. |
CLI (network-admin@switch) > ipv6security-raguard-modify
|
name name-string |
Specify the RA policy name. |
|
device host|router |
Specify the type of device as host or router. |
|
router-priority low|medium|high |
Specify the router priority as low, medium, or high. |
|
access-list name-string |
Specify the access list name. |
|
prefix-list name-string |
Specify the prefix list name. |
CLI (network-admin@switch) > ipv6security-raguard-show
|
name name-string |
Displays the RA policy name. |
|
device host|router |
Displays the type of device as host or router. |
|
router-priority low|medium|high |
Displays the router priority as low, medium, or high. |
|
access-list name-string |
Displays the access list name. |
|
prefix-list name-string |
Displays the prefix list name. |
CLI (network-admin@switch) > ipv6security-raguard-port-add
|
name name-string |
Specify the name of the RA Guard policy to add ports. |
|
ports port-list |
Specify the list of ports to add to the policy. |
CLI (network-admin@switch) > ipv6security-raguard-port-remove
|
name name-string |
Specify the name of the RA Guard policy to remove ports. |
|
ports port-list |
Specify the list of ports to remove from the policy. |
CLI (network-admin@switch) > ipv6security-raguard-port-show
|
name name-string |
Displays the name of the RA Guard policy. |
|
ports port-list |
Displays the list of ports. |
CLI (network-admin@switch) > ipv6security-raguard-vlan-add
|
name name-string |
Specify the name of the RA Guard policy to add VLANs. |
|
vlans vlan-id |
Specify the VLANs to add to the policy. |
CLI (network-admin@switch) > ipv6security-raguard-vlan-remove
|
name name-string |
Specify the name of the RA Guard policy to remove VLANs. |
|
vlans vlan-id |
Specify the VLANs to remove from the policy. |
CLI (network-admin@switch) > ipv6security-raguard-vlan-show
|
name name-string |
Displays the name of the RA Guard policy to add VLANs. |
|
vlans vlan-id |
Displays the VLANs to add to the policy. |