Configuring Router Advertisement Guard



The IPv6 RA Guard feature requires an address filter (access list) and a prefix filter (prefix list); a security profile then applies these filters to RA messages.


To configure the RA Guard feature, follow these steps:

 

  1. Create an access list using the command: access-list-create.
  2. Create a prefix list using the command: prefix-list-create.
  3. Create an IPv6 security profile using the command: ipv6security-raguard-create.

 

This configuration installs two vFlow entries specific to RA Guard:


  • One vFlow entry drops RAs sent by devices with the role of host, as assigned using the ipv6security-raguard-create command.
  • The second vFlow entry sends RAs received on ports configured with the role of router to the CPU.


The router advertisements sent to the CPU are examined, and the necessary action is taken based on the access and prefix lists, or on the port and VLAN policies. A permitted router advertisement is flooded to its destination ports.
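The examination step above, as an added example that is not Netvisor code: a role check on the ingress port, the RA source checked against the access list, and every advertised prefix checked against the prefix list, with an unparseable RA dropped. The list and profile names, addresses and the RA bytes are all constructed here.

```python
import ipaddress
import struct

# Constructed policy objects mirroring the page's access list, prefix list and
# RA Guard profile (hypothetical names, not Netvisor's own data model).
ACCESS_LISTS = {"ra-routers": {ipaddress.IPv6Address("fe80::1")}}
PREFIX_LISTS = {"ra-prefixes": [ipaddress.IPv6Network("2001:db8:10::/64")]}
ROUTER_PROFILE = {"name": "raguard1", "device": "router",
                  "access-list": "ra-routers", "prefix-list": "ra-prefixes"}

def parse_ra_prefixes(icmpv6):
    """Networks in the Prefix Information options (type 3) of an ICMPv6 Router
    Advertisement (type 134); ValueError on anything malformed."""
    if len(icmpv6) < 16 or icmpv6[0] != 134:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16                   # options follow the 16-byte header
    while off < len(icmpv6):
        opt_len = icmpv6[off + 1] * 8 if off + 2 <= len(icmpv6) else 0
        if opt_len == 0 or off + opt_len > len(icmpv6):
            raise ValueError("malformed or truncated option")
        if icmpv6[off] == 3 and opt_len == 32:
            plen = icmpv6[off + 2]
            addr = ipaddress.IPv6Address(icmpv6[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += opt_len
    return prefixes

def raguard_decision(profile, src_addr, icmpv6):
    """'drop' or 'flood' for one RA: port role first, then the source against
    the access list, then every advertised prefix against the prefix list."""
    if profile["device"] == "host":
        return "drop"                        # host-role ports never send RAs
    if ipaddress.IPv6Address(src_addr) not in ACCESS_LISTS[profile["access-list"]]:
        return "drop"
    try:
        advertised = parse_ra_prefixes(icmpv6)
    except ValueError:
        return "drop"                        # unparseable RAs are not flooded
    allowed = PREFIX_LISTS[profile["prefix-list"]]
    if all(any(p.subnet_of(a) for a in allowed) for p in advertised):
        return "flood"
    return "drop"

def build_ra(prefix, lifetime=1800):
    """Constructed RA: 16-byte header plus one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + net.network_address.packed
```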

 

These are the commands to configure RA Guard:


CLI (network-admin@switch) > access-list-create

name name-string

Specify a name for the access list.

scope local|fabric

Specify if the scope is local or fabric.

 

CLI (network-admin@switch) > access-list-delete name name-string

 

name name-string

Specify the name for the access list to delete.

 

CLI (network-admin@switch) > access-list-show

 

switch name scope
------ ---- -----
spine1 test local

 

 

CLI (network-admin@switch) > access-list-ip-add

 

name name-string

Specify a name for the access list.

ip ip-address

Specify the IP address for the access list.

 

CLI (network-admin@switch) > access-list-ip-delete name name-string ip ip-address

 

CLI (network-admin@switch) > access-list-ip-show

 

switch   name ip
-------- ---- -------
spine1   test 1.1.1.4

 

CLI (network-admin@switch) > prefix-list-create

 

name name-string

Specify a name for the prefix list.

scope local|fabric

Specify if the scope is local or fabric.

 

CLI (network-admin@switch) > prefix-list-delete name name-string

 

CLI (network-admin@switch) > prefix-list-show

 

name name-string

Displays the name for the prefix list.

scope local|fabric

Displays whether the scope is local or fabric.

 

CLI (network-admin@switch) > prefix-list-network-add

 

name name-string

Specify the name of the prefix list to add the network to.

network ip-address

Specify the IP address for the network.

netmask netmask

Specify the netmask.

 

CLI (network-admin@switch) > prefix-list-network-delete name name-string

 

CLI (network-admin@switch) > prefix-list-network-show

 

name name-string

Displays the name of the prefix list.

network ip-address

Displays the IP address for the network.

netmask netmask

Displays the netmask.

 

CLI (network-admin@switch) > ipv6security-raguard-create

 

name name-string

Specify the RA policy name.

device host|router

Specify the type of device as host or router.

router-priority low|medium|high

Specify the router priority as low, medium, or high.

access-list name-string

Specify the access list name.

prefix-list name-string

Specify the prefix list name.

 

CLI (network-admin@switch) > ipv6security-raguard-delete

 

name name-string

Specify the RA policy name.

 

CLI (network-admin@switch) > ipv6security-raguard-modify

 

name name-string

Specify the RA policy name.

device host|router

Specify the type of device as host or router.

router-priority low|medium|high

Specify the router priority as low, medium, or high.

access-list name-string

Specify the access list name.

prefix-list name-string

Specify the prefix list name.

 

CLI (network-admin@switch) > ipv6security-raguard-show

 

name name-string

Displays the RA policy name.

device host|router

Displays the type of device as host or router.

router-priority low|medium|high

Displays the router priority as low, medium, or high.

access-list name-string

Displays the access list name.

prefix-list name-string

Displays the prefix list name.

 

CLI (network-admin@switch) > ipv6security-raguard-port-add

 

name name-string

Specify the name of the RA Guard policy to add ports to.

ports port-list

Specify the list of ports to add to the policy.

 

CLI (network-admin@switch) > ipv6security-raguard-port-remove

 

name name-string

Specify the name of the RA Guard policy to remove ports from.

ports port-list

Specify the list of ports to remove from the policy.

 

CLI (network-admin@switch) > ipv6security-raguard-port-show

 

name name-string

Displays the name of the RA Guard policy.

ports port-list

Displays the list of ports.

 

CLI (network-admin@switch) > ipv6security-raguard-vlan-add

 

name name-string

Specify the name of the RA Guard policy to add VLANs to.

vlans vlan-id

Specify the VLANs to add to the policy.

 

CLI (network-admin@switch) > ipv6security-raguard-vlan-remove

 

name name-string

Specify the name of the RA Guard policy to remove VLANs from.

vlans vlan-id

Specify the VLANs to remove from the policy.

 

CLI (network-admin@switch) > ipv6security-raguard-vlan-show

 

name name-string

Displays the name of the RA Guard policy.

vlans vlan-id

Displays the VLANs assigned to the policy.
