Users Guide
This feature applies only to environments where all messages between IPv6 end devices traverse an RA guard-enabled Layer 2 (L2) switch.
It is not supported if the end devices communicate directly, without passing through an RA guard-capable L2 device.
Limitations
● RA guard validation is not applicable for IPv6-tunneled RA packets.
● This feature is supported only in the ingress direction and not supported at egress.
● OS10 does not validate IPv6 unicast RA packets that include extension headers or fragmented IPv6 unicast RA packets.
Configuration notes
● If you enable both the IPv6 RA guard and port security features on the same interface, ensure that you do not use the flood
option.
● IPv6 RA guard policy takes precedence over the Access Control List (ACL) that is applied on the interface.
Configure IPv6 RA guard
This section describes how to configure IPv6 RA guard.
Enable the IPv6 RA guard feature globally. Create a policy and specify a list of parameters to validate against the contents of
the RA guard packets. Apply the policy to the specific interfaces.
1. Enable IPv6 RA guard.
OS10(config)# ipv6 nd ra-guard enable
2. Create an IPv6 RA guard policy.
OS10(config)# ipv6 nd ra-guard policy ra-guard-test-policy
3. Configure the device role to apply the IPv6 RA guard policy to an interface.
OS10(conf-ra_guard_policy_list)# device-role router
4. If this command is set to off, the system verifies that the advertised managed configuration parameter is set to off in the RA
packet, and vice versa.
If this flag is set to off, OS10 skips the validation process.
OS10(conf-ra_guard_policy_list)# managed-config-flag on
5. (Optional) Create an IPv6 prefix, access, or MAC list. This list specifies the condition that is validated against the RA guard
packet that is received. You can optionally use an existing IPv6 prefix, access, or MAC list.
OS10(config)# ipv6 prefix-list example_prefix_list deny 10::/64
OS10(config)# ipv6 access-list example-access-list
OS10(config-ipv6-acl)# permit udp any any capture session 1
OS10(config-ipv6-acl)# exit
OS10(config)# mac access-list example-maclist
OS10(config-mac-acl)# permit 00:00:00:00:11:11 00:00:11:11:11:11 any vlan 1
OS10(config-mac-acl)# permit 00:00:00:00:11:11 00:00:11:11:11:11 any cos 7
OS10(config-mac-acl)# exit
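The following Python sketch is an added example, not Dell or OS10 code. It models offline how a raw IPv6 packet would fare against the managed-config-flag setting and the prefix list configured above, and reports packets that fall under the listed limitations as not validated. The names build_ra, check_ra and POLICY are hypothetical; treating an unconfigured flag as "no check", and prefix-list matching as first exact match with unmatched prefixes passing, are assumptions of the sketch.

```python
import ipaddress
import struct

ICMPV6, RA_TYPE, PREFIX_INFO = 58, 134, 3

def build_ra(m_flag, prefix, next_header=ICMPV6):
    """Constructed sample data: an IPv6 packet carrying one RA with one prefix option."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64,
                     0x80 if m_flag else 0, 1800, 0, 0) + opt
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in ("fe80::1", "ff02::1"))
    return struct.pack("!IHBB", 6 << 28, len(ra), next_header, 255) + addrs + ra

def check_ra(packet, managed_config_flag=None, prefix_list=()):
    """Return (verdict, reason) for one raw IPv6 packet under a modelled policy."""
    if len(packet) < 40:
        return "malformed", "shorter than an IPv6 header"
    next_header = packet[6]
    if next_header != ICMPV6:
        # Page limitations: tunneled RAs and unicast RAs with extension headers or
        # fragments are not validated. This sketch does not walk header chains.
        return "not-validated", f"next header {next_header} is not ICMPv6"
    icmp = packet[40:]
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        return "not-ra", "packet is not a Router Advertisement"
    advertised = "on" if icmp[5] & 0x80 else "off"   # M bit of the RA flags byte
    # Assumption: managed_config_flag=None (not configured) means no check.
    if managed_config_flag and advertised != managed_config_flag:
        return "drop", f"M flag is {advertised}, policy expects {managed_config_flag}"
    pos = 16                                          # options follow the fixed RA header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            return "malformed", "bad option length"
        if opt_type == PREFIX_INFO and opt_len == 32:
            prefix = ipaddress.IPv6Network((icmp[pos + 16:pos + 32], icmp[pos + 2]), strict=False)
            # Assumption: first exact match wins; a prefix with no match passes.
            for action, entry in prefix_list:
                if prefix == ipaddress.IPv6Network(entry):
                    if action == "deny":
                        return "drop", f"prefix {prefix} denied by prefix list"
                    break
        pos += opt_len
    return "forward", "passes the configured checks"

# Mirrors "managed-config-flag on" and "ipv6 prefix-list ... deny 10::/64" from the steps above.
POLICY = {"managed_config_flag": "on", "prefix_list": [("deny", "10::/64")]}
if __name__ == "__main__":
    for m, pfx, nh in [(True, "2001:db8:1::/64", 58), (False, "2001:db8:1::/64", 58),
                       (True, "10::/64", 58), (True, "2001:db8:1::/64", 44)]:
        print(m, pfx, nh, check_ra(build_ra(m, pfx, nh), **POLICY))
```

A "not-validated" verdict marks traffic that the RA guard policy does not inspect, so such packets need a separate control, for example an ACL or monitoring on the same segment.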