Configuring ipv6 ra guard – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


the VLAN the ports are a part of. By default, all interfaces are configured as host ports. On a host port, all RAs are dropped when a policy is configured on the VLAN. Trusted ports are those that receive RAs from within the network; RAs received on a trusted port are allowed to pass through without being checked.

Depending on the configured policy settings, an RA packet is either forwarded through the interface or dropped. If you do not configure an RA guard policy on an untrusted or host port, all RAs are forwarded.

Configuration notes and feature limitations for IPv6 RA guard

• MAC filters and MAC-based VLANs are not supported with IPv6 RA guard.
• If an IPv6 ACL matching an ICMPv6 type RA packet is configured on an interface that is part of an RA guard-enabled VLAN, the RA guard policy configuration takes precedence.
• IPv6 RA guard does not offer protection in environments where IPv6 traffic is tunneled.
• IPv6 RA guard can be configured on a switch port interface in the ingress direction and is supported only in the ingress direction; it is not supported in the egress direction.

Configuring IPv6 RA guard

• (Optional) Configure the IPv6 prefix list using the ipv6 prefix-list command (for a Layer 3 device) to associate a prefix list with an RA guard policy. For more information, see the FastIron Ethernet Switch Layer 3 Routing Configuration Guide.
• Configure the enable acl-per-port-per-vlan command before you define an RA guard policy. For more information, see the FastIron Ethernet Switch Security Configuration Guide.

Configuring IPv6 RA guard includes the following steps:

1. Define an RA guard whitelist using the ipv6 raguard whitelist command. Add the IPv6 addresses of all sources whose RA packets may be forwarded. You can create a maximum of 64 whitelists, and each whitelist can have a maximum of 128 IPv6 address entries.

2. Define an RA guard policy using the ipv6 raguard policy command. You can configure a maximum of 256 RA guard policies.

3. Configure ports as trusted, untrusted, or host ports using the raguard command in the interface configuration mode.

4. Associate a whitelist with an RA guard policy using the whitelist command in the RA guard policy configuration mode. You can associate only one whitelist with an RA guard policy. If you do not associate a whitelist with an RA guard policy, all RA packets are dropped.

5. (Optional) (Only for Layer 3 devices) Associate an already defined prefix list with the RA guard policy using the prefix-list command in the RA guard policy configuration mode. You must provide the name of an IPv6 prefix list already configured using the ipv6 prefix-list command.

6. (Optional) Set the preference for RA packets using the preference-maximum command in the RA guard policy configuration mode.

7. Apply the RA guard policy to a VLAN using the ipv6 raguard vlan command in the global configuration mode. You can associate only one RA guard policy with a VLAN.

8. (Optional) Enable logging using the logging command in the RA guard policy configuration mode. When logging is enabled, the logs show which RAs were dropped and permitted, the count of dropped packets, and the reason for each drop. Logging increases CPU load; at higher traffic rates, RA packets received at line rate are dropped because of congestion.

9. (Optional) Verify the RA guard configuration using the show ipv6 raguard command.
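The following session puts the steps above together: it is an added example, not taken from the guide, that builds one whitelist and one policy, applies the policy to VLAN 10, and marks the router-facing uplink trusted and an access port untrusted. The names, VLAN number, port numbers and the fe80::1 router address are constructed; the exact argument syntax (whitelist numbers, the permit keyword, the trust/untrust/host keywords, the medium preference value, the policy keyword on ipv6 raguard vlan) and the prompt strings are assumptions to confirm against the command reference.

```text
! Prerequisite from the notes above: per-port-per-VLAN ACL support must be on first
device(config)# enable acl-per-port-per-vlan
! Step 1: whitelist holding the link-local address of the legitimate router (constructed)
device(config)# ipv6 raguard whitelist 1
device(config-ipv6-raguard-whitelist 1)# permit fe80::1
device(config-ipv6-raguard-whitelist 1)# exit
! Steps 2, 4, 6 and 8: policy that references the whitelist, caps router preference and logs drops
device(config)# ipv6 raguard policy rag-vlan10
device(config-ipv6-raguard-policy rag-vlan10)# whitelist 1
device(config-ipv6-raguard-policy rag-vlan10)# preference-maximum medium
device(config-ipv6-raguard-policy rag-vlan10)# logging
device(config-ipv6-raguard-policy rag-vlan10)# exit
! Step 3: uplink to the real router passes RAs unchecked; the access port is checked against the policy
device(config)# interface ethernet 1/1/1
device(config-if-e1000-1/1/1)# raguard trust
device(config-if-e1000-1/1/1)# exit
device(config)# interface ethernet 1/1/2
device(config-if-e1000-1/1/2)# raguard untrust
device(config-if-e1000-1/1/2)# exit
! Step 7: one policy per VLAN
device(config)# ipv6 raguard vlan 10 policy rag-vlan10
! Step 9: confirm the policy, whitelist and port roles took effect
device(config)# show ipv6 raguard
```

Two failure modes to look for in the show ipv6 raguard output: a policy with no whitelist associated drops every RA on untrusted ports, while a VLAN with no policy applied forwards them all.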

FastIron Ethernet Switch Security Configuration Guide, page 363, 53-1003088-03
