IPv6 RA Guard configuration and verification

Aruba Employee
Requirement:
  • IPv6 RA Guard is configured as part of port-level security. It is set in a port-security profile, which can be attached to any Layer 2 interface.
  • When RA Guard is enabled, RA packets received on the interface are dropped, and the port can also be shut down, depending on the interface configuration.
     


Solution:
  • A port can be automatically re-enabled by setting the auto-recovery option
  • A port can be manually re-enabled by using the clear command
  • The following RA messages are not filtered when RA Guard is enabled:

       a. Unicast RA messages with multiple extension headers
       b. Unicast RA messages that are fragmented

  • RA packets are allowed by default.
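
The two unfiltered cases listed above can be checked for on a monitoring host by walking the IPv6 header chain of captured packets. This is an added example, not Aruba code; `classify`, `ipv6` and the sample packets are hypothetical names and constructed inputs.

```python
import ipaddress

EXT = {0, 43, 60}               # hop-by-hop, routing, destination options
FRAG, ICMPV6, RA = 44, 58, 134  # fragment header, ICMPv6, RA message type

def classify(pkt: bytes) -> dict:
    """Walk the header chain of a raw IPv6 packet (no Ethernet header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, ext, frag, ra = pkt[6], 40, 0, False, False
    unicast = not ipaddress.IPv6Address(pkt[24:40]).is_multicast
    while nh in EXT or nh == FRAG:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        ext += 1
        size = 8 if nh == FRAG else (pkt[off + 1] + 1) * 8
        if nh == FRAG:
            frag = True
            if int.from_bytes(pkt[off + 2:off + 4], "big") >> 3:
                ra = None       # non-first fragment: ICMPv6 type is not in this packet
                break
        nh, off = pkt[off], off + size
    if ra is not None:
        ra = nh == ICMPV6 and off < len(pkt) and pkt[off] == RA
    # The two cases the article lists as not filtered: a unicast RA behind
    # multiple extension headers, or a unicast RA that is fragmented.
    gap = bool(ra) and unicast and (ext > 1 or frag)
    return {"ra": ra, "unicast": unicast, "ext_headers": ext,
            "fragmented": frag, "not_filtered_case": gap}

def ipv6(nh: int, dst: str, payload: bytes) -> bytes:
    """Constructed sample input: bare IPv6 header from fe80::1, hop limit 255."""
    return (b"\x60\x00\x00\x00" + len(payload).to_bytes(2, "big") + bytes([nh, 255])
            + ipaddress.IPv6Address("fe80::1").packed
            + ipaddress.IPv6Address(dst).packed + payload)

# Constructed samples (checksums zeroed, so not valid on a wire).
RA_BODY = bytes([RA, 0]) + bytes(14)
PAD = b"\x01\x04\x00\x00\x00\x00"  # PadN option filling an 8-byte options header
MULTICAST_RA = ipv6(ICMPV6, "ff02::1", RA_BODY)
CHAINED_RA = ipv6(0, "fe80::2", bytes([60, 0]) + PAD + bytes([ICMPV6, 0]) + PAD + RA_BODY)
FIRST_FRAGMENT = ipv6(FRAG, "fe80::2", bytes([ICMPV6, 0, 0, 1]) + bytes(4) + RA_BODY)

if __name__ == "__main__":
    for name in ("MULTICAST_RA", "CHAINED_RA", "FIRST_FRAGMENT"):
        print(name, classify(globals()[name]))
```

A result of `"ra": None` means a non-first fragment, which can only be judged after reassembly.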

 



Configuration:


Command to enable IPv6 RA Guard and the auto-recovery option


(host) (config) #interface-profile port-security-profile <profile-name>

(host) (Port security profile "<profile-name>") # ipv6-ra-guard action drop
(or)
(host) (Port security profile "<profile-name>") # ipv6-ra-guard action shutdown
(or)
(host) (Port security profile "<profile-name>") # ipv6-ra-guard action shutdown auto-recovery-time <recovery-time>

(host) (gigabitethernet "<interface-number>") # port-security-profile "<profile-name>"

 

(BC-Corvina54) #show interface-profile port-security-profile

Port security profile List
--------------------------
Name      References  Profile Status
----      ----------  --------------
default   0
RA-Guard  1



Verification


IPv6 RA-Guard Configuration Commands

 

  • Viewing Port-security Profile Configuration


(BC-Corvina54) # show port-security interface gigabitethernet 0/0/1

Interface Port Security Info
----------------------------
Port Security Feature                 Status
----------------------                -------
IPv6 RA Guard Action                  Shutdown
IPv6 RA Guard Auto Recovery Time      30 seconds
MAC Limit                             N/A
MAC Limit Action                      N/A
MAC Limit Auto Recovery Time          N/A
Trust DHCP                            Yes
Port Loop Protect                     N/A
Port Loop Protect Auto Recovery Time  N/A

 

  • Viewing the IPv6 RA-Guard port error


(BC-Corvina54) #show port-error-recovery

Layer-2 Interface Error Information
-----------------------------------
Interface  Error                 Error seen time            Recovery time
---------  -----                 ---------------            -------------
GE0/0/1    Drop (IPv6 RA Guard)  2012-04-14 13:55:31 (PST)  No Auto Recovery

 

(BC-Corvina54) #show port-error-recovery

Layer-2 Interface Error Information
-----------------------------------
Interface  Error                     Error seen time            Recovery time
---------  -----                     ---------------            -------------
GE0/0/1    Shutdown (IPv6 RA Guard)  2012-04-18 01:16:45 (PST)  No Auto Recovery

 

(BC-Corvina54) #show port-error-recovery

Layer-2 Interface Error Information
-----------------------------------
Interface  Error                     Error seen time            Recovery time
---------  -----                     ---------------            -------------
GE0/0/1    Shutdown (IPv6 RA Guard)  2012-04-18 01:18:22 (PST)  2012-04-18 01:19:04 (PST)


  • Viewing the IPv6 RA-Guard error at the interface level

 

(BC-Corvina54) #show interface gigabitethernet 0/0/1

GE0/0/1 is administratively Up, Link is Down, Line protocol is Down
Hardware is Gigabit Ethernet, Interface is Connected to Cisco-IPv6Router, Address is 00:0b:86:6a:8a:c3
Encapsulation ARPA, Loopback not set
Configured: duplex (Auto), Speed (Auto), FC (Off), Autoneg (On)
Auto negotiation in progress
Interface index: 2
MTU 1514 bytes
Link flaps: 12
Flags: Access, Trusted
Port shutdown reason : Rouge RA packet received <---------
Link status last changed:       0d 00:00:00 ago
Last update of counters:        0d 00:00:00 ago
Last clearing of counters:      0d 00:00:00 ago

 

  • Viewing the IPv6 RA-Guard Log messages


(BC-Corvina54) # show log security all

Apr 14 10:16:32 :128005:  <ERRS> |l2m|  Received rouge RA packet on interface gigabitethernet0/0/1 on vlan 25, from src IP fe80::ce00:dff:fe7c:0, and dest IP ff02::1, dropped the packet

 

 

Version history
Revision #: 2 of 2
Last update: 11-25-2015 04:06 PM