Wired Networks

What is the prevention mechanism against Rogue Router Advertisement attack in an Aruba Mobility Access Switch Environment?

RA Guard is a prevention mechanism against Rogue Router Advertisement attacks that utilizes RA Snooping.

The Router Advertisement (RA) Guard functionality analyzes RAs and filters out RA packets sent by unauthorized devices. The RA guard feature is disabled by default. When it is enabled, RA packets received on the interface are dropped, and the port can be shut down, depending on the interface configuration. If the auto-recovery option is configured, the port can be reactivated after the configured time.

The following RA messages are filtered by enabling the RA guard:

  • RA message with no extension header
  • RA message with multiple extension headers
  • RA message fragmented

The following Unicast RA messages are not filtered by enabling the RA guard:

  • Unicast RA messages with multiple extension headers
  • Unicast RA messages fragmented
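
To check which of the cases listed above a captured packet falls into, the following added example (not part of the original article and not Aruba's code) walks the IPv6 header chain in Python. The category mapping is an assumed reading of the article's two lists, and the helper names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

EXT = {0, 43, 60}                        # hop-by-hop, routing, destination options
FRAGMENT, ICMPV6, RA_TYPE = 44, 58, 134

def inspect_ra(packet: bytes) -> dict:
    """Walk the IPv6 header chain and report the traits the article's lists use."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    unicast = not ipaddress.IPv6Address(packet[24:40]).is_multicast
    next_hdr, offset, ext_count, fragmented, visible = packet[6], 40, 0, False, True
    while visible and (next_hdr in EXT or next_hdr == FRAGMENT):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        ext_count += 1                   # the fragment header is counted too
        size = (packet[offset + 1] + 1) * 8
        if next_hdr == FRAGMENT:
            fragmented, size = True, 8   # fragment header is always 8 bytes
            # A non-zero fragment offset means the ICMPv6 header is in another packet.
            visible = struct.unpack_from("!H", packet, offset + 2)[0] >> 3 == 0
        next_hdr, offset = packet[offset], offset + size
    is_ra = None                         # None: cannot tell from this fragment
    if visible:
        is_ra = next_hdr == ICMPV6 and offset < len(packet) and packet[offset] == RA_TYPE
    return {"is_ra": is_ra, "ext_headers": ext_count, "fragmented": fragmented, "unicast": unicast}

def article_category(info: dict) -> str:
    """Assumed reading of the article's two lists, not Aruba's implementation."""
    if not info["is_ra"]:
        return "not identifiable as an RA"
    odd = info["fragmented"] or info["ext_headers"] > 1
    if info["unicast"] and odd:
        return "not filtered (unicast exception)"
    if odd or info["ext_headers"] == 0:
        return "filtered"
    return "not listed in the article"

def ipv6(dst: str, next_hdr: int, payload: bytes) -> bytes:  # constructed packet from fe80::1
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 255)
    return hdr + ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address(dst).packed + payload

RA = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)  # constructed; checksum left at 0
def opts(nh): return bytes([nh, 0, 1, 4, 0, 0, 0, 0])        # options header, PadN only
def frag(nh): return struct.pack("!BBHI", nh, 0, 1, 0x1234)  # first fragment, M flag set

if __name__ == "__main__":
    for dst in ("ff02::1", "fe80::2"):   # multicast, then unicast
        print(dst, "fragmented RA:", article_category(inspect_ra(ipv6(dst, FRAGMENT, frag(ICMPV6) + RA))))
```
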

This article applies to all Mobility Access Switches running a minimum of AOS version 7.1.3.0.

Environment: All the sample outputs in this article are from Aruba S2500 Mobility Access Switch running AOS version 7.3.0.0.

Configure RA guard as part of the port-level security configuration and attach the profile to the interface.

(host)(config)# interface-profile port-security-profile <profile-name>
(host)(Port security profile "profile-name") #ipv6-ra-guard action {drop|shutdown} auto-recovery-time <recovery-time>


The following example shows how to enable the RA Guard functionality:

(ArubaS2500-24P)(config)# interface-profile port-security-profile ps1
(ArubaS2500-24P) (Port security profile "ps1") # ipv6-ra-guard action shutdown auto-recovery-time 60


To enable the Port Security functionality on an interface, you must attach a port-security profile to it. Use the following commands to associate a port-security profile with an interface:

For Gigabitethernet:

(host)(config) #interface gigabitethernet <slot/mod/port>
(host)(gigabitethernet "<slot/mod/port>") #port-security-profile <profile-name>


For Port-channel:

(host) (config) #interface port-channel <id>
(host) (port-channel "<id>") #port-security-profile <profile-name>

The following command displays the port-security profile configuration:

(ArubaS2500-24P) (config) #show interface-profile port-security-profile ps1

    Port security profile "ps1"
---------------------------------------
  Parameter                                        Value
  ---------                                        -----
IPV6 RA Guard Action                              Shutdown
IPV6 RA Guard Auto Recovery Time                 60 Seconds
MAC Limit                                           N/A
MAC Limit Action                                    N/A
MAC Limit Auto Recovery Time                        N/A
Trust DHCP                                          N/A
Port Loop Protect                                   N/A
Port Loop Protect Auto Recovery Time                N/A
Sticky MAC                                          N/A
IP Source Guard                                     N/A
Dynamic Arp Inspection                              N/A

Version history: Revision 1 of 1. Last update: 07-11-2014 02:17 PM