Wired Intelligent Edge (Campus Switching and Routing)


What is the prevention mechanism against Rogue Router Advertisement attack in an Aruba Mobility Access Switch Environment? 

Jul 11, 2014 05:17 PM

RA Guard is a prevention mechanism against Rogue Router Advertisement attacks that uses RA snooping.

The Router Advertisement (RA) Guard functionality analyzes RAs and filters out RA packets sent by unauthorized devices. The RA guard feature is disabled by default. When it is enabled, RA packets received on the interface are dropped, and the port can be shut down, depending on the interface configuration. The port can be reactivated after the configured time by configuring the auto-recovery option.

The following RA messages are filtered by enabling the RA guard:

  • RA message with no extension header
  • RA message with multiple extension headers
  • RA message fragmented

The following Unicast RA messages are not filtered by enabling the RA guard:

  • Unicast RA messages with multiple extension headers
  • Unicast RA messages fragmented

This article applies to all Mobility Access Switches running a minimum of AOS version 7.1.3.0.

 

Environment: All the sample outputs in this article are from an Aruba S2500 Mobility Access Switch running AOS version 7.3.0.0.

 

Configure the RA guard as part of the port-level security configuration and attach it to the interface.

(host)(config)# interface-profile port-security-profile <profile-name>
(host)(Port security profile "profile-name")# ipv6-ra-guard action {drop|shutdown} auto-recovery-time <recovery-time>


The following example shows how to enable the RA Guard functionality:

(ArubaS2500-24P)(config)# interface-profile port-security-profile ps1
(ArubaS2500-24P) (Port security profile "ps1") # ipv6-ra-guard action shutdown auto-recovery-time 60


To enable the Port Security functionality on an interface, you must attach a port-security profile to it. Use the following commands to associate a port-security profile with an interface:

For Gigabitethernet:

(host)(config) #interface gigabitethernet <slot/mod/port>
(host)(gigabitethernet "<slot/mod/port>") #port-security-profile <profile-name>


For Port-channel:

(host) (config) #interface port-channel <id>
(host) (port-channel "<id>") #port-security-profile <profile-name>

 

 

To verify the configuration, display the port-security profile:

(ArubaS2500-24P) (config) #show interface-profile port-security-profile ps1

Port security profile "ps1"
---------------------------------------
Parameter                               Value
---------                               -----
IPV6 RA Guard Action                    Shutdown
IPV6 RA Guard Auto Recovery Time        60 Seconds
MAC Limit                               N/A
MAC Limit Action                        N/A
MAC Limit Auto Recovery Time            N/A
Trust DHCP                              N/A
Port Loop Protect                       N/A
Port Loop Protect Auto Recovery Time    N/A
Sticky MAC                              N/A
IP Source Guard                         N/A
Dynamic Arp Inspection                  N/A
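
An added example, not part of the original article or of any Aruba tooling: a Python check that parses the show interface-profile port-security-profile output above and reports a profile where RA guard is not enabled, or where the shutdown action has no auto-recovery time. The sample text is constructed from the ps1 output, and the check assumes that unset values print as N/A, as the other rows do.

```python
import re

# Constructed sample, shortened from the "ps1" output shown in this article.
SAMPLE_PS1 = """\
Port security profile "ps1"
---------------------------------------
Parameter                             Value
---------                             -----
IPV6 RA Guard Action                  Shutdown
IPV6 RA Guard Auto Recovery Time      60 Seconds
MAC Limit                             N/A
Trust DHCP                            N/A
"""

def parse_profile(text):
    """Return (profile_name, {parameter: value}) from the show output."""
    name = None
    params = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'Port security profile "(.+)"$', line)
        if m:
            name = m.group(1)
            continue
        # Parameter and value are separated by two or more spaces.
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2 and not set(parts[0]) <= {"-"} and parts[0] != "Parameter":
            params[parts[0]] = parts[1]
    return name, params

def audit_ra_guard(text):
    """Return a list of findings; an empty list means RA guard is set and recoverable."""
    name, params = parse_profile(text)
    action = params.get("IPV6 RA Guard Action", "N/A")
    recovery = params.get("IPV6 RA Guard Auto Recovery Time", "N/A")
    findings = []
    if action.lower() not in ("drop", "shutdown"):
        # Assumption: an unset action prints as N/A, like the other unset rows.
        findings.append(f"{name}: RA guard is not enabled (action={action})")
    elif action.lower() == "shutdown":
        m = re.match(r"(\d+)", recovery)
        if not m or int(m.group(1)) == 0:
            # Assumption: a missing auto-recovery time prints as N/A or 0.
            findings.append(f"{name}: shutdown action without auto-recovery time")
    return findings
```

Calling audit_ra_guard on the saved output of each port-security profile that is attached to an access port gives a quick list of profiles that still need RA guard configured.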
