RA Guard is a prevention mechanism against rogue Router Advertisement attacks that utilizes RA snooping.

The Router Advertisement (RA) Guard functionality analyzes the RAs and filters out RA packets sent by unauthorized devices. The RA guard feature is disabled by default. When it is enabled, the RA packets received on the interface are dropped and the port can be shut down based on the interface configuration. The port can be reactivated after the configured time by configuring the auto-recovery option.

The following RA messages are filtered by enabling the RA guard:
This article applies to all Mobility Access Switches running a minimum of AOS version 7.1.3.0.
Environment: All the sample outputs in this article are from an Aruba S2500 Mobility Access Switch running AOS version 7.3.0.0.
Configure the RA guard as part of the port-level security configuration and attach it to the interface.

(host)(config)# interface-profile port-security-profile <profile-name>
(host)(Port security profile "profile-name")# ipv6-ra-guard action {drop|shutdown} auto-recovery-time <recovery-time>

The following example shows how to enable the RA Guard functionality:

(ArubaS2500-24P)(config)# interface-profile port-security-profile ps1
(ArubaS2500-24P) (Port security profile "ps1") # ipv6-ra-guard action shutdown auto-recovery-time 60

To enable the Port Security functionality on an interface, you must attach a port-security profile to it. Use the following commands to associate a port-security profile with an interface:

For Gigabitethernet:

(host)(config) #interface gigabitethernet <slot/mod/port>
(host)(gigabitethernet "<slot/mod/port>") #port-security-profile <profile-name>

For Port-channel:

(host) (config) #interface port-channel <id>
(host) (port-channel "<id>") #port-security-profile <profile-name>
(ArubaS2500-24P) (config) #show interface-profile port-security-profile ps1

Port security profile "ps1"
---------------------------------------
Parameter                             Value
---------                             -----
IPV6 RA Guard Action                  Shutdown
IPV6 RA Guard Auto Recovery Time      60 Seconds
MAC Limit                             N/A
MAC Limit Action                      N/A
MAC Limit Auto Recovery Time          N/A
Trust DHCP                            N/A
Port Loop Protect                     N/A
Port Loop Protect Auto Recovery Time  N/A
Sticky MAC                            N/A
IP Source Guard                       N/A
Dynamic Arp Inspection                N/A
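
The check below is an added example, not part of the original article or of Aruba's tooling: it parses the show interface-profile port-security-profile output shown above and reports whether RA Guard is enabled in that profile. The column spacing in the sample, the reading of "N/A" as "not configured", and the audit rule in the hypothetical ra_guard_findings function are assumptions.

```python
import re

# Sample constructed from the "show interface-profile port-security-profile ps1"
# output on this page; the column spacing (two or more spaces) is an assumption.
SAMPLE = '''Port security profile "ps1"
---------------------------------------
Parameter                             Value
---------                             -----
IPV6 RA Guard Action                  Shutdown
IPV6 RA Guard Auto Recovery Time      60 Seconds
MAC Limit                             N/A
Trust DHCP                            N/A
'''

def parse_profile(text):
    """Return (profile_name, {parameter: value}) from the show output."""
    name, params = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'Port security profile "(.+)"$', line)
        if m:
            name = m.group(1)
            continue
        # Skip blank lines and dashed rules such as "---------   -----".
        if not line or set(line) <= set("- "):
            continue
        cols = re.split(r"\s{2,}", line, maxsplit=1)
        if len(cols) == 2 and cols != ["Parameter", "Value"]:
            params[cols[0]] = cols[1]
    return name, params

def ra_guard_findings(params):
    """Hypothetical audit rule: list RA Guard gaps in one parsed profile."""
    findings = []
    # Assumption: "N/A" (or a missing row) means the setting is not configured.
    action = params.get("IPV6 RA Guard Action", "N/A").lower()
    recovery = params.get("IPV6 RA Guard Auto Recovery Time", "N/A")
    if action not in ("drop", "shutdown"):
        findings.append("RA Guard is not enabled (no drop/shutdown action)")
    elif action == "shutdown" and not re.match(r"[1-9]\d*\s+Seconds$", recovery):
        findings.append("shutdown action without an auto-recovery time")
    return findings

if __name__ == "__main__":
    name, params = parse_profile(SAMPLE)
    print(name, ra_guard_findings(params) or "RA Guard OK")
```

Run it over the saved output of each port-security profile that is attached to an access port; an empty findings list means the profile has an RA Guard action set.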
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.