IPv6 Configuration Guide K/KA/KB.15.15

Restricting IPv6 Router Advertisements
The RA Guard feature restricts the ports (or trunks) that can accept IPv6 Router Advertisements
(RAs). Additionally, ICMPv6 router redirects are blocked on the configured ports.
Only physical ports and trunk ports are supported. Dynamic ports, dynamic trunks, and mesh ports
are not supported.
NOTE: IPv6 RAs are ICMPv6 type 134 messages and may be sent to either the “all nodes”
multicast address (FF02:0:0:0:0:0:0:1) or to the address of the device itself as a result of an IPv6
router solicitation. IPv6 router redirect messages are ICMPv6 type 137 messages. They are sent
to the source address of the packet that triggered the redirect.
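The filtering rule described above, modelled in Python as an added example (it is not the switch's own code): a packet arriving on a guarded port is dropped when it is ICMPv6 type 134 or 137, whatever its destination. The port names A1 to A3, the addresses, and the function names are assumptions, and the packets are constructed samples.

```python
import ipaddress
import struct

ICMPV6 = 58  # IPv6 Next Header value for ICMPv6
BLOCKED = {134: "router advertisement", 137: "router redirect"}

def build_packet(src, dst, icmp_type):
    """Build a minimal IPv6 + ICMPv6 packet (constructed sample, checksum 0)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    fixed = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)

def ra_guard_verdict(packet, ingress_port, guarded_ports):
    """Return (action, reason) for one packet arriving on ingress_port.

    Assumption: this model reads only the fixed 40-byte IPv6 header; the
    page does not describe how deeply the switch parses a packet.
    """
    if ingress_port not in guarded_ports:
        return "forward", "port not configured for RA Guard"
    if len(packet) < 41 or packet[0] >> 4 != 6:
        return "forward", "not an IPv6 packet with a payload"
    if packet[6] != ICMPV6:
        return "forward", "next header is not ICMPv6"
    icmp_type = packet[40]
    dst = ipaddress.IPv6Address(packet[24:40])
    if icmp_type in BLOCKED:
        return "drop", f"{BLOCKED[icmp_type]} (type {icmp_type}) to {dst}"
    return "forward", f"ICMPv6 type {icmp_type} is not filtered"

def demo():
    guarded = {"A1", "A2"}  # hypothetical access ports; A3 is the router uplink
    samples = [
        ("A1", build_packet("fe80::bad", "ff02::1", 134)),      # RA to all nodes
        ("A1", build_packet("fe80::bad", "fe80::10", 134)),     # RA sent to one host
        ("A2", build_packet("fe80::bad", "2001:db8::10", 137)), # router redirect
        ("A1", build_packet("fe80::10", "ff02::1:ff00:1", 135)),# neighbor solicitation
        ("A3", build_packet("fe80::1", "ff02::1", 134)),        # RA on unguarded uplink
    ]
    return [(port, *ra_guard_verdict(pkt, port, guarded)) for port, pkt in samples]

if __name__ == "__main__":
    for port, action, reason in demo():
        print(f"{port}: {action:7} {reason}")
```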
Configuring RA Guard
Syntax
[no] ipv6 ra-guard ports <port-list> [log]
Enables or disables RA Guard on the specified ports, which blocks IPv6 router
advertisements and router redirects.
The no form of the command disables RA Guard.
[log]: Enables debug logging of RA and redirect packets to debug output.
Figure 16 Enabling RA Guard
Operating Notes
When a logical trunk port is enabled, all members of the trunk are enabled for RA Guard.
Likewise, when a logical trunk port is disabled (no ipv6 ra-guard ports <trunk-port>), all
members of the trunk are disabled for RA Guard.
When ports are configured for RA Guard, hardware resources are allocated. If there are not
enough hardware resources, this message displays:
Commit failed
When debug logging is enabled (ipv6 ra-guard ports <port-list> log), the RA and redirect
packets are sent to the CPU, which can be CPU-intensive. This message displays:
The log option uses a lot of CPU and should be used only for short
periods of time.
The debug security ra-guard command is used to filter and display RA Guard debug log
messages.
To display configuration and statistical information about RA Guard, enter the show ipv6 ra-guard
command.
Figure 17 Output Showing Configuration and Statistics for RA Guard