IPv6 security: RA Guard config key points

IPv6 RA Guard – Router Advertisement Guard

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-3se/3850/ip6f-xe-3se-3850-book/ip6-ra-guard.html

Configuration

Key points

- Need the link-local address that the RA is coming from

- Need the payload prefix that it will be advertising

Configure interface role – monitor | router | switch

Configuring the IPv6 RA Guard Policy on the Device

SUMMARY STEPS

  1.    enable
  2.    configure terminal
  3.    ipv6 nd raguard policy policy-name
  4.    device-role {host | router}
  5.    hop-limit {maximum | minimum limit}
  6.    managed-config-flag {on | off}
  7.    match ipv6 access-list ipv6-access-list-name
  8.    match ra prefix-list ipv6-prefix-list-name
  9.    other-config-flag {on | off}
  10.   router-preference maximum {high | low | medium}
  11.   trusted-port
  12.   exit
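
The steps above filled in for one switch, tying the two key points (RA source link-local address, advertised prefix) to the policy's match statements. This is an added example, not configuration from the original page or the Cisco guide; the policy, ACL and prefix-list names, the addresses and the uplink interface are assumptions.

```ios
! Added example. Names, addresses and the uplink port are assumptions
! (documentation prefix 2001:DB8::/32, constructed link-local FE80::1).
!
! Key point 1: link-local source address the legitimate RA comes from
ipv6 access-list RA-SOURCE
 permit ipv6 host FE80::1 any
!
! Key point 2: prefix the legitimate router carries in the RA payload
ipv6 prefix-list RA-PREFIX seq 10 permit 2001:DB8:222::/64
!
! Policy for the port facing the legitimate router: RAs are accepted
! only if source, prefix, M/O flags and preference all match
ipv6 nd raguard policy ROUTER-UPLINK
 device-role router
 match ipv6 access-list RA-SOURCE
 match ra prefix-list RA-PREFIX
 ! SLAAC-only segment assumed, so M and O flags must be off
 managed-config-flag off
 other-config-flag off
 ! RAs advertising a preference above medium are rejected
 router-preference maximum medium
!
! Policy for access ports: RAs and redirects received here are dropped
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
interface GigabitEthernet1/0/1
 description uplink to router (assumed port)
 ipv6 nd raguard attach-policy ROUTER-UPLINK
!
interface FastEthernet3/13
 switchport access vlan 222
 switchport mode access
 ipv6 nd raguard attach-policy HOST-PORTS
```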

Example: IPv6 RA Guard Configuration

Device(config)# interface fastethernet 3/13
Device(config-if)# ipv6 nd raguard attach-policy
Device# show running-config interface fastethernet 3/13
 
Building configuration... 
Current configuration : 129 bytes 
! 
interface FastEthernet3/13 
 switchport 
 switchport access vlan 222 
 switchport mode access 
 access-group mode prefer port 
 ipv6 nd raguard 
end

Verify

Device# show ipv6 snooping capture-policy interface ethernet 0/0

Hardware policy registered on Ethernet 0/0 
Protocol     Protocol value   Message   Value     Action    Feature 
ICMP         58               RS        85        punt      RA Guard 
                                                  punt      ND Inspection 
ICMP         58               RA        86        drop      RA guard 
                                                  punt      ND Inspection 
ICMP         58               NS        87        punt      ND Inspection 
ICMP         58               NA        88        punt      ND Inspection 
ICMP         58               REDIR     89        drop      RA Guard 
                                                  punt      ND Inspection