Configuring IPv6 RA guard

  • (Optional) Configure the IPv6 prefix list using the ipv6 prefix-list command (for a Layer 3 device) so that you can associate the prefix list with an RA guard policy.
  • Configure the enable acl-per-port-per-vlan command before you define an RA guard policy.

Configuring IPv6 RA guard includes the following steps:

  1. Define an RA guard whitelist using the ipv6 raguard whitelist command. Add IPv6 addresses of all the sources from which the RA packets can be forwarded. You can create a maximum of 64 whitelists and each whitelist can have a maximum of 128 IPv6 address entries.
  2. Define an RA guard policy using the ipv6 raguard policy command. You can configure a maximum of 256 RA guard policies.
  3. Configure ports as trusted, untrusted, or host ports using the raguard command in the interface configuration mode.
  4. Associate a whitelist with an RA guard policy using the whitelist command in the RA guard policy configuration mode. You can associate only one whitelist with an RA guard policy. If you do not associate a whitelist with an RA guard policy, all RA packets are dropped.
  5. (Optional) (Only for Layer 3 devices) Associate an already defined prefix list with the RA guard policy using the prefix-list command in the RA guard policy configuration mode. You must provide the name of an IPv6 prefix list already configured using the ipv6 prefix-list command.
  6. (Optional) Set the preference for RA packets using the preference-maximum command in the RA guard policy configuration mode.
  7. Apply the RA guard policy to a VLAN using the ipv6 raguard vlan command in the global configuration mode. You can associate only one RA guard policy with a VLAN.
  8. (Optional) Enable logging using the logging command in the RA guard policy configuration mode. If logging is enabled, you can verify logs such as RAs dropped, RAs permitted, the count of dropped packets, and the reasons for the drop. Logging increases the CPU load and, at higher traffic rates, RA packets are dropped due to congestion if they are received at line rate.
  9. (Optional) Verify the RA guard configuration using the show ipv6 raguard command.
  10. (Optional) Clear the RA packet counter using the clear ipv6 raguard command.
  11. (Optional) Verify the RA packet counts using the show ipv6 raguard counts command. Logging has to be enabled to verify the counts.
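
The limits and dependencies in the steps above can be checked before any command is entered on a device. The following Python lint is an added example, not part of the original documentation or the vendor's tooling; the plan layout (dictionary keys, VLAN binding tuples) and the sample values are assumptions made for illustration.

```python
import ipaddress

# Limits come from the steps above; the plan layout is a hypothetical model.
MAX_WHITELISTS, MAX_ENTRIES, MAX_POLICIES = 64, 128, 256


def lint_raguard_plan(plan):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    whitelists = plan.get("whitelists", {})
    policies = plan.get("policies", {})
    if not plan.get("acl_per_port_per_vlan"):
        findings.append("prerequisite: acl-per-port-per-vlan is not enabled")
    if len(whitelists) > MAX_WHITELISTS:
        findings.append(f"{len(whitelists)} whitelists exceed the limit of {MAX_WHITELISTS}")
    for wl_id, entries in whitelists.items():
        if len(entries) > MAX_ENTRIES:
            findings.append(f"whitelist {wl_id}: more than {MAX_ENTRIES} entries")
        for entry in entries:
            try:
                ipaddress.IPv6Interface(entry)  # address, optionally with /length
            except ValueError:
                findings.append(f"whitelist {wl_id}: {entry!r} is not an IPv6 address")
    if len(policies) > MAX_POLICIES:
        findings.append(f"{len(policies)} policies exceed the limit of {MAX_POLICIES}")
    for name, policy in policies.items():
        wl_id = policy.get("whitelist")
        if wl_id is None:
            findings.append(f"policy {name}: no whitelist, so all RA packets are dropped")
        elif wl_id not in whitelists:
            findings.append(f"policy {name}: whitelist {wl_id} is not defined")
    bound = {}  # VLAN -> first policy bound to it (only one policy per VLAN)
    for vlan, name in plan.get("vlan_bindings", []):
        if name not in policies:
            findings.append(f"vlan {vlan}: policy {name} is not defined")
        if vlan in bound:
            findings.append(f"vlan {vlan}: already bound to policy {bound[vlan]}")
        bound.setdefault(vlan, name)
    return findings


# Constructed sample plan with three deliberate mistakes.
SAMPLE_PLAN = {
    "acl_per_port_per_vlan": True,
    "whitelists": {1: ["fe80::1", "fe80::zz"]},
    "policies": {"p1": {"whitelist": 1}, "p2": {}},
    "vlan_bindings": [(10, "p1"), (10, "p2")],
}

print("\n".join(lint_raguard_plan(SAMPLE_PLAN)))
```

The finding for a policy with no whitelist matters most operationally: applying such a policy to a VLAN drops every RA on it, including those from legitimate routers.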