3.2.1.1 Configure RA Guard - interfaces

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The IPv6 RA Guard feature provides support for allowing the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network device platform. RAs are used by devices to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 (L2) device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.

Rationale:

Packets are classified into one of three DHCP type messages. If a packet arriving from DHCP server is a Relay Forward or a Relay Reply, only the device role is checked. In addition, IPv6 DHCP Guard doesn't apply the policy for a packet sent out by the local relay agent running on the switch.

Impact:

With RA Guard in it's default 'not configured' state, a malicious actor can send IPv6 RA (Router Advertisement) packets, and present their station as a valid router. This places the attacker in a position where they can send specific traffic to a malicious site (usually to steal credentials). Also an attacker in this position can eavesdrop on or modify traffic in transit, before forwarding it on.

Solution

In the example below, the RA Guard policy is created, then applied to a VLAN.
Example

switch(config)# ipv6 nd raguard policy RAGuardPol01
switch(config-ra-guard)# device-role router
switch(config-ra-guard)# hop-limit minimum 3
switch(config-ra-guard)# managed-config-flag on
switch(config-ra-guard)# other-config-flag on
switch(config-ra-guard)# router-preference maximum high
switch(config-ra-guard)# trusted-port

Configuring RA Guard on an interface
Example
switch(config)#vlan configuration 10
switch(config-if) ipv6 nd raguard attach-policy RAGuardPol01

Default Value:

By default, RA Guard is not enabled:

switch# sho ipv6 nd raguard policy

RA guard feature not active

See Also

https://workbench.cisecurity.org/files/3102