The IPv6 RA Guard feature allows the network administrator to block or reject unwanted or rogue Router Advertisement (RA) messages that arrive at the network device platform. RAs are used by routers to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port. The RA Guard feature compares configuration information on the Layer 2 (L2) device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.

Rationale:
Packets are classified into one of three DHCP message types. If a packet arriving from a DHCP server is a Relay Forward or a Relay Reply, only the device role is checked. In addition, IPv6 DHCP Guard does not apply the policy to a packet sent out by the local relay agent running on the switch.

Impact:
With RA Guard in its default 'not configured' state, a malicious actor can send IPv6 RA (Router Advertisement) packets and present their station as a valid router. This places the attacker in a position where they can redirect specific traffic to a malicious site (usually to steal credentials). An attacker in this position can also eavesdrop on or modify traffic in transit before forwarding it on.
Solution
In the example below, the RA Guard policy is created, then applied to a VLAN.

Example:

switch(config)# ipv6 nd raguard policy RAGuardPol01
switch(config-ra-guard)# device-role router
switch(config-ra-guard)# hop-limit minimum 3
switch(config-ra-guard)# managed-config-flag on
switch(config-ra-guard)# other-config-flag on
switch(config-ra-guard)# router-preference maximum high
switch(config-ra-guard)# trusted-port

Attaching the RA Guard policy to a VLAN

Example:

switch(config)# vlan configuration 10
switch(config-vlan-config)# ipv6 nd raguard attach-policy RAGuardPol01

Default Value:
By default, RA Guard is not enabled:

switch# show ipv6 nd raguard policy
RA guard feature not active
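As an added compliance check (not part of the original text or any vendor tool), the Python script below parses an IOS-style running-config and reports VLANs that have no RA Guard policy attached, an attached policy that is never defined, or a policy without a device-role. The sample config, the policy name Missing and the VLAN ids 20 and 30 are constructed for the example.

```python
import re
# Constructed sample running-config, modelled on the example in the text.
SAMPLE_CONFIG = """\
ipv6 nd raguard policy RAGuardPol01
 device-role router
 hop-limit minimum 3
 trusted-port
vlan configuration 10
 ipv6 nd raguard attach-policy RAGuardPol01
vlan configuration 20
 ipv6 nd raguard attach-policy Missing
vlan configuration 30
 ipv6 snooping
"""
def parse_raguard(config):
    # policy name -> set of option lines; VLAN id -> attached policy name
    policies, attachments, block = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line starts a new block
            m = re.match(r"ipv6 nd raguard policy (\S+)", line)
            if m:
                block = ("policy", m.group(1))
                policies.setdefault(block[1], set())
                continue
            m = re.match(r"vlan configuration (\d+)", line)
            block = ("vlan", m.group(1)) if m else None
            continue
        opt = line.strip()
        if block and block[0] == "policy":
            policies[block[1]].add(opt)
        elif block and block[0] == "vlan":
            m = re.match(r"ipv6 nd raguard attach-policy (\S+)", opt)
            if m:
                attachments[block[1]] = m.group(1)
    return policies, attachments

def audit(config, required_vlans):
    # Empty list means every required VLAN has a defined policy with a device-role.
    policies, attachments = parse_raguard(config)
    findings = []
    for vlan in required_vlans:
        pol = attachments.get(vlan)
        if pol is None:
            findings.append(f"vlan {vlan}: no RA Guard policy attached")
        elif pol not in policies:
            findings.append(f"vlan {vlan}: attached policy {pol} is not defined")
        elif not any(o.startswith("device-role") for o in policies[pol]):
            findings.append(f"vlan {vlan}: policy {pol} sets no device-role")
    return findings
```

Feed it the output of `show running-config` and the list of user-facing VLAN ids; only VLAN 10 in the sample passes.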