
IPv6 FHS how to filter only RA but keep RS

Hi,

If we have a switch that has to be the IPv6 ND RA for a specific VLAN, and we have to filter unauthorized RAs on that VLAN, but we still need RSs to be permitted for those hosts which need to do solicitation for the active router on that link (which is the switch in this case),

I don't see an option to filter only RA and keep RS.


vlan configuration 2
ipv6 nd raguard


SW1#show ipv6 snooping capture-policy vlan 2
HW Target vlan 2 HW policy signature 0000001C policies#:1 rules 3 sig 0000001C
SW policy default feature RA guard

Rule RS Protocol ICMPV6 mask 00000004 action PUNT match 133 #feat:1
feature RA guard
Rule RA Protocol ICMPV6 mask 00000008 action PUNT match 134 #feat:1
feature RA guard
Rule REDIR Protocol ICMPV6 mask 00000010 action PUNT match 137 #feat:1
feature RA guard

1 ACCEPTED SOLUTION

Cisco Employee

Re: IPv6 FHS how to filter only RA but keep RS

Hi Mohammed,

RA guard should not block router solicitation messages (RS). If you configure the default policy, all ports in vlan 2 will be considered host ports and RA will be blocked on all of them.

Regards,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Re: IPv6 FHS how to filter only RA but keep RS

Thank you Ritter,

Just wondering why it shows me action PUNT for 133?

Cisco Employee

Re: IPv6 FHS how to filter only RA but keep RS

This is just so that the router solicitation message can also be inspected. I am not sure what the use case is though.

Regards,

Harold Ritter
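An added example, not part of the thread or Cisco's code: it parses the capture-policy output posted in the question and separates the hardware capture action (PUNT, meaning the packet is sent up for inspection) from the forwarding verdict RA guard applies on a host-role port. The verdict function is an assumed model of host-role behaviour (RA and Redirect dropped, RS forwarded), and reading the policy signature as the OR of the rule masks is an observation from this one output, not a documented format.

```python
import re

# Output copied from the question (show ipv6 snooping capture-policy vlan 2).
CAPTURE_POLICY = """\
HW Target vlan 2 HW policy signature 0000001C policies#:1 rules 3 sig 0000001C
SW policy default feature RA guard

Rule RS Protocol ICMPV6 mask 00000004 action PUNT match 133 #feat:1
feature RA guard
Rule RA Protocol ICMPV6 mask 00000008 action PUNT match 134 #feat:1
feature RA guard
Rule REDIR Protocol ICMPV6 mask 00000010 action PUNT match 137 #feat:1
feature RA guard
"""

RULE_RE = re.compile(
    r"^Rule (?P<name>\S+) Protocol (?P<proto>\S+) mask (?P<mask>[0-9A-Fa-f]{8}) "
    r"action (?P<action>\S+) match (?P<icmp_type>\d+)", re.M)
SIG_RE = re.compile(r"policy signature (?P<sig>[0-9A-Fa-f]{8})")

def parse_capture_policy(text):
    """Return (signature, rules) parsed from the capture-policy output."""
    sig_match = SIG_RE.search(text)
    if sig_match is None:
        raise ValueError("no policy signature line found")
    rules = [{"name": m["name"], "mask": int(m["mask"], 16),
              "action": m["action"], "icmp_type": int(m["icmp_type"])}
             for m in RULE_RE.finditer(text)]
    return int(sig_match["sig"], 16), rules

def host_port_verdict(icmp_type):
    """Assumed model of RA guard on a host-role port (hypothetical helper):
    RA (134) and Redirect (137) are dropped, RS (133) and the rest forwarded."""
    return "drop" if icmp_type in (134, 137) else "forward"

def explain(text):
    """Pair each capture rule with the modelled verdict; check masks vs signature."""
    sig, rules = parse_capture_policy(text)
    combined = 0
    report = []
    for r in rules:
        combined |= r["mask"]  # each rule contributes one bit
        report.append((r["name"], r["icmp_type"], r["action"],
                       host_port_verdict(r["icmp_type"])))
    return report, combined == sig

if __name__ == "__main__":
    report, sig_ok = explain(CAPTURE_POLICY)
    for name, icmp_type, action, verdict in report:
        print(f"{name:5} type {icmp_type}: capture={action} verdict={verdict}")
    print("rule masks OR to the policy signature:", sig_ok)
```

All three rules share the PUNT capture action, so the capture policy alone does not tell you which message types are filtered; that is decided by the RA guard policy and the port's device role.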