12-14-2017 11:52 PM - edited 03-08-2019 01:07 PM
Hi,
If we have a switch that has to be IPv6 ND RA for a specific VLAN, and we have to filter unauthorized RAs on that VLAN,
but we still need RSs to be permitted for those hosts which need to do solicitation for the active router on that link (which is the switch in this case),
I don't see an option to filter only RA and keep RS:
vlan configuration 2
ipv6 nd raguard
SW1#show ipv6 snooping capture-policy vlan 2
HW Target vlan 2 HW policy signature 0000001C policies#:1 rules 3 sig 0000001C
SW policy default feature RA guard
Rule RS Protocol ICMPV6 mask 00000004 action PUNT match 133 #feat:1
feature RA guard
Rule RA Protocol ICMPV6 mask 00000008 action PUNT match 134 #feat:1
feature RA guard
Rule REDIR Protocol ICMPV6 mask 00000010 action PUNT match 137 #feat:1
feature RA guard
12-15-2017 09:33 AM
Hi Mohammed,
RA guard should not block router solicitation messages (RS). If you configure the default policy, all ports in vlan 2 will be considered host ports and RA will be blocked on all of them.
Regards,
12-15-2017 12:48 PM
Thank you Ritter,
Just wondering why it shows me action PUNT for 133?
12-15-2017 02:15 PM
This is just so that the router solicitation message can also be inspected. I am not sure what the use case is though.
Regards,
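An added example, not part of the original thread and not Cisco's implementation: a small Python model of the behaviour described in the replies above, where RS (133), RA (134) and redirect (137) are all punted for inspection but only RA and redirect are dropped on host-role ports. The function names, the `device_role` parameter and the sample packets are assumptions constructed for illustration.

```python
import struct

# ICMPv6 types matched by the capture policy shown in the thread.
PUNTED = {133: "RS", 134: "RA", 137: "REDIR"}
# Messages only a router may send; dropped when received on a host-role port.
ROUTER_ONLY = {134, 137}
# Extension headers skipped here: hop-by-hop, routing, destination options.
# Fragment headers are not handled in this simplified model.
EXT_HEADERS = {0, 43, 60}
ICMPV6 = 58


def icmpv6_type(packet: bytes):
    """Return the ICMPv6 type of a raw IPv6 packet, or None if it is not ICMPv6."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header, offset = packet[6], 40
    while next_header in EXT_HEADERS:
        if len(packet) < offset + 2:
            return None
        next_header, hdr_len = packet[offset], packet[offset + 1]
        offset += (hdr_len + 1) * 8  # length is in 8-byte units, minus the first
    if next_header != ICMPV6 or len(packet) <= offset:
        return None
    return packet[offset]


def raguard(packet: bytes, device_role: str = "host"):
    """Return (punted, verdict). Punting means inspection, not dropping."""
    msg_type = icmpv6_type(packet)
    if msg_type not in PUNTED:
        return (False, "forward")      # never leaves the hardware path
    if device_role == "host" and msg_type in ROUTER_ONLY:
        return (True, "drop")          # rogue RA or redirect from a host port
    return (True, "forward")           # RS, or RA/redirect from a router port


def build(icmp_type: int, hop_by_hop: bool = False) -> bytes:
    """Constructed sample IPv6 packet (zeroed addresses and checksum)."""
    icmp = bytes([icmp_type, 0, 0, 0]) + bytes(12)
    ext = bytes([ICMPV6, 0]) + bytes(6) if hop_by_hop else b""
    first_nh = 0 if hop_by_hop else ICMPV6
    header = struct.pack("!IHBB", 6 << 28, len(ext) + len(icmp), first_nh, 255)
    return header + bytes(32) + ext + icmp


if __name__ == "__main__":
    for t in (133, 134, 137, 128):
        print(t, PUNTED.get(t, "other"), raguard(build(t)))
```
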