IPv6 FHS how to filter only RA but keep RS

mohammed hashim
Level 1

Hi,

If we have a switch that has to be the IPv6 ND RA sender for a specific VLAN, and we have to filter unauthorized RAs on that VLAN,

but we still need RSs to be permitted for those hosts that need to solicit the active router on that link (which is the switch in this case),

I don't see an option to filter only RA and keep RS.


vlan configuration 2
ipv6 nd raguard


SW1#show ipv6 snooping capture-policy vlan 2
HW Target vlan 2 HW policy signature 0000001C policies#:1 rules 3 sig 0000001C
SW policy default feature RA guard

Rule RS Protocol ICMPV6 mask 00000004 action PUNT match 133 #feat:1
feature RA guard
Rule RA Protocol ICMPV6 mask 00000008 action PUNT match 134 #feat:1
feature RA guard
Rule REDIR Protocol ICMPV6 mask 00000010 action PUNT match 137 #feat:1
feature RA guard

Accepted Solution

Harold Ritter
Cisco Employee

Hi Mohammed,

RA guard should not block router solicitation messages (RS). If you configure the default policy, all ports in vlan 2 will be considered host ports and RA will be blocked on all of them.


Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
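To make the answer above concrete, here is an added example (written for this page, not code from the thread, from Cisco, or from any switch implementation) that models the two stages visible in the show output: a hardware capture policy that PUNTs ICMPv6 types 133, 134 and 137 to software, and a software RA-guard decision that forwards RS from any port but forwards RA and Redirect only from router-role ports. It also answers the later question in the thread about why type 133 shows action PUNT: punting only means the frame is handed to the software policy for inspection, not that it is dropped. The port roles, the minimal packets and the hop-limit and checksum checks are assumptions of this model, not a description of what Cisco's implementation does.

```python
"""Model of RA guard: hardware PUNT rules plus a software permit/drop policy.
Added example for this thread; packets and port roles are constructed here.
"""
import socket
import struct
from enum import Enum

ICMPV6 = 58                       # IPv6 next-header value for ICMPv6
RS, RA, REDIRECT = 133, 134, 137  # the three types the capture policy lists
PUNTED_TYPES = {RS, RA, REDIRECT}


class Role(Enum):
    """Assumed port roles: the default policy treats every port as HOST."""
    HOST = "host"
    ROUTER = "router"


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over data (odd length is padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmpv6(src: str, dst: str, icmp_type: int, hop_limit: int = 255) -> bytes:
    """Build a minimal IPv6 + ICMPv6 packet (constructed test input).

    The ICMPv6 body is just type/code/checksum/reserved; ND options are
    omitted because the policy here only looks at the type and hop limit.
    The checksum is computed over the RFC 4443 pseudo-header.
    """
    src_b = socket.inet_pton(socket.AF_INET6, src)
    dst_b = socket.inet_pton(socket.AF_INET6, dst)
    body = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!IBBBB", len(body), 0, 0, 0, ICMPV6)
    body = struct.pack("!BBHI", icmp_type, 0, _checksum(pseudo + body), 0)
    # version 6, traffic class 0, flow label 0 | payload len | next hdr | hop limit
    hdr = struct.pack("!IHBB", 0x60000000, len(body), ICMPV6, hop_limit) + src_b + dst_b
    return hdr + body


def icmpv6_type(pkt: bytes):
    """Return the ICMPv6 type of an IPv6/ICMPv6 packet, or None for anything else."""
    if len(pkt) < 48 or (pkt[0] >> 4) != 6 or pkt[6] != ICMPV6:
        return None
    return pkt[40]


def checksum_ok(pkt: bytes) -> bool:
    """Recompute the ICMPv6 checksum; a valid packet sums to zero."""
    body = pkt[40:]
    pseudo = pkt[8:24] + pkt[24:40] + struct.pack("!IBBBB", len(body), 0, 0, 0, ICMPV6)
    return _checksum(pseudo + body) == 0


def hardware_action(pkt: bytes) -> str:
    """Stage 1, the capture policy: ND types in the rule set are PUNTed to
    software; everything else is forwarded in hardware without inspection."""
    return "PUNT" if icmpv6_type(pkt) in PUNTED_TYPES else "FORWARD"


def ra_guard(pkt: bytes, role: Role) -> str:
    """Stage 2, the software policy applied to a punted packet.

    RS is forwarded from any port, so hosts can still solicit the router.
    RA and Redirect are forwarded only from ROUTER-role ports.
    ND messages with a bad checksum or a hop limit other than 255 are
    dropped (RFC 4861 requires 255); that check is an assumption of this
    model, not a statement about what the switch does.
    """
    t = icmpv6_type(pkt)
    if t not in PUNTED_TYPES:
        return "FORWARD"
    if not checksum_ok(pkt) or pkt[7] != 255:
        return "DROP"
    if t == RS:
        return "FORWARD"
    return "FORWARD" if role is Role.ROUTER else "DROP"


if __name__ == "__main__":
    rs = build_icmpv6("fe80::1", "ff02::2", RS)
    ra = build_icmpv6("fe80::1", "ff02::1", RA)
    for name, pkt in (("RS", rs), ("RA", ra)):
        print(name, hardware_action(pkt), "host:", ra_guard(pkt, Role.HOST),
              "router:", ra_guard(pkt, Role.ROUTER))
```

Run it and the RS line shows PUNT followed by FORWARD on both roles, while the RA line shows PUNT followed by DROP on the host port and FORWARD on the router port: the PUNT for type 133 is what lets the software policy see the RS, and the policy then lets it through.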


Thank you Ritter,

Just wondering why it shows me action PUNT for 133?

This is just so that the router solicitation message can also be inspected. I am not sure what the use case is though.


Regards,

Harold Ritter