RA guard configuration example

Network requirements

As shown in Figure 143, GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Device B are in VLAN 10.

Configure RA guard on Device B to filter forged and unwanted RA messages.

Figure 142: Network diagram

Configuration procedure

# Create an RA guard policy named policy1.

<DeviceB> system-view
[DeviceB] ipv6 nd raguard policy policy1

# Set the maximum router preference to high for the RA guard policy.

[DeviceB-raguard-policy-policy1] if-match router-preference maximum high

# Specify on as the M flag match criterion for the RA guard policy.

[DeviceB-raguard-policy-policy1] if-match autoconfig managed-address-flag on

# Specify on as the O flag match criterion for the RA guard policy.

[DeviceB-raguard-policy-policy1] if-match autoconfig other-flag on

# Set the maximum advertised hop limit to 120 for the RA guard policy.

[DeviceB-raguard-policy-policy1] if-match hop-limit maximum 120

# Set the minimum advertised hop limit to 100 for the RA guard policy.

[DeviceB-raguard-policy-policy1] if-match hop-limit minimum 100
[DeviceB-raguard-policy-policy1] quit

# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 10.

[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type access
[DeviceB-GigabitEthernet1/0/1] port access vlan 10
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type access
[DeviceB-GigabitEthernet1/0/2] port access vlan 10
[DeviceB-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/3 to trunk VLAN 10.

[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-GigabitEthernet1/0/3] port trunk permit vlan 10
[DeviceB-GigabitEthernet1/0/3] quit

# Apply the RA guard policy policy1 to VLAN 10.

[DeviceB] vlan 10
[DeviceB-vlan10] ipv6 nd raguard apply policy policy1
[DeviceB-vlan10] quit

# Specify host as the role of the device attached to GigabitEthernet 1/0/1.

[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipv6 nd raguard role host
[DeviceB-GigabitEthernet1/0/1] quit

# Specify router as the role of the device attached to GigabitEthernet 1/0/3.

[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] ipv6 nd raguard role router
[DeviceB-GigabitEthernet1/0/3] quit

Verifying the configuration

# Verify that the device forwards or drops RA messages received on GigabitEthernet 1/0/2 based on the RA guard policy, because no role is specified for the device attached to that port. (Details not shown.)

# Verify that the device drops RA messages received on GigabitEthernet 1/0/1. (Details not shown.)

# Verify that the device forwards RA messages received on GigabitEthernet 1/0/3 to other ports in VLAN 10. (Details not shown.)
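The following Python model of the forwarding decisions verified above is an added example, not device code or vendor output. It decodes the RA fields that policy1 inspects and applies the port roles configured in this example. The short port names, the helper functions, and the rule that an RA must match every criterion in the policy are assumptions of the model.

```python
import struct

# policy1 as configured on this page (all criteria must match: assumption).
POLICY1 = {"max_pref": "high", "m_flag": True, "o_flag": True,
           "hop_min": 100, "hop_max": 120}
# Port roles from this page. GE1/0/2 has no role, so the VLAN policy decides.
ROLES = {"GE1/0/1": "host", "GE1/0/3": "router"}

# RFC 4191 Prf encoding; the reserved value 10 is handled as medium.
PREF_BITS = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
PREF_RANK = {"low": 0, "medium": 1, "high": 2}
RA_HEADER = struct.Struct("!BBHBBHII")  # fixed RA header, RFC 4861 section 4.2


def parse_ra(icmp6: bytes) -> dict:
    """Decode the RA fields that the policy criteria inspect."""
    if len(icmp6) < RA_HEADER.size:
        raise ValueError("truncated RA")
    mtype, code, _csum, hop, flags, _life, _reach, _retrans = RA_HEADER.unpack_from(icmp6)
    if mtype != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    return {"hop_limit": hop, "m_flag": bool(flags & 0x80),
            "o_flag": bool(flags & 0x40), "pref": PREF_BITS[(flags >> 3) & 0b11]}


def ra_guard(port: str, icmp6: bytes, policy=POLICY1, roles=ROLES) -> str:
    """Return 'forward' or 'drop' for an RA received on the given port."""
    role = roles.get(port)
    if role is not None:  # a port role overrides the VLAN policy
        return "forward" if role == "router" else "drop"
    ra = parse_ra(icmp6)
    ok = (PREF_RANK[ra["pref"]] <= PREF_RANK[policy["max_pref"]]
          and ra["m_flag"] == policy["m_flag"]
          and ra["o_flag"] == policy["o_flag"]
          and policy["hop_min"] <= ra["hop_limit"] <= policy["hop_max"])
    return "forward" if ok else "drop"


def build_ra(hop: int, m: int, o: int, pref_bits: int) -> bytes:
    """Constructed sample RA (checksum left at 0, router lifetime 1800 s)."""
    flags = (m << 7) | (o << 6) | (pref_bits << 3)
    return RA_HEADER.pack(134, 0, 0, hop, flags, 1800, 0, 0)


if __name__ == "__main__":
    for port, ra in [("GE1/0/2", build_ra(110, 1, 1, 0b00)),
                     ("GE1/0/2", build_ra(64, 1, 1, 0b00)),   # hop limit below 100
                     ("GE1/0/1", build_ra(110, 1, 1, 0b00)),
                     ("GE1/0/3", build_ra(64, 0, 0, 0b01))]:
        print(port, parse_ra(ra), ra_guard(port, ra))
```

An RA that advertises hop limit 64 falls outside the 100 to 120 range in policy1, so on GigabitEthernet 1/0/2 it is dropped even when both flags match.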