Operating notes for RA Guard
- When a logical trunk port is enabled, all members of the trunk are enabled for RA Guard. Likewise, when a logical trunk port is disabled (no ipv6 ra-guard ports <trunk-port>), all members of the trunk are disabled for RA Guard.
- When ports are configured for RA Guard, hardware resources are allocated. If there are not enough hardware resources, this message displays:
  Commit failed
- When debug logging is enabled (ipv6 ra-guard ports <port-list> log), the RA and redirect packets are sent to the CPU, which can be CPU-intensive. This message displays:
  The log option uses a lot of CPU and should be used only for short periods of time.
The debug security ra-guard command is used to filter and display RA Guard debug log messages.
Use the show ipv6 ra-guard command to display configuration and statistical information about RA Guard.
Configuration and statistics for RA Guard
Switch (config)# show ipv6 ra-guard

IPv6 RA Guard Information

 Port  Block  RAs Blocked Redirs Blocked Log
 ----- ------ ----------- -------------- ---
 1     No     0           0              No
 2     No     0           0              No
 3     No     0           0              No
 4     No     0           0              No
 5     No     0           0              No
 6     Yes    123         450            Yes
 7     No     0           0              No
 8     No     0           0              No
When RA Guard is enabled, there will be one or two lines displayed in the running config file.
Running config file showing line for RA-Guard
Switch(config)# show running-config

Running configuration:

; Jxxxxx Configuration Editor; Created on release #xx.16.xx.0000
; Ver #02.01.0f:0c
hostname "Switch"
module 1 type Jxxxxx
module 2 type Jxxxxx
module 3 type Jxxxxx
no stack auto-join
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-4, 7-48, A1-A4
   ipv6 address fe80::2 link-local
   ip address dhcp-bootp
   ipv6 enable
   no untagged 5-6
   exit
vlan 2
   name "VLAN2"
   untagged 5-6
   ip address 10.10.10.1 255.255.255.0
   exit
power-over-ethernet pre-std-detect
sflow 3 destination 3fff::3
ipv6 unicast-routing
ipv6 ra-guard ports 6 log

RA Guard is enabled on port 6; logging is enabled.