Operating notes for RA guard

  • When a logical trunk port is enabled, all members of the trunk are enabled for RA Guard. Likewise, when a logical trunk port is disabled (no ipv6 ra-guard ports <trunk-port>), all members of the trunk are disabled for RA Guard.

  • When ports are configured for RA Guard, hardware resources are allocated. If there are not enough hardware resources, this message displays:
    Commit failed
  • When debug logging is enabled (ipv6 ra-guard ports <port-list> log), the RA and redirect packets are sent to the CPU, which can be CPU-intensive. This message displays:
    The log option uses a lot of CPU and should be used only for short periods of time.
  • The debug security ra-guard command is used to filter and display RA Guard debug log messages.

Use the show ipv6 ra-guard command to display configuration and statistical information about RA Guard.

Configuration and statistics for RA Guard

Switch (config)# show ipv6 ra-guard

 IPv6 RA Guard Information

  Port   Block  RAs Blocked Redirs Blocked Log
  -----  ------ ----------- -------------- ---
  1      No     0           0              No 
  2      No     0           0              No 
  3      No     0           0              No 
  4      No     0           0              No 
  5      No     0           0              No 
  6      Yes    123         450            Yes 
  7      No     0           0              No 
  8      No     0           0              No 
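
The counters and the Log column in this output are the two things worth checking on a schedule: a rising blocked count means RAs or redirects are arriving on a guarded port, and a Log value of Yes means packets are still being sent to the CPU. The following is an added example, not part of the vendor documentation; the function names and the `previous` snapshot argument are hypothetical, and the sample text is constructed from the output above.

```python
import re

# Constructed sample in the format of the `show ipv6 ra-guard` output above.
SAMPLE = """\
 IPv6 RA Guard Information

  Port   Block  RAs Blocked Redirs Blocked Log
  -----  ------ ----------- -------------- ---
  1      No     0           0              No
  5      No     0           0              No
  6      Yes    123         450            Yes
  7      No     0           0              No
"""

# One table row: port, Block (Yes/No), RA count, redirect count, Log (Yes/No).
ROW = re.compile(r"^\s*(\S+)\s+(Yes|No)\s+(\d+)\s+(\d+)\s+(Yes|No)\s*$")

def parse_ra_guard(text):
    """Return one dict per port row; banner, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, block, ras, redirs, log = m.groups()
            rows.append({"port": port, "block": block == "Yes",
                         "ras_blocked": int(ras), "redirs_blocked": int(redirs),
                         "log": log == "Yes"})
    return rows

def delta(current, old):
    """Growth since the last poll; a lower value means the counter was reset."""
    return current - old if current >= old else current

def review(rows, previous=None):
    """Flag ports to investigate. `previous` maps port -> (ras, redirs) from an earlier poll."""
    previous = previous or {}
    findings = []
    for r in rows:
        old = previous.get(r["port"], (0, 0))
        new_ras = delta(r["ras_blocked"], old[0])
        new_redirs = delta(r["redirs_blocked"], old[1])
        if new_ras or new_redirs:
            findings.append((r["port"], f"blocked {new_ras} RAs, {new_redirs} redirects since last poll"))
        if r["log"]:
            findings.append((r["port"], "log option still enabled (CPU-intensive)"))
    return findings

if __name__ == "__main__":
    print(review(parse_ra_guard(SAMPLE)))
```

Passing the counters from the previous poll as `previous` limits the findings to new blocked packets, so a port that blocked traffic once does not alert forever.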

When RA Guard is enabled, there will be one or two lines displayed in the running config file.

Running config file showing line for RA-Guard

Switch(config)# show running-config

Running configuration:

; Jxxxxx Configuration Editor; Created on release #xx.16.xx.0000
; Ver #02.01.0f:0c

hostname "Switch"
module 1 type Jxxxxx
module 2 type Jxxxxx
module 3 type Jxxxxx
no stack auto-join
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-4, 7-48, A1-A4
   ipv6 address fe80::2 link-local
   ip address dhcp-bootp
   ipv6 enable
   no untagged 5-6
   exit
vlan 2
   name "VLAN2"
   untagged 5-6
   ip address 10.10.10.1 255.255.255.0
   exit
power-over-ethernet pre-std-detect
sflow 3 destination 3fff::3
ipv6 unicast-routing
ipv6 ra-guard ports 6 log

The last line shows that RA Guard is enabled on port 6; logging is enabled.