RA guard configuration example
Network requirements
As shown in Figure 141, GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Device B are in VLAN 10.
Configure RA guard on Device B to filter forged and unwanted RA messages.
Configure an RA policy in VLAN 10 for GigabitEthernet 1/0/2 to filter all RA messages received from the unknown device.
Specify host as the role of the host attached to GigabitEthernet 1/0/1. All RA messages received on GigabitEthernet 1/0/1 are dropped.
Specify router as the role of Device A. All RA messages received on GigabitEthernet 1/0/3 are forwarded.
Figure 141: Network diagram
Configuration procedure
# Create an RA guard policy named policy1.
<DeviceB> system-view
[DeviceB] ipv6 nd raguard policy policy1
# Set the maximum router preference to high for the RA guard policy.
[DeviceB-raguard-policy-policy1] if-match router-preference maximum high
# Specify on as the M flag match criterion for the RA guard policy.
[DeviceB-raguard-policy-policy1] if-match autoconfig managed-address-flag on
# Specify on as the O flag match criterion for the RA guard policy.
[DeviceB-raguard-policy-policy1] if-match autoconfig other-flag on
# Set the maximum advertised hop limit to 120 for the RA guard policy.
[DeviceB-raguard-policy-policy1] if-match hop-limit maximum 120
# Set the minimum advertised hop limit to 100 for the RA guard policy.
[DeviceB-raguard-policy-policy1] if-match hop-limit minimum 100
[DeviceB-raguard-policy-policy1] quit
# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 10.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type access
[DeviceB-GigabitEthernet1/0/1] port access vlan 10
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type access
[DeviceB-GigabitEthernet1/0/2] port access vlan 10
[DeviceB-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 to trunk VLAN 10.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-GigabitEthernet1/0/3] port trunk permit vlan 10
[DeviceB-GigabitEthernet1/0/3] quit
# Apply the RA guard policy policy1 to VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] ipv6 nd raguard apply policy policy1
[DeviceB-vlan10] quit
# Specify host as the role of the device attached to GigabitEthernet 1/0/1.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipv6 nd raguard role host
[DeviceB-GigabitEthernet1/0/1] quit
# Specify router as the role of the device attached to GigabitEthernet 1/0/3.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] ipv6 nd raguard role router
[DeviceB-GigabitEthernet1/0/3] quit
Verifying the configuration
# Verify that the device forwards or drops RA messages received on GigabitEthernet 1/0/2 based on the RA guard policy. (Details not shown.)
# Verify that the device drops RA messages received on GigabitEthernet 1/0/1. (Details not shown.)
# Verify that the device forwards RA messages received on GigabitEthernet 1/0/3 to other ports in VLAN 10. (Details not shown.)
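To work out the expected result of each verification step before testing on the device, the following added Python model (not part of the original guide and not device code) decodes an RA header and applies the port roles and policy1 criteria configured above. It assumes an RA on a port without a role is forwarded only if it matches every criterion in the policy; the short port labels and all function names are hypothetical.

```python
import struct

# Match criteria copied from policy1 on this page.
POLICY1 = {"max_pref": "high", "m_flag": True, "o_flag": True,
           "hop_min": 100, "hop_max": 120}
# Port roles from this page. GE1/0/2 has no role, so the VLAN 10 policy decides.
ROLES = {"GE1/0/1": "host", "GE1/0/3": "router"}

PREF_RANK = {"low": 0, "medium": 1, "high": 2}
# Prf bit encoding from RFC 4191; the reserved value 10 is treated as medium.
PRF_BITS = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}

def parse_ra(icmp6: bytes) -> dict:
    """Decode the fields of an ICMPv6 Router Advertisement that policy1 inspects."""
    if len(icmp6) < 16:
        raise ValueError("truncated RA")
    msg_type, code, _cksum, hop, flags, _lifetime = struct.unpack("!BBHBBH", icmp6[:8])
    if msg_type != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    return {"hop_limit": hop, "m_flag": bool(flags & 0x80),
            "o_flag": bool(flags & 0x40), "pref": PRF_BITS[(flags >> 3) & 0b11]}

def policy_failures(ra: dict, policy: dict) -> list:
    """Return the names of the if-match criteria the RA fails (empty list = match)."""
    fails = []
    if PREF_RANK[ra["pref"]] > PREF_RANK[policy["max_pref"]]:
        fails.append("router-preference")
    if ra["m_flag"] != policy["m_flag"]:
        fails.append("managed-address-flag")
    if ra["o_flag"] != policy["o_flag"]:
        fails.append("other-flag")
    if not policy["hop_min"] <= ra["hop_limit"] <= policy["hop_max"]:
        fails.append("hop-limit")
    return fails

def decide(port: str, icmp6: bytes) -> tuple:
    """Port role wins; a port with no role falls through to the VLAN policy."""
    role = ROLES.get(port)
    if role in ("host", "router"):
        return ("drop" if role == "host" else "forward", ["role " + role])
    fails = policy_failures(parse_ra(icmp6), POLICY1)  # assumption: all criteria must match
    return ("drop", fails) if fails else ("forward", [])

def build_ra(hop: int, m: bool, o: bool, prf: int) -> bytes:
    """Construct a sample RA header (constructed test data, checksum left at 0)."""
    flags = (0x80 if m else 0) | (0x40 if o else 0) | (prf << 3)
    return struct.pack("!BBHBBHII", 134, 0, 0, hop, flags, 1800, 0, 0)
```

For example, `decide("GE1/0/2", build_ra(64, False, True, 0b00))` reports a drop and lists the failed criteria, which is the kind of RA to inject from the unknown device when checking the policy path.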