The routing switches covered by this guide support IPv6 RA configuration and transmission based on RFC 4861, “Neighbor Discovery for IP Version 6 (IPv6)” and RFC 4862, “IPv6 Stateless Address Autoconfiguration”.
IPv6 RAs on a VLAN provide the neighbor discovery policy the system administrator has configured for devices running in IPv6 host mode with address autoconfiguration enabled. RAs also enable hosts on a VLAN to build a list of default (reachable) routers on that VLAN.
An IPv6 routing switch configured as a member of a given VLAN transmits RAs for use by hosts on the VLAN. It also transmits unscheduled RAs in response to router solicitations received from IPv6 hosts on the VLAN. The values a host receives in an RA are applied to settings that have not already been configured on the host by the system operator. (Values in an RA can also replace host settings that were learned from a previous RA.)
When IPv6 unicast routing is enabled, RAs are transmitted by default on VLANs enabled for IPv6 and configured with an IPv6 link-local address, unless RA transmission has been explicitly suppressed. RA configuration includes:
Advertisement Value | Default | Page |
---|---|---|
managed flag (M-bit) | Not set | VLAN context Neighbor Discovery (ND) configuration |
other-config-flag (O-bit) | Not set | VLAN context Neighbor Discovery (ND) configuration |
prefix | The prefix of any global unicast IPv6 address configured on the VLAN interface[a] | Configuring the global unicast prefix and lifetime for hosts on a VLAN |
length | N/A; based on existing configuration | — |
valid lifetime | 2,592,000 seconds (30 days) | — |
preferred lifetime | 604,800 seconds (7 days) | — |
autoconfig (A-bit) | Set (host autoconfig enabled) | — |
on-link (L-bit) | Set (use prefix on subject VLAN) | — |
RA transmission interval | — | |
maximum | 600 seconds | Configuring the range for intervals between RA transmissions on a VLAN |
minimum | 200 seconds | Configuring the range for intervals between RA transmissions on a VLAN |
current hop limit | 64 | Setting or changing the hop-limit for host-generated packets |
default lifetime | 1800 seconds (3 x max. transmission interval) | Setting or changing the default router lifetime |
reachable time | Unspecified (0) | Changing the reachable time duration for neighbors |
retransmission timer | Unspecified (0) | Setting or changing the neighbor discovery retransmit timer |

[a] Default operation excludes prefixes of stateless autoconfigured addresses.
- Enabling IPv6 unicast routing on a routing switch initiates transmission of RAs on active, IPv6-enabled VLANs unless RA transmission has been suppressed.
- A host response to an RA depends on how the host implements IPv6. Generally, settings in an RA received by a host replace settings received from an earlier RA. Settings configured directly on a host by an operator may override values received in an RA for the same settings.
- When a host receives a default "unspecified" value in an RA, the host applies either its own current setting for that value, or the defaults specified in RFC 4861 or other applicable RFCs, depending on how IPv6 is implemented in the host.
- The M-bit and O-bit flags enable RAs to be configured either to act as the sole source of host addressing and related settings, or to direct the host to use a DHCPv6 server for some or all such settings.

- Is there a role for a DHCPv6 server in host configuration on a given VLAN, and what host services and policy will be configured?
  Affects M-bit and O-bit options (see VLAN context Neighbor Discovery (ND) configuration).
- What is the ND policy that should be advertised?
  Includes hop-limit for host-generated traffic, the default router period, neighbor reachable time, and retransmit time for neighbor solicitations.
- What prefixes should be advertised, and what prefixes should be suppressed?
  Prefixes configured on the routing switch VLAN interface will be included in RAs on that VLAN unless specifically denied.
- What should be the maximum and minimum intervals (in seconds) for transmitting RAs?
- Are there any VLANs on the routing switch where RAs should be suppressed?
- Will multiple routing devices be used to send RAs on a VLAN?

When IPv6 unicast routing is enabled on the routing switch, RAs are transmitted on all IPv6-enabled VLANs unless explicitly suppressed globally or per-VLAN.
The following steps provide a general outline for configuring the routing switch for non-default RA operation on all IPv6-enabled VLANs:

- Enable IPv6 unicast routing. (This must be enabled to allow configuration of other routing protocols.)
  (This command enables RA transmission on any VLAN where RAs are not specifically suppressed.)
- Configure the desired per-VLAN RA operation:
  - Use the M-bit and O-bit settings to specify the source for IPv6 host configuration; see VLAN context Neighbor Discovery (ND) configuration.
  - Configure global unicast prefix assignments; see Configuring the global unicast prefix and lifetime for hosts on a VLAN:
    - Specify any prefixes not configured on the routing switch VLAN interface that should be transmitted in RAs to IPv6 hosts on the VLAN.
    - Deny any prefixes configured on the routing switch VLAN interface that should not be transmitted in RAs to IPv6 hosts on the VLAN. (Default: Global unicast prefixes configured on the routing switch VLAN interface are included in RAs.)
  - Configure the maximum and minimum interval for transmitting RAs on the VLAN; see Configuring the range for intervals between RA transmissions on a VLAN.
    NOTE: The routing switch also transmits RAs when it receives router solicitations from a host. Autoconfiguration must be enabled on the host before it will generate router solicitations on the VLAN.
  - Configure the ND policy for hosts on the VLAN to use:
    - hop-limit (default: 64; see Setting or changing the hop-limit for host-generated packets)
    - Default router lifetime (default: 1800 seconds; see Setting or changing the default router lifetime)
    - Reachable time duration to advertise for confirmed neighbors (default: unspecified (0); see Changing the reachable time duration for neighbors)
    - Retransmit time to advertise for neighbor solicitations (default: unspecified (0); see Setting or changing the neighbor discovery retransmit timer)
  - Configure per-VLAN RA suppression for any VLAN on which you do not want the routing switch to transmit RAs. (See Viewing the RA configuration.)

Multiple routing switches transmitting RAs on the same VLAN can provide redundancy. Typically, a host identifies the first router from which it receives an RA as the default router. The host uses any RAs received later from other routers to identify backup default routers.
While advertised prefixes can be different, the per-VLAN RA policy should be the same for all routers transmitting RAs on a given VLAN. This includes the following parameters:

- managed-config-flag (M-bit)
- other-config-flag (O-bit)
- default router lifetime
- hop-limit
- reachable-time for neighbors
- retransmit time for neighbor solicitations

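
To check that two routers on a VLAN really advertise the same policy, their RAs can be decoded and compared field by field. The following is an added example, not code from the switch documentation: it parses the RFC 4861 RA layout (M-bit, O-bit, hop limit, default router lifetime, reachable time, retransmit timer and Prefix Information options) and reports which of the parameters listed above differ. The dictionary keys, the `build_ra` helper and the two sample messages are constructed for illustration.

```python
import ipaddress
import struct

ICMPV6_RA = 134        # ICMPv6 type of a router advertisement
OPT_PREFIX_INFO = 3    # Prefix Information option (RFC 4861)
# Parameters that should match on every router sending RAs on a VLAN.
POLICY_FIELDS = ("managed-config-flag", "other-config-flag", "lifetime",
                 "hop-limit", "reachable-time", "retransmit-time")


def parse_ra(msg: bytes) -> dict:
    """Decode an ICMPv6 RA, starting at the ICMPv6 type byte."""
    if len(msg) < 16 or msg[0] != ICMPV6_RA:
        raise ValueError("not a router advertisement")
    hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", msg[4:16])
    ra = {"hop-limit": hop,
          "managed-config-flag": bool(flags & 0x80),  # M-bit
          "other-config-flag": bool(flags & 0x40),    # O-bit
          "lifetime": lifetime,                       # default router lifetime (s)
          "reachable-time": reachable,                # ms, 0 = unspecified
          "retransmit-time": retrans,                 # ms, 0 = unspecified
          "prefixes": {}}
    off = 16
    while off < len(msg):
        if off + 2 > len(msg):
            raise ValueError("truncated option header")
        opt_type, opt_len = msg[off], msg[off + 1] * 8  # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(msg):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags, valid, preferred = struct.unpack(
                "!BBII", msg[off + 2:off + 12])
            net = ipaddress.IPv6Network((msg[off + 16:off + 32], plen), strict=False)
            ra["prefixes"][str(net)] = {
                "on-link": bool(pflags & 0x80),      # L-bit
                "autoconfig": bool(pflags & 0x40),   # A-bit
                "valid-lifetime": valid, "preferred-lifetime": preferred}
        off += opt_len
    return ra


def policy_mismatches(a: dict, b: dict) -> list:
    """Names of the shared-policy fields on which two parsed RAs differ."""
    return [f for f in POLICY_FIELDS if a[f] != b[f]]


def build_ra(hop, flags, lifetime, reachable, retrans, prefix, valid, preferred):
    """Build a constructed sample RA with one prefix option (checksum left 0)."""
    net = ipaddress.IPv6Network(prefix)
    head = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop, flags,
                       lifetime, reachable, retrans)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      valid, preferred, 0)
    return head + opt + net.network_address.packed


# Constructed samples: router A sends the page's default values, router B has
# the M-bit set and a different default router lifetime.
RA_A = build_ra(64, 0x00, 1800, 0, 0, "2001:db8:0:f::/64", 2592000, 604800)
RA_B = build_ra(64, 0x80, 9000, 0, 0, "2001:db8:0:b::/64", 2592000, 604800)

if __name__ == "__main__":
    print(parse_ra(RA_A))
    print("policy mismatches:", policy_mismatches(parse_ra(RA_A), parse_ra(RA_B)))
```

The advertised prefixes differ between the two samples, which the text above allows; only the shared policy fields are compared.
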
Syntax:
Global config command to suppress transmission of IPv6 RAs on all VLANs configured on the routing switch. Overrides RAs enabled per-VLAN.
The no form of the command globally disables RA suppression. Note that globally enabling RAs on the routing switch does not override per-VLAN RA suppression (using the ipv6 nd ra suppress command in a VLAN context). See Suppressing RAs on a VLAN.
Syntax:
Syntax:
managed-config-flag
: Controls the M-bit setting in RAs the router transmits on the current VLAN. Enabling the M-bit directs clients to acquire their IPv6 addressing and ND host configuration information for the current VLAN interface from a DHCPv6 server.
other-config-flag
: Ignored unless the M-bit (above) is disabled in RAs. Controls the O-bit in RAs the router transmits on the current VLAN. Enabling the O-bit while the M-bit is disabled directs hosts on the VLAN to acquire their ND configuration settings from a DHCPv6 server and their global unicast prefixes from the RA.
The no form of either command turns off (disables) the setting for that command in RAs.
NOTE: In the default configuration, both the M-bit and the O-bit are disabled, and a host receiving the RA must acquire its prefix and ND configuration from the RA itself and not from a DHCPv6 server.
The interval between RA transmissions on a VLAN is a random value that changes every time an RA is sent. The interval is calculated to be a value between the current max-interval and min-interval settings described below.
Syntax:
Syntax:
VLAN context commands for changing the maximum and minimum intervals between transmissions of IPv6 RAs on the VLAN. These values have one setting per VLAN and do not apply to RAs sent in response to a router solicitation received from another device.
max-interval
: Must be equal to or less than the configured lifetime setting. Attempting to set max-interval to a value greater than the configured lifetime setting results in an error message.
The no form of the max-interval command returns the setting to its default, provided the default value is less than or equal to 75% of the new maximum interval you are setting.
Attempting to set max-interval to a value that is not sufficiently larger than the current min-interval also results in an error message.
min-interval
: Must be less than or equal to 75% of max-interval. Attempting to set min-interval to a higher value results in an error message.
Syntax:
hop-limit
: VLAN-context command to specify the hop-limit a host includes in the packets it transmits.
Syntax:
lifetime
: VLAN-context command for configuring the lifetime in seconds for the routing switch to be used as a default router by hosts on the current VLAN. This setting must be configured to a value greater than or equal to the max-interval setting.
A given host on a VLAN refreshes the default router lifetime for a specific router each time the host receives an RA from that router. A specific router ceases to be a default router candidate for a given host if the default router lifetime expires before the host is updated with a new RA from the router.
A setting of 0 (unspecified) for default router lifetime in an RA indicates that the routing switch is not a default router on the subject VLAN.
Default: 3 times the ra max-interval setting. Range: unspecified 0 – 9000 seconds
Syntax:
reachable-time
: VLAN-context command that sets the reachable time duration all hosts on the VLAN apply to a given neighbor after receiving a reachability confirmation from that neighbor. This value is used to ensure a uniform reachable time among hosts on the VLAN by replacing the individually configured settings on various hosts on the VLAN.
Syntax:
Syntax:
Used on VLAN interfaces to advertise the period (retransmit timer) in milliseconds between ND solicitations sent by a host for an unresolved destination, or between DAD neighbor solicitation requests. Increasing this setting is indicated where neighbor solicitation retries or failures are occurring, or in a "slow" (WAN) network.
1000–4294967295
: An advertised setting in this range replaces the corresponding, locally configured setting in hosts on the VLAN.
unspecified
: Sets the retransmit timer value in RAs to zero, which causes the hosts on the VLAN to use their own locally configured NS-interval settings instead of using the value received in the RAs.
The no form returns the setting to its default.
Default: unspecified (0); Range: 1000–4294967295 ms
These commands define the content of RAs transmitted on a VLAN.
Syntax:
[no] ipv6 nd ra prefix <ipv6-prefix|prefix-len> <<valid-lifetime> <preferred-lifetime> | at <valid-date> <preferred-date> | infinite | no-advertise> [no-autoconfig] [off-link]
Syntax:
[no] ipv6 nd ra prefix default <<valid-lifetime> <preferred-lifetime> | at <valid-date> <preferred-date> | infinite | no-advertise> [no-autoconfig] [off-link]
VLAN-context command for specifying prefixes for the routing switch to include in RAs transmitted on the VLAN. IPv6 hosts use the prefixes in RAs to autoconfigure themselves with global unicast addresses. A host's autoconfigured address is composed of the advertised prefix and the interface identifier in the host's current link-local address.
Options:
valid-lifetime
: The total time the prefix remains available before becoming unusable. After preferred-lifetime expiration, any autoconfigured address is deprecated and used only for transactions that began before the preferred-lifetime expired. If the valid lifetime also expires, the address becomes unusable. Default: 2,592,000 seconds (30 days); Range: 0–4294967295 seconds.
preferred-lifetime
: The span of time during which the address can be freely used as a source and destination for traffic. This setting must be less than or equal to the corresponding valid-lifetime setting. Default: 604,800 seconds (7 days); Range: 0–4294967295 seconds.
NOTE: The valid and preferred lifetimes designated in this command are fixed values. Each successive transmission of the same RA contains the same valid and preferred lifetimes.
For more information on valid and preferred lifetimes, see Address lifetimes.
default
: Applied to all on-link prefixes that are not individually set by the ipv6 ra prefix command. It applies the same valid and preferred lifetimes, link state, autoconfiguration state, and advertise options to the advertisements sent for all on-link prefixes that are not individually configured with a unique lifetime. This also applies to the prefixes for any global unicast addresses configured later on the same VLAN.
Using default once, and then using it again with any new values, results in the new values replacing the former values in advertisements.
If default is used without the no-advertise, no-autoconfig, or the off-link keyword, the advertisement setting for the absent keyword is returned to its default setting.
NOTE: To configure a prefix as off-link or no-autoconfig, you must enter unique valid and preferred lifetimes with the prefix command (instead of the default command).
ipv6-prefix / prefix-len
: Specifies the prefixes to advertise on the subject VLAN. A separate instance of the command must be used for each prefix to advertise.
infinite
: Specifies that the prefix lifetime will not expire. This option sets the valid and preferred lifetimes to infinity. (All bits set to 1; ffffffff.)
no-advertise
: Specifies no advertisement for the prefix. For example, if the routing switch's VLAN interface is configured with any prefixes that you do not want advertised on the VLAN, use this command to specify the prefixes to withhold from advertisements on the subject VLAN. Default: Advertising enabled.
no-autoconfig
: Disables host autoconfiguration by turning off the A-bit in RAs. This requires hosts to acquire prefixes through manual or DHCPv6 assignments. Depending on the host implementation, a host that was previously configured by an RA to use autoconfiguration will not be affected by a later RA that includes no-autoconfig (unless the host disconnects and reconnects to the network). To re-enable host autoconfiguration (turn on the A-bit in RAs) for a given RA, use ipv6 nd ra prefix again, without invoking no-autoconfig. Default: A-bit turned on (host autoconfig turned on).
off-link
: Sets the (L-bit) prefix information in an RA to indicate that the advertised prefix is not on the subject VLAN. A host that was previously configured using an RA without off-link will not be affected by a later RA that includes off-link (unless the host disconnects and reconnects to the network). Can be used in instances where the prefix is being deprecated, and you do not want any newly brought up hosts to use the prefix. Default: L-bit turned off.
The no form of the command deletes the specified prefix from RAs.
The table below lists the global unicast addresses configured on a VLAN, with original and updated settings configured using the default command.

Address or prefix | Interface | Original lifetime & autoconfig | Updated lifetime & autoconfig | Advertise on VLAN 100? |
---|---|---|---|---|
2001:db8:0:f::f1/64 | VLAN 100 | 15 days, 14 days; Auto: Yes (set in "Using the default command to configure and update prefix advertisements") | 30 days, 25 days; Auto: No (changed in "Using the default command to configure and update prefix advertisements") | Yes |
2001:db8:0:b::b1/64 | VLAN 100 | | | |
2001:db8:0:c::c1/64 | VLAN 100 | | | |
2001:db8:0:d::d1/64 | VLAN 100 | | | |
2001:db8:0:a::/64 | Off-Link | 12/31/2010 at 00:00:01, 12/20/2010 at 00:00:01; Auto: Yes | not updated | |

Using the default command to configure and update prefix advertisements

```
HP Switch(config)# vlan 100
HP Switch(vlan-100)# ipv6 address 2001:db8:0:f::f1/64
HP Switch(vlan-100)# ipv6 address 2001:db8:0:b::b1/64
HP Switch(vlan-100)# ipv6 address 2001:db8:0:c::c1/64
HP Switch(vlan-100)# ipv6 nd ra prefix default 1296000 1209600
HP Switch(vlan-100)# show ipv6 nd ra prefix vlan 100

 IPv6 Neighbor Discovery Prefix Information

  VLAN Name : VLAN100

  IPv6 Prefix        : Default
  Valid Lifetime     : 15 days
  Preferred Lifetime : 14 days
  On-link Flag       : On
  Autonomous Flag    : On
  Advertise Flag     : On

HP Switch(vlan-100)# ipv6 address 2001:db8:0:d::d1/64
HP Switch(vlan-100)# ipv6 nd ra prefix 2001:db8:0:d::/64 infinite no-autoconfig
HP Switch(vlan-100)# ipv6 nd ra prefix 2001:db8:0:a::/64 at 12/31/2010 00:00:01 12/20/2010 00:00:01 off-link
HP Switch(vlan-100)# show ipv6 nd ra prefix vlan 100

 IPv6 Neighbor Discovery Prefix Information

  VLAN Name : VLAN100

  IPv6 Prefix        : Default
  Valid Lifetime     : 15 days
  Preferred Lifetime : 14 days
  On-link Flag       : On
  Autonomous Flag    : On
  Advertise Flag     : On

  IPv6 Prefix        : 2001:db8:0:a::/64
  Valid Lifetime     : 12/31/2010 00:00:01
  Preferred Lifetime : 12/20/2010 00:00:01
  On-link Flag       : Off
  Autonomous Flag    : On
  Advertise Flag     : On

  IPv6 Prefix        : 2001:db8:0:d::/64
  Valid Lifetime     : Infinite
  Preferred Lifetime : Infinite
  On-link Flag       : On
  Autonomous Flag    : Off
  Advertise Flag     : On

HP Switch(vlan-100)# ipv6 nd ra prefix default 2592000 2160000 no-autoconfig
HP Switch(vlan-100)# show ipv6 nd ra prefix vlan 100

 IPv6 Neighbor Discovery Prefix Information

  VLAN Name : VLAN100

  IPv6 Prefix        : Default
  Valid Lifetime     : 30 days
  Preferred Lifetime : 25 days
  On-link Flag       : On
  Autonomous Flag    : Off
  Advertise Flag     : On

  IPv6 Prefix        : 2001:db8:0:a::/64
  Valid Lifetime     : 12/31/2010 00:00:01
  Preferred Lifetime : 12/20/2010 00:00:01
  On-link Flag       : Off
  Autonomous Flag    : On
  Advertise Flag     : On

  IPv6 Prefix        : 2001:db8:0:d::/64
  Valid Lifetime     : Infinite
  Preferred Lifetime : Infinite
  On-link Flag       : On
  Autonomous Flag    : Off
  Advertise Flag     : On
```

The RA Guard feature restricts the ports (or trunks) that can accept IPv6 RAs. Additionally, ICMPv6 router redirects are blocked on the configured ports.
Only physical ports and trunk ports are supported. Dynamic ports, dynamic trunks, and mesh ports are not supported.
NOTE: IPv6 RAs are ICMPv6 type 134 messages and may be sent to either the “all nodes” multicast address (FF02:0:0:0:0:0:0:1) or to the address of the device itself as a result of an IPv6 router solicitation. IPv6 router redirect messages are ICMPv6 type 137 messages. They are sent to the source address of the packet that triggered the redirect.
Syntax:
- When a logical trunk port is enabled, all members of the trunk are enabled for RA Guard. Likewise, when a logical trunk port is disabled (no ipv6 ra-guard ports <trunk-port>), all members of the trunk are disabled for RA Guard.
- When ports are configured for RA Guard, hardware resources are allocated. If there are not enough hardware resources, this message displays:
  Commit failed
- When debug logging is enabled (ipv6 ra-guard ports <port-list> log), the RA and redirect packets are sent to the CPU, which can be CPU-intensive. This message displays:
  The log option uses a lot of CPU and should be used only for short periods of time.
- The debug security ra-guard command is used to filter and display RA Guard debug log messages.

Use the show ipv6 ra-guard command to display configuration and statistical information about RA Guard.
Configuration and statistics for RA Guard

```
HP Switch (config)# show ipv6 ra-guard

 IPv6 RA Guard Information

  Port  Block  RAs Blocked Redirs Blocked Log
  ----- ------ ----------- -------------- ---
  1     No     0           0              No
  2     No     0           0              No
  3     No     0           0              No
  4     No     0           0              No
  5     No     0           0              No
  6     Yes    123         450            Yes
  7     No     0           0              No
  8     No     0           0              No
```
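
The counters in this output are worth reviewing regularly: a non-zero count on a guarded port means something behind it is sending RAs or redirects. The following added example (not part of the switch documentation) parses output in this layout and reports host-facing ports without RA Guard, ports with blocked traffic, and ports where the CPU-intensive log option is still on. The `router_ports` parameter and the sample text are assumptions constructed for illustration.

```python
import re

# One data row: Port, Block, RAs Blocked, Redirs Blocked, Log.
ROW = re.compile(r"^\s*(\S+)\s+(Yes|No)\s+(\d+)\s+(\d+)\s+(Yes|No)\s*$")

# Constructed sample in the layout of the `show ipv6 ra-guard` output.
SAMPLE = """\
HP Switch (config)# show ipv6 ra-guard

 IPv6 RA Guard Information

  Port  Block  RAs Blocked Redirs Blocked Log
  ----- ------ ----------- -------------- ---
  1     No     0           0              No
  5     No     0           0              No
  6     Yes    123         450            Yes
  7     Yes    0           0              No
"""


def audit_ra_guard(output: str, router_ports: set) -> dict:
    """Summarise RA Guard state from `show ipv6 ra-guard` output.

    router_ports is an assumption of this example: the ports where legitimate
    routers attach. Every other port is treated as host-facing.
    """
    report = {"unguarded": [], "blocked": {}, "logging": []}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, banner, header and separator lines
        port, block, ras, redirs, log = m.groups()
        if block == "No" and port not in router_ports:
            report["unguarded"].append(port)       # host port that accepts RAs
        if int(ras) or int(redirs):
            report["blocked"][port] = (int(ras), int(redirs))
        if log == "Yes":
            report["logging"].append(port)         # should be on only briefly
    return report


if __name__ == "__main__":
    print(audit_ra_guard(SAMPLE, router_ports={"1"}))
```
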
When RA Guard is enabled, there will be one or two lines displayed in the running config file.
Running config file showing line for RA-Guard
```
HP Switch(config)# show running-config

Running configuration:

; Jxxxxx Configuration Editor; Created on release #xx.16.xx.0000
; Ver #02.01.0f:0c

hostname "HP Switch"
module 1 type Jxxxxx
module 2 type Jxxxxx
module 3 type Jxxxxx
no stack auto-join
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-4, 7-48, A1-A4
   ipv6 address fe80::2 link-local
   ip address dhcp-bootp
   ipv6 enable
   no untagged 5-6
   exit
vlan 2
   name "VLAN2"
   untagged 5-6
   ip address 10.10.10.1 255.255.255.0
   exit
power-over-ethernet pre-std-detect
sflow 3 destination 3fff::3
ipv6 unicast-routing
ipv6 ra-guard ports 6 log
```