IPv6 RA Guard–IPv6 router advertisement protection
1. Basic Concepts
The IPv6 RA Guard feature provides support for allowing the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network device platform
2. Limitations of IPv6RA protection
a) This feature does not support protection of IPv6 traffic in tunnels
b) This feature only supports TACM-driven hardware platforms
c) This feature is configured in the inbound direction of the switch interface and does not support the outbound direction
d) This feature supports host mode and router mode
e) This feature does not support Ether Channel and Ether Channel member interfaces
f) This feature does not support merge mode of trunk interface
g) This feature supports PVLAN packets discarded by IPv6 RA protection feature can be SPANNED (captured)
h) Cannot and order
3. IPv6 global policy
IPv6 global policy provides storage and access policy database services. IPv6 neighbor discovery detection and IPv6RA protection are IPv6 global policy features. When neighbor discovery detection or RA protection is configured globally, policy attributes are stored in the software policy database. When the policy is applied to the interface, the software measurement database representation is updated on the interface to which the policy is applied.-https://www.spotodumps.com/p/ccie-coll-lab-cisco-certified-internetwork-expert-collaboration-lab.html
4. IPv6 RA protection
The IPv6 RA protection feature allows administrators to congest or deny incoming network device platforms or unwanted malicious router advertisement protection messages.
RA messages are provided by routers to advertise themselves on the link to provide prefix information to terminal devices. The RA protection feature analyzes these RA messages and filters those RA messages sent by unauthorized devices.
In host mode, RA messages and router redirect messages are not allowed to appear on the port. RA protection is specific compared to the configuration information in the RA frame received on the Layer 2 device. Once the Layer 2 device verifies that the content and configuration in the RA frame and the router redirect message match, it forwards the RA to the unicast or multicast destination land. If the content of the RA frame does not match, the RA packet is discarded
RA attack
An attacker impersonates the gateway to send router advertisement packets (RA) to other users, which will rewrite other users’ ND entries or cause other users to record incorrect IPv6 configuration parameters, causing these users to fail to communicate with the ND Snooping trusted interface.
This type of interface is used to connect to trusted IPv6 nodes. The device normally forwards ND packets received from this type of interface, and the device establishes a prefix management table based on the received RA packets.
ND Snooping Untrusted Interface
This type of interface is used to connect untrusted IPv6 nodes. For the RA packet received from this type of interface, the device considers it to be an illegal packet and directly discards it; For the received NA/NS/RS packet, if the If the validity check function of ND packets is enabled on the interface or the VLAN where the interface resides, the device will check the validity of ND packets according to the
The ND Snooping dynamic binding table checks the binding table matching of NA/NS/RS packets. When the packet does not conform to the binding table relationship, the packet is considered to be an illegal user packet and is discarded directly; other received packets are discarded. Type ND packets, which are normally forwarded by the device