...

When the switch receives an ingress router advertisement (RA) message, it attempts to match the message against the RA guard. If the ingress port has the RA guard applied but is not a trusted port, the applied VLAN ID is matched first. If the RA tag matches the VLAN ID, the RA guard continues matching the remaining conditions to determine whether to forward or drop the RA message. If the RA tag does not match the VLAN ID, the applied interface is matched (followed by the subsequent conditions). An RA guard policy can be configured using the hop-limit, managed-config-flag, other-config-flag, prefix, source-ipv6-addr, and source-mac-addr options.

Code Block
admin@XorPlus# set protocols neighbour ra-guard term 1 from hop-limit 1
admin@XorPlus# set protocols neighbour ra-guard term 1 from managed-config-flag false
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard term 2 from prefix 2001:1:1:1::/64
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard term 3 from source-mac-addr 22:22:22:22:22:22 
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# 

Configuring Trusted-Port

RA guard can be applied to physical interfaces, LAGs, or VLANs. No more than one RA guard can be applied to one interface. RAs are forwarded only if all conditions are matched. However, if "trusted-port" has been configured for the RA guard, RAs are forwarded on the trusted port regardless.

Code Block
admin@XorPlus# set protocols neighbour ra-guard term 1 interface ge-1/1/1
admin@XorPlus# set protocols neighbour ra-guard term 1 interface ae1
admin@XorPlus# set protocols neighbour ra-guard term 1 vlan-id 2
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard term 2 trusted-port ge-1/1/1
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard term 2 vlan-id 3
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus#
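
A small Python model of the decision order described above (trusted port, then VLAN ID, then applied interface, then all conditions), added here as an illustration and not PicOS code. The class and function names, the exact-prefix comparison, and the "not-applicable" result for an RA that matches neither the VLAN nor an interface are assumptions; the RA values are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Term:
    """Model of one ra-guard term; fields mirror the CLI options shown on this page."""
    hop_limit: Optional[int] = None
    managed_config_flag: Optional[bool] = None
    prefix: Optional[str] = None
    source_mac_addr: Optional[str] = None
    interfaces: frozenset = frozenset()
    vlan_id: Optional[int] = None
    trusted_ports: frozenset = frozenset()

@dataclass
class RA:
    """Constructed stand-in for a received RA (not a packet parser)."""
    port: str
    vlan: int
    hop_limit: int
    managed: bool
    prefixes: tuple
    src_mac: str

def conditions_match(term, ra):
    """Every configured condition must match; unset conditions are skipped."""
    if term.hop_limit is not None and ra.hop_limit != term.hop_limit:
        return False
    if term.managed_config_flag is not None and ra.managed != term.managed_config_flag:
        return False
    if term.source_mac_addr and ra.src_mac.lower() != term.source_mac_addr.lower():
        return False
    if term.prefix is not None:
        allowed = ipaddress.ip_network(term.prefix)
        # Assumption: each advertised prefix must equal the configured one.
        if any(ipaddress.ip_network(p) != allowed for p in ra.prefixes):
            return False
    return True

def decide(term, ra):
    if ra.port in term.trusted_ports:
        return "forward"  # trusted port: forwarded regardless of conditions
    # The VLAN ID is checked first, then the applied interface.
    if ra.vlan != term.vlan_id and ra.port not in term.interfaces:
        return "not-applicable"  # assumption: guard is not bound to this RA's path
    return "forward" if conditions_match(term, ra) else "drop"

# Terms 1 and 2 as configured in the code blocks on this page.
TERM1 = Term(hop_limit=1, managed_config_flag=False,
             interfaces=frozenset({"ge-1/1/1", "ae1"}), vlan_id=2)
TERM2 = Term(prefix="2001:1:1:1::/64", trusted_ports=frozenset({"ge-1/1/1"}), vlan_id=3)
```
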



 

Displaying RA Guards

Code Block
admin@XorPlus# run show ra-guard
Ra-guard: 1
    cur hop limit  : 1..1
    managed configuration : Unset
    interface      : ae1
    vlan           : 2
    packet dropped : 0
    packet total   : 0

Ra-guard: 2
    prefix         : 2001:1:1:1::/64
    vlan           : 3
    packet dropped : 0
    packet total   : 0

Ra-guard: 3
    source mac address: 22:22:22:22:22:22
    packet dropped : 0
    packet total : 0

admin@XorPlus# 

...

Code Block
admin@187mlag# run show ra-guard name 1
Ra-guard: 1
    cur hop limit  : 1..1
    managed configuration: Unset
    interface      : ae1
    vlan           : 2
    packet dropped : 0
    packet total   : 0