...
Note: Enable the IP routing function before using this feature. For details, refer to Configuring IP Routing.
When the switch receives an ingress router advertisement (RA) message, it attempts to match the message against the RA guard. If the ingress port has an RA guard applied but is not a trusted port, the applied VLAN ID is matched first. If the RA tag matches the VLAN ID, the RA guard continues matching conditions to determine whether to forward or drop the RA message. If the RA tag does not match the VLAN ID, the applied interface is matched (followed by the subsequent conditions). An RA guard policy can be configured using the hop-limit, managed-config-flag, other-config-flag, prefix, source-ipv6-addr, and source-mac-addr options.
Configuring Trusted-Port
The RA guard function can be configured on physical interfaces, LAG ports, or in VLANs, and only checks the router advertisement (RA) packets on untrusted ports with RA guard enabled. By default, all interfaces are untrusted with respect to RA guard. Trusted interfaces are manually specified.
- If RA guard is enabled on an untrusted interface, the RA message received on the interface will be checked by the RA guard policy. Only the RA packets that match the RA guard policy are processed and forwarded.
- If RA guard is disabled on an untrusted interface, the RA message received on the interface will not be checked by the RA guard policy. All the RA packets received on this interface are processed and forwarded without inspection.
- If RA guard is enabled on a trusted interface, the RA message received on the interface will not be checked by the RA guard policy. All the RA packets received on this interface are processed and forwarded without inspection.
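The forwarding decision described above, written out as a small Python model. This is an added example, not PicOS code: the `Policy`, `RA`, `conditions_match` and `decide` names are hypothetical, the hop limit is assumed to be an exact match, and the prefix condition is assumed to mean containment in the configured prefix.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Policy:                       # one RA guard policy; None = condition not set
    interfaces: frozenset = frozenset()
    vlan_id: Optional[int] = None
    hop_limit: Optional[int] = None
    managed_flag: Optional[bool] = None
    other_flag: Optional[bool] = None
    prefix: Optional[str] = None
    source_ipv6: Optional[str] = None
    source_mac: Optional[str] = None

@dataclass
class RA:                           # fields of a received RA that the guard inspects
    port: str
    vlan: int
    hop_limit: int = 64
    managed: bool = False
    other: bool = False
    prefixes: tuple = ()
    src_ip: str = "fe80::1"
    src_mac: str = "00:00:00:00:00:01"

def conditions_match(p: Policy, ra: RA) -> bool:
    """All configured conditions must match; unset conditions are skipped."""
    return all([
        p.hop_limit is None or ra.hop_limit == p.hop_limit,
        p.managed_flag is None or ra.managed == p.managed_flag,
        p.other_flag is None or ra.other == p.other_flag,
        # Assumption: every advertised prefix must lie inside the allowed prefix.
        p.prefix is None or all(ip_network(x).subnet_of(ip_network(p.prefix)) for x in ra.prefixes),
        p.source_ipv6 is None or ip_address(ra.src_ip) in ip_network(p.source_ipv6),
        p.source_mac is None or ra.src_mac.lower() == p.source_mac.lower(),
    ])

def decide(ra: RA, policies: list, trusted_ports: set) -> str:
    if ra.port in trusted_ports:
        return "forward"            # trusted port: never inspected
    # The VLAN binding is tried first, then the interface binding.
    policy = next((p for p in policies if p.vlan_id == ra.vlan), None) \
        or next((p for p in policies if ra.port in p.interfaces), None)
    if policy is None:
        return "forward"            # RA guard not enabled on this untrusted port
    return "forward" if conditions_match(policy, ra) else "drop"

# Constructed sample configuration (not taken from a real switch).
POLICIES = [Policy(vlan_id=2, hop_limit=1, managed_flag=False),
            Policy(interfaces=frozenset({"ae1"}), prefix="2001:1:1:1::/64")]
TRUSTED = {"ge-1/1/2"}
```

The model makes the exposure visible: an untrusted port with no policy bound to its VLAN or interface forwards every RA, so coverage of all host-facing ports matters as much as the conditions themselves.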
Configuring RA Guard Policy
```
admin@XorPlus# set protocols neighbour ra-guard term 1guard1 from hop-limit 1
admin@XorPlus# set protocols neighbour ra-guard term 1guard1 from managed-config-flag false
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard term 2guard2 from prefix 2001:1:1:1::/64
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard term 3guard3 from source-mac-addr 22:22:22:22:22:22
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus#
```
Configuring Trusted-Port
No more than one RA guard can be applied to one interface. The RAs will be forwarded only if all conditions are matched. But if "trusted-port" has been configured for the RA guard, RAs will be forwarded on the trusted port regardless.
```
admin@XorPlus# set protocols neighbour ra-guard term 1 interface ge-1/1/1
admin@XorPlus# set protocols neighbour ra-guard term 1 interface ae1
admin@XorPlus# set protocols neighbour ra-guard term 1 vlan-id 2
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard trusted-port ge-1/1/2
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard term 2 vlan-id 3
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus#
```
Displaying RA Guards
```
admin@XorPlus# run show raguardra-guard
Raguard: 1
Ra-guard: guard1
cur hop limit : 1..101
managed configuration : Unset
other configuration : Set
source mac address : 22:22:22:22:22:22
source ipv6 address : fe80::/64
prefix
interface : ae1
vlan : 2
packet dropped : 0
packet total : 0
Ra-guard: guard2
prefix : 2001:1:1:1::/64
interface : ge-1/1/1, ae1
vlan : 3 2
packet dropped : 0
packet total : 0
Raguard: 2
vlan : 3
Ra-guard: guard3
source mac address: 22:22:22:22:22:22
packet dropped : 0
packet total : 0
trusted port: ge-1/1/12
admin@XorPlus#
```
...
```
admin@XorPlus# set protocols neighbour ra-guard 1 hop-limit 1
admin@XorPlus# set protocols neighbour ra-guard 1 managed-config-flag false
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard 2 prefix 2001:1:1:1::/64
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard 3 source-mac-addr 22:22:22:22:22:22
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# run show ra-guard name guard1
Ra-guard: guard1
cur hop limit : 1..1
managed configuration: Unset
interface : ae1
vlan : 2
packet dropped : 0
packet total : 0
```