
Ra guard policy, Whitelist, Prefix list – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


link. This helps the nodes to autoconfigure themselves on the network. Unintended misconfigurations
or malicious attacks on the network result in false RAs being present on the link, which in turn cause
operational problems for hosts on the network.

IPv6 RA guard improves the security of local IPv6 networks. The IPv6 RA guard is useful in network
segments that are designed around a single Layer 2 switching device or a set of Layer 2 switching
devices. You can configure IPv6 RA guard if you have local IPv6 networks and you are using
autoconfiguration for local addresses. IPv6 RA guard filters RAs from untrusted sources: RAs received
on host ports are dropped, RAs received on trusted ports are forwarded, and RAs received on untrusted
ports are inspected against the configured criteria before being forwarded or dropped.

You can configure an RA guard policy and associate criteria with it, such as a whitelist, a prefix list,
and a maximum preference value. RAs are inspected against these criteria, and the result decides
whether each RA packet is forwarded or dropped. You can configure a port as host, trusted, or
untrusted. For the RA guard policy to take effect, you must configure the RA guard policy, associate
the criteria with it, and set the port type as host, trusted, or untrusted.

RA guard policy

An RA guard policy is a set of criteria against which the RAs received on a port are inspected. Based on
the RA guard policy configuration, RAs are forwarded or dropped. The whitelist, prefix list, and maximum
preference value are configured for a particular RA guard policy so that the RAs are inspected against
all the criteria before being forwarded or dropped.

Before configuring an RA guard policy, you must enable ACL filtering based on VLAN membership
using the enable acl-per-port-per-vlan command.

Whitelist

The whitelist contains the link-local addresses of the trusted RA sources. RAs from the sources
permitted by the whitelist are forwarded (subject to the other policy criteria), and RAs from all other
sources are dropped.

Prefix list

Prefix lists are supported only on Layer 3 devices. A prefix list is configured at the global level using
the ipv6 prefix-list command. IPv6 prefix lists can be used in the RA guard policy to inspect and restrict
the prefixes advertised in RA packets. RA packets from the trusted sources in the whitelist can be
further inspected using the prefix list. If an RA packet carries a prefix that does not match the
configured prefix list, the RA packet is dropped.

Maximum preference

RA packets may contain a router preference value. If an RA packet has a preference value higher than
the policy's maximum-preference value, the packet is dropped. If, for example, the maximum preference
is set to medium and the advertised default router preference in the received packet is high, the
packet is dropped. If the preference in the received packet is medium or low, the packet is not
dropped.
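The decision sequence that the whitelist, prefix list and maximum preference sections describe, combined with the host, trusted and untrusted port classification introduced above, can be modelled in a few lines. The following Python is an added example written for this page; it is not Brocade code and does not reproduce the FastIron CLI. The class and function names are invented, the RAs and policy are constructed sample data, and the prefix-list matching rule (an advertised prefix passes if it equals or is contained in a permitted entry) is an assumption, since the guide does not spell out how prefix-list entries are matched.

```python
"""Model of the IPv6 RA guard decisions described above (constructed example, not Brocade code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class PortType(Enum):
    HOST = "host"            # RAs arriving here are always dropped
    TRUSTED = "trusted"      # RAs arriving here are forwarded without inspection
    UNTRUSTED = "untrusted"  # RAs arriving here are inspected against the policy


# RFC 4191 default router preference values, ordered low < medium < high
PREFERENCE_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RaGuardPolicy:  # hypothetical name
    # link-local addresses of trusted RA sources (the whitelist)
    whitelist: set[str] = field(default_factory=set)
    # permitted advertised prefixes; None means no prefix-list check (e.g. a Layer 2 device)
    prefix_list: list[str] | None = None
    # highest router preference accepted; None means no preference check
    max_preference: str | None = None


@dataclass
class RouterAdvertisement:  # hypothetical name; only the fields the policy inspects
    src: str                    # link-local source address of the RA
    prefixes: list[str]         # prefixes carried in Prefix Information options
    preference: str = "medium"  # default router preference (RFC 4191)


def _prefix_permitted(prefix: str, permitted: list[str]) -> bool:
    """Assumed matching rule: equal to, or contained in, a permitted entry."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    for entry in permitted:
        allowed = ipaddress.IPv6Network(entry, strict=False)
        if net == allowed or net.subnet_of(allowed):
            return True
    return False


def inspect_ra(port_type: PortType, policy: RaGuardPolicy,
               ra: RouterAdvertisement) -> tuple[bool, str]:
    """Return (forward?, reason) for one RA received on a port of the given type."""
    if port_type is PortType.HOST:
        return False, "host port: RA dropped"
    if port_type is PortType.TRUSTED:
        return True, "trusted port: RA forwarded without inspection"

    # Untrusted port: every criterion attached to the policy must pass.
    # 1. Whitelist. Addresses are parsed so that textual variants compare equal.
    #    RFC 4861 requires an RA source to be link-local, so anything else is rejected too.
    src = ipaddress.IPv6Address(ra.src)
    trusted_sources = {ipaddress.IPv6Address(a) for a in policy.whitelist}
    if not src.is_link_local or src not in trusted_sources:
        return False, f"source {src} not in whitelist"

    # 2. Prefix list: one advertised prefix outside the list drops the whole RA.
    if policy.prefix_list is not None:
        for prefix in ra.prefixes:
            if not _prefix_permitted(prefix, policy.prefix_list):
                return False, f"prefix {prefix} not permitted by prefix list"

    # 3. Maximum preference: a router preference above the policy maximum drops the RA.
    if policy.max_preference is not None:
        if PREFERENCE_RANK[ra.preference] > PREFERENCE_RANK[policy.max_preference]:
            return False, f"preference {ra.preference} exceeds maximum {policy.max_preference}"

    return True, "RA passed all policy criteria"


def demo() -> list[bool]:
    """Run constructed RAs through a constructed policy; returns the forward/drop decisions."""
    policy = RaGuardPolicy(whitelist={"fe80::1", "fe80::2"},
                           prefix_list=["2001:db8:10::/48"],
                           max_preference="medium")
    cases = [  # constructed sample traffic
        (PortType.UNTRUSTED, RouterAdvertisement("fe80::1", ["2001:db8:10:1::/64"])),        # legitimate
        (PortType.UNTRUSTED, RouterAdvertisement("fe80::bad", ["2001:db8:10:1::/64"])),      # unknown source
        (PortType.UNTRUSTED, RouterAdvertisement("fe80::2", ["2001:db8:99::/64"])),         # foreign prefix
        (PortType.UNTRUSTED, RouterAdvertisement("fe80::2", ["2001:db8:10::/64"], "high")), # too preferred
        (PortType.HOST, RouterAdvertisement("fe80::1", ["2001:db8:10::/64"])),              # host port
        (PortType.TRUSTED, RouterAdvertisement("fe80::bad", ["2001:db8:99::/64"])),         # trusted port
    ]
    results = []
    for port_type, ra in cases:
        forward, reason = inspect_ra(port_type, policy, ra)
        print(f"{port_type.value:9} {'FORWARD' if forward else 'DROP':7} {reason}")
        results.append(forward)
    return results


if __name__ == "__main__":
    demo()
```

Running the script prints one line per sample RA. Two of the outcomes are worth noting when reading the guide: a trusted port forwards even an RA that would fail every policy criterion, which is why trusted status should be given only to the uplink toward the real router, and a single non-permitted prefix is enough to drop an RA that is otherwise valid.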

Trusted, untrusted, and host ports

IPv6 RA guard classifies interfaces on devices as trusted, untrusted, or host ports. For the
configuration to take effect (trusted, untrusted, or host ports), the RA guard policy must be applied to


53-1003088-03