IPv6 router advertisement guard

IPv6-enabled routers send router advertisement (RA) messages to neighboring hosts in the local network. To prevent the spoofing of the RA messages, RA guard inspects RA messages to see if they meet the criteria contained in an RA-guard policy. If the RA messages match the criteria in the policy, they are forwarded. If the RA messages do not match the criteria in the policy, they are dropped.

The IPv6 RA-guard policy checks for the following criteria in each RA message:

  • Whether the M (managed address configuration) flag or the O (other configuration) flag is set
  • Whether the hop limit is greater than or equal to the minimum hop limit
  • Whether the hop limit is less than or equal to the maximum hop limit
  • Whether the default router preference is set to high, medium, or low
  • Whether the source IPv6 address matches an allowed address in an IPv6 access list (created with the config router access-list6 command)
  • Whether the advertised IPv6 prefix matches an allowed prefix in an IPv6 prefix list (created with the config router prefix-list6 command)
  • Whether the device is a host or a router. If the device is a host, all RA messages are dropped. If the device is a router, the other criteria in the policy are checked.

IPv6 RA guard is supported on 2xx models and higher.

Configuring IPv6 RA guard

Configuring IPv6 RA guard consists of the following steps:

  1. (Optional) Create lists of source IPv6 addresses and IPv6 address prefixes that are allowed in RA messages.
  2. Create one or more IPv6 RA-guard policies.
  3. Apply the IPv6 RA-guard policies to switch interfaces and VLANs.

Create an IPv6 access list

Create an IPv6 access list if you want to specify which source IPv6 addresses are allowed in RA messages. When no rule in the IPv6 access list is matched, the RA messages are dropped.

To create an IPv6 access list:

config router access-list6
    edit <name_of_IPv6_access_list>
        set comments <string>
        config rule
            edit <rule_ID>
                set action {deny | permit}
                set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}
                set exact-match {enable | disable}
            next
        end
end

For example:

config router access-list6
    edit accesslist1
        set comments "IPv6 access list"
        config rule
            edit 1
                set action permit
                set prefix6 fe80::a5b:eff:fef1:95e5
                set exact-match disable
            next
        end
end

Create an IPv6 prefix list

Create an IPv6 prefix list if you want to specify which IPv6 prefixes are allowed in the prefix information option (RA option type 3) of RA messages. When no rule in the IPv6 prefix list is matched, the RA messages are dropped.

To create an IPv6 prefix list:

config router prefix-list6
    edit <name_of_IPv6_prefix_list>
        set comments <string>
        config rule
            edit <rule_ID>
                set action {deny | permit}
                set prefix6 {<IPv6_prefix> | any}
                set ge <0-128>
                set le <0-128>
            next
        end
end

For example:

config router prefix-list6
    edit prefixlist1
        set comments "IPv6 prefix list"
        config rule
            edit 1
                set action permit
                set prefix6 any
                set ge 50
                set le 50
            next
        end
end

Create an IPv6 RA-guard policy

In the IPv6 RA-guard policy, you specify the criteria that RA messages must match before the RA messages are forwarded.

To create an IPv6 RA-guard policy:

config switch raguard-policy
    edit <RA-guard policy name>
        set device-role {host | router}
        set managed-flag {Off | On}
        set other-flag {Off | On}
        set max-hop-limit <0-255>
        set min-hop-limit <0-255>
        set max-router-preference {high | medium | low}
        set match-src-addr <name_of_IPv6_access_list>
        set match-prefix <name_of_IPv6_prefix_list>
    next
end

For example:

config switch raguard-policy
    edit RApolicy1
        set device-role router
        set managed-flag On
        set other-flag On
        set max-hop-limit 100
        set min-hop-limit 5
        set max-router-preference medium
        set match-src-addr accesslist1
        set match-prefix prefixlist1
    next
end
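To make the criteria list above concrete, the following is an added example (not FortiSwitch code and not part of this page) that models the RA-guard policy evaluation in Python: the access-list and prefix-list rule semantics from the two sections above, and the raguard-policy fields from this section, applied to constructed RA messages. RApolicy1, accesslist1 and prefixlist1 are reproduced from this page; the order in which the checks run, the rule that the RA's M/O flags must match the managed-flag/other-flag settings, the exact-match interpretation, and the requirement that every advertised prefix pass the prefix list are assumptions of this model, not statements from the page.

```python
# Added example (not FortiSwitch code): a model of the RA-guard checks listed on
# this page. Check order, the M/O flag comparison and "every RA prefix must pass"
# are assumptions; the RA messages at the bottom are constructed samples.
import ipaddress
from dataclasses import dataclass, field

PREFERENCE_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class AccessRule:            # one rule of `config router access-list6`
    action: str              # "permit" or "deny"
    prefix6: str             # address or prefix, or "any"
    exact_match: bool = False

@dataclass
class PrefixRule:            # one rule of `config router prefix-list6`
    action: str
    prefix6: str             # prefix or "any"
    ge: int = 0              # minimum prefix length
    le: int = 128            # maximum prefix length

@dataclass
class RAGuardPolicy:         # mirrors `config switch raguard-policy`
    device_role: str = "router"
    managed_flag: bool = True          # On / Off
    other_flag: bool = True            # On / Off
    min_hop_limit: int = 0
    max_hop_limit: int = 255
    max_router_preference: str = "medium"
    match_src_addr: list = field(default_factory=list)   # AccessRule entries
    match_prefix: list = field(default_factory=list)     # PrefixRule entries

@dataclass
class RouterAdvertisement:   # the RA fields the policy inspects
    src: str                 # link-local source address
    hop_limit: int           # IPv6 hop limit of the RA packet
    m_flag: bool
    o_flag: bool
    router_preference: str   # "low", "medium" or "high"
    prefixes: list           # prefix information options (type 3)

def match_access_list(src, rules):
    """First matching rule decides; no match drops the RA. Assumed: exact-match
    requires a /128 entry equal to the source address."""
    addr = ipaddress.IPv6Address(src)
    for rule in rules:
        if rule.prefix6 == "any":
            return rule.action == "permit"
        net = ipaddress.IPv6Network(rule.prefix6, strict=False)
        if addr in net and (not rule.exact_match or net.prefixlen == 128):
            return rule.action == "permit"
    return False

def match_prefix_list(prefix, rules):
    """First matching rule decides; the prefix length must lie within [ge, le]."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    for rule in rules:
        covered = rule.prefix6 == "any" or net.subnet_of(
            ipaddress.IPv6Network(rule.prefix6, strict=False))
        if covered and rule.ge <= net.prefixlen <= rule.le:
            return rule.action == "permit"
    return False

def evaluate(policy, ra):
    """Return (forward, reason) for one RA; the first failing check wins."""
    if policy.device_role == "host":
        return False, "device-role host: every RA is dropped"
    if ra.m_flag != policy.managed_flag or ra.o_flag != policy.other_flag:
        return False, "M/O flags do not match managed-flag/other-flag"
    if not policy.min_hop_limit <= ra.hop_limit <= policy.max_hop_limit:
        return False, "hop limit %d outside min/max hop limit" % ra.hop_limit
    if PREFERENCE_RANK[ra.router_preference] > PREFERENCE_RANK[policy.max_router_preference]:
        return False, "router preference %s above max-router-preference" % ra.router_preference
    if policy.match_src_addr and not match_access_list(ra.src, policy.match_src_addr):
        return False, "source %s not permitted by match-src-addr list" % ra.src
    for p in ra.prefixes:
        if policy.match_prefix and not match_prefix_list(p, policy.match_prefix):
            return False, "prefix %s not permitted by match-prefix list" % p
    return True, "matches policy, forwarded"

# RApolicy1 as configured on this page, with accesslist1 and prefixlist1.
RAPOLICY1 = RAGuardPolicy(
    device_role="router", managed_flag=True, other_flag=True,
    max_hop_limit=100, min_hop_limit=5, max_router_preference="medium",
    match_src_addr=[AccessRule("permit", "fe80::a5b:eff:fef1:95e5")],
    match_prefix=[PrefixRule("permit", "any", ge=50, le=50)])

# Constructed RAs: the legitimate router plus four that the policy rejects.
LEGIT_SRC = "fe80::a5b:eff:fef1:95e5"
SAMPLE_RAS = {
    "legitimate": RouterAdvertisement(LEGIT_SRC, 64, True, True, "medium", ["2001:db8::/50"]),
    "unknown_source": RouterAdvertisement("fe80::1", 64, True, True, "medium", ["2001:db8::/50"]),
    "high_preference": RouterAdvertisement(LEGIT_SRC, 64, True, True, "high", ["2001:db8::/50"]),
    "hop_limit_too_low": RouterAdvertisement(LEGIT_SRC, 3, True, True, "medium", ["2001:db8::/50"]),
    "wrong_prefix_length": RouterAdvertisement(LEGIT_SRC, 64, True, True, "medium", ["2001:db8:1::/64"]),
}

if __name__ == "__main__":
    for name, ra in SAMPLE_RAS.items():
        print("%-20s %s" % (name, evaluate(RAPOLICY1, ra)))
```

Running the module prints one verdict per sample: only the RA from the listed source with a /50 prefix, medium preference and a hop limit between 5 and 100 is forwarded. The reason string names the configured field that rejected the RA, which is the information a troubleshooter wants when a legitimate router's advertisements stop reaching hosts after a policy is applied.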

Apply the IPv6 RA-guard policy

After you create an IPv6 RA-guard policy, you need to apply it to the appropriate switch ports or trunks and VLANs. You can create and apply different policies to different VLANs.

To apply the IPv6 RA-guard policy:

config switch interface
    edit <interface_name>
        config raguard
            edit <ID>
                set raguard-policy <name_of_RA_guard_policy>
                set vlan-list <list_of_VLANs>
            next
        end
end

For example:

config switch interface
    edit <interface_name>
        config raguard
            edit 1
                set raguard-policy RApolicy1
                set vlan-list 1
            next
            edit 2
                set raguard-policy RApolicy2
                set vlan-list 2-5
            next
        end
end

View available IPv6 RA-guard policies

Use the following command to list the available IPv6 RA-guard policies:

get switch raguard-policy

For example:

S524DF4K15000024 # get switch raguard-policy
== [ RApolicy1 ]
name: RApolicy1