Fortinet black logo

Administration Guide

IPv6 router advertisement guard

Copy Link
Copy Doc ID 0f66c6af-cee6-11eb-97f7-00505692583a:61029
Download PDF

IPv6 router advertisement guard

IPv6-enabled routers send router advertisement (RA) messages to neighboring hosts in the local network. To prevent the spoofing of the RA messages, RA guard inspects RA messages to see if they meet the criteria contained in an RA-guard policy. If the RA messages match the criteria in the policy, they are forwarded. If the RA messages do not match the criteria in the policy, they are dropped.

The IPv6 RA-guard policy checks for the following criteria in each RA message:

  • Whether it has been flagged with the M (managed address configuration) flag or O (other configuration) flag
  • Whether the hop number is equal or more than the minimum hop limit
  • Whether the hop number is equal or less than the maximum hop limit
  • Whether the default router preference is set to high, medium, or low
  • Whether the source IPv6 address matches an allowed address in an IPv6 access list (created with the config router access-list6 command)
  • Whether the IPv6 address prefix matches an allowed prefix in an IPv6 prefix list (created with the config router prefix-list6 command)
  • Whether the device is a host or a router. If the device is a host, all RA messages are dropped. If the device is a router, the other criteria in the policy are checked.

To see which models support this feature, refer to the FortiSwitch feature matrix.

Configuring IPv6 RA guard consists of the following steps:

  1. (Optional) Creating an IPv6 access list
  2. (Optional) Creating an IPv6 prefix list
  3. Creating an IPv6 RA-guard policy
  4. Applying the IPv6 RA-guard policy
  5. (Optional) Viewing available IPv6 RA-guard policies

Creating an IPv6 access list

Create an IPv6 access list if you want to specify which source IPv6 address are allowed in RA messages. When no rule in the IPv6 access list is matched, the RA messages are dropped.

To create an IPv6 access list:

config router access-list6

edit <name_of_IPv6_access_list>

set comments <string>

config rule

edit <rule_ID>

set action {deny | permit}

set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}

set exact-match {enable | disable}

next

end

end

For example:

config router access-list6

edit accesslist1

set comments "IPv6 access list"

config rule

edit 1

set action permit

set prefix6 fe80::a5b:eff:fef1:95e5

set exact-match disable

next

end

end

Creating an IPv6 prefix list

Create an IPv6 prefix list if you want to specify which IPv6 prefixes in the RA option type 3 are allowed in RA messages. When no rule in the IPv6 prefix list is matched, the RA messages are dropped.

To create an IPv6 prefix list:

config router prefix-list6

edit <name_of_IPv6_prefix_list>

set comments <string>

config rule

edit <rule_ID>

set action {deny | permit}

set prefix6 {<IPv6_prefix> | any}

set ge <0-128>

set le <0-128>

next

end

end

For example:

config router prefix-list6

edit prefixlist1

set comments "IPv6 prefix list"

config rule

edit 1

set action permit

set prefix6 any

set ge 50

set le 50

next

end

end

Creating an IPv6 RA-guard policy

In the IPv6 RA-guard policy, you specify the criteria that RA messages must match before the RA messages are forwarded.

To create an IPv6 RA-guard policy:

config switch raguard-policy

edit <RA-guard policy name>

set device-role {host | router}

set managed-flag {Off | On}

set other-flag {Off | On}

set max-hop-limit <0-255>

set min-hop-limit <0-255>

set max-router-preference {high | medium | low}

set match-src-addr <name_of_IPv6_access_list>

set match-prefix <name_of_IPv6_prefix_list>

next

end

For example:

config switch raguard-policy

edit RApolicy1

set device-role router

set managed-flag On

set other-flag On

set max-hop-limit 100

set min-hop-limit 5

set max-router-preference medium

set match-src-addr accesslist1

set match-prefix prefixlist1

next

end

Applying the IPv6 RA-guard policy

After you create an IPv6 RA-guard policy, you need to apply it to the appropriate switch ports or trunks and VLANs. You can create and apply different policies to different VLANs.

To apply the IPv6 RA-guard policy:

config switch interface

edit <interface_name>

config raguard

edit <ID>

set raguard-policy <name_of_RA_guard_policy>

set vlan-list <list_of_VLANs>

next

end

end

For example:

config switch interface

edit <interface_name>

config raguard

edit 1

set raguard-policy RApolicy1

set vlan-list 1

next

edit 2

set raguard-policy RApolicy2

set vlan-list 2-5

next

end

end

Viewing available IPv6 RA-guard policies

Use the following command to list the available IPv6 RA-guard policies:

get switch raguard-policy

For example:

S524DF4K15000024 # get switch raguard-policy

== [ RApolicy1 ]

name: RApolicy1

IPv6 router advertisement guard

IPv6-enabled routers send router advertisement (RA) messages to neighboring hosts in the local network. To prevent the spoofing of the RA messages, RA guard inspects RA messages to see if they meet the criteria contained in an RA-guard policy. If the RA messages match the criteria in the policy, they are forwarded. If the RA messages do not match the criteria in the policy, they are dropped.

The IPv6 RA-guard policy checks for the following criteria in each RA message:

  • Whether it has been flagged with the M (managed address configuration) flag or O (other configuration) flag
  • Whether the hop number is equal or more than the minimum hop limit
  • Whether the hop number is equal or less than the maximum hop limit
  • Whether the default router preference is set to high, medium, or low
  • Whether the source IPv6 address matches an allowed address in an IPv6 access list (created with the config router access-list6 command)
  • Whether the IPv6 address prefix matches an allowed prefix in an IPv6 prefix list (created with the config router prefix-list6 command)
  • Whether the device is a host or a router. If the device is a host, all RA messages are dropped. If the device is a router, the other criteria in the policy are checked.

To see which models support this feature, refer to the FortiSwitch feature matrix.

Configuring IPv6 RA guard consists of the following steps:

  1. (Optional) Creating an IPv6 access list
  2. (Optional) Creating an IPv6 prefix list
  3. Creating an IPv6 RA-guard policy
  4. Applying the IPv6 RA-guard policy
  5. (Optional) Viewing available IPv6 RA-guard policies

Creating an IPv6 access list

Create an IPv6 access list if you want to specify which source IPv6 address are allowed in RA messages. When no rule in the IPv6 access list is matched, the RA messages are dropped.

To create an IPv6 access list:

config router access-list6

edit <name_of_IPv6_access_list>

set comments <string>

config rule

edit <rule_ID>

set action {deny | permit}

set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}

set exact-match {enable | disable}

next

end

end

For example:

config router access-list6

edit accesslist1

set comments "IPv6 access list"

config rule

edit 1

set action permit

set prefix6 fe80::a5b:eff:fef1:95e5

set exact-match disable

next

end

end

Creating an IPv6 prefix list

Create an IPv6 prefix list if you want to specify which IPv6 prefixes in the RA option type 3 are allowed in RA messages. When no rule in the IPv6 prefix list is matched, the RA messages are dropped.

To create an IPv6 prefix list:

config router prefix-list6

edit <name_of_IPv6_prefix_list>

set comments <string>

config rule

edit <rule_ID>

set action {deny | permit}

set prefix6 {<IPv6_prefix> | any}

set ge <0-128>

set le <0-128>

next

end

end

For example:

config router prefix-list6

edit prefixlist1

set comments "IPv6 prefix list"

config rule

edit 1

set action permit

set prefix6 any

set ge 50

set le 50

next

end

end

Creating an IPv6 RA-guard policy

In the IPv6 RA-guard policy, you specify the criteria that RA messages must match before the RA messages are forwarded.

To create an IPv6 RA-guard policy:

config switch raguard-policy

edit <RA-guard policy name>

set device-role {host | router}

set managed-flag {Off | On}

set other-flag {Off | On}

set max-hop-limit <0-255>

set min-hop-limit <0-255>

set max-router-preference {high | medium | low}

set match-src-addr <name_of_IPv6_access_list>

set match-prefix <name_of_IPv6_prefix_list>

next

end

For example:

config switch raguard-policy

edit RApolicy1

set device-role router

set managed-flag On

set other-flag On

set max-hop-limit 100

set min-hop-limit 5

set max-router-preference medium

set match-src-addr accesslist1

set match-prefix prefixlist1

next

end

Applying the IPv6 RA-guard policy

After you create an IPv6 RA-guard policy, you need to apply it to the appropriate switch ports or trunks and VLANs. You can create and apply different policies to different VLANs.

To apply the IPv6 RA-guard policy:

config switch interface

edit <interface_name>

config raguard

edit <ID>

set raguard-policy <name_of_RA_guard_policy>

set vlan-list <list_of_VLANs>

next

end

end

For example:

config switch interface

edit <interface_name>

config raguard

edit 1

set raguard-policy RApolicy1

set vlan-list 1

next

edit 2

set raguard-policy RApolicy2

set vlan-list 2-5

next

end

end

Viewing available IPv6 RA-guard policies

Use the following command to list the available IPv6 RA-guard policies:

get switch raguard-policy

For example:

S524DF4K15000024 # get switch raguard-policy

== [ RApolicy1 ]

name: RApolicy1