Ipv6 Stateless Ra Guard - NETGEAR M4200 Software Administration Manual

If the authentication is successful, the session displays in the output of the show login
sessions command.
7. Disconnect the user from the DAC.
[root@localhost raddb]# cat /usr/local/etc/raddb/test.txt | radclient -x
172.26.2.145:3799

IPv6 Stateless RA Guard

Spoof attacks can occur on routed protocols. When you operate an IPv6 network in a shared
Layer 2 network segment, the network can receive and process rogue router advertisement
(RA) messages that are generated with malicious intent or are caused by an incorrect
configuration of routers that are connected to the segment.
If the IPv6 network segments are part of one or more managed switches and all traffic
between the IPv6 end devices traverses through the managed switches, the IPv6 RA Guard
feature can provide protection against rogue RA messages.
The IPv6 RA Guard feature lets you block or reject rogue RA messages that are received on
a port. The IPv6 RA Guard feature analyzes the RA messages and compares the
configuration on the switch with the information in the RA message. If the frame is validated,
the RA message is forwarded to the unicast or multicast destination. If the RA message is not
validated, the RA message is dropped by the switch.
The IPv6 RA Guard feature can operate in the following two modes:
• Stateless. The switch does not maintain any state and simply validates the RA
messages as they are received against the configured match criteria.
• Stateful. The switch dynamically learns about valid RA senders and stores this
information to allow subsequent RA messages. The switch listens to the RA messages
that are received over a short period that you can configure manually. The switch then
allows RA messages that are received only on the ports on which valid RA messages
were received during the listening period.
Note: On a managed switch, the IPv6 RA Guard feature supports only the
stateless mode.
Managed Switches
disconnect 12345678
Security Management
372