Usage Guidelines - Cisco Catalyst 4500 series Administration Manual


Chapter 54: Configuring Network Security with ACLs
Configuring RA Guard

Note: Be aware that only RA (Router Advertisement) and REDIR (Router Redirected packets) counters are supported in 12.2(54)SG.

Switch# show ipv6 nd raguard policy RA_GUARD
Policy RA_GUARD configuration:
  device-role router
Policy RA_GUARD is applied on the following targets:
Target    Type    Policy      Feature     Target range
Gi 1/1    PORT    RA_GUARD    RA guard    vlan all
Switch#

Note: With Cisco Release IOS XE 3.4.0SG and IOS 15.1(2)SG, the show ipv6 nd raguard policy command replaces the show ipv6 first-hop policies command.

Usage Guidelines

Observe the following restrictions:

• It is an ingress feature; only IPv6 Router-Advertisement and Router-Redirect packets entering through the port are filtered.
• RA Guard does not offer protection in environments where IPv6 traffic is tunneled.
• Starting with IOS XE 3.4.0SG/15.1(2)SG, RA Guard is supported in software. In prior releases, this feature is supported only in hardware; packets are not punted to software except under resource exhaustion (for example, TCAM memory exhaustion).
• RA Guard is purely a Layer 2 port-based feature and can be configured only on switchports. It works irrespective of whether IPv6 routing is enabled. It is supported on switchports and VLANs.
• RA Guard is supported on trunk ports and VLANs; filtering is performed on packets arriving from all the allowed VLANs.
• Starting with IOS XE 3.4.0SG/15.1(2)SG, RA Guard is not supported on EtherChannel. In prior releases, RA Guard is supported on EtherChannel; the RA Guard configuration (whether present or not) on the EtherChannel overrides the RA Guard configuration on the member ports.
• RA Guard is supported on ports that belong to PVLANs (for example, isolated secondary host ports, community secondary host ports, promiscuous primary host ports, and (primary/secondary) trunk ports). Primary VLAN features are inherited and merged with port features.
• Starting with IOS XE 3.4.0SG/15.1(2)SG, RA Guard is supported on SUP-6, SUP6L-E, 4948E, SUP-7E, SUP7L-E, SUP8-E, 4500X-32, and 4500X-16 platforms. In prior releases, because of hardware limitations, it may not be possible for Catalyst 4900M, Catalyst 4948E, Catalyst 4948L-E, Supervisor Engine 6-E, Supervisor Engine 6L-E, Supervisor Engine 7-E and Supervisor Engine 7L-E to collect statistics for RA Guard in hardware. If so, an error message is displayed.

Note: The show ipv6 snooping counters interface command displays the estimated counters.

• Beginning with Cisco IOS Release 15.0(2)SG, per-port RA Guard ACL statistics are supported and displayed when you enter a show ipv6 snooping counters interface command. (Previous to this release, you enter the show ipv6 first-hop counters interface command.)

Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E, OL_28731-01
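An added example (not from the Cisco guide): a Python parser for the show ipv6 nd raguard policy output shown above, with an audit that lists ports carrying a device-role router policy (ports from which RAs are accepted) that are not on an expected uplink list. The second target Gi 2/7, the function names and the trusted-uplink list are assumptions made for illustration.

```python
import re

# Constructed sample: the show output from this page plus a hypothetical
# second target (Gi 2/7) so the audit has something to flag.
SAMPLE = """\
Switch# show ipv6 nd raguard policy RA_GUARD
Policy RA_GUARD configuration:
  device-role router
Policy RA_GUARD is applied on the following targets:
Target    Type    Policy      Feature     Target range
Gi 1/1    PORT    RA_GUARD    RA guard    vlan all
Gi 2/7    PORT    RA_GUARD    RA guard    vlan all
Switch#
"""

COLUMNS = ("target", "type", "policy", "feature", "target_range")

def parse_raguard_policy(text):
    """Return {'policy', 'device_role', 'targets'} parsed from the show output."""
    result = {"policy": None, "device_role": None, "targets": []}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Policy (\S+) configuration:", line)
        if m:
            result["policy"] = m.group(1)
        elif line.startswith("device-role "):
            result["device_role"] = line.split()[1]
        elif line.startswith("Target"):
            in_table = True  # header row; data rows follow
        elif in_table:
            # Columns are separated by runs of 2+ spaces, so "Gi 1/1",
            # "RA guard" and "vlan all" each stay a single field.
            fields = re.split(r"\s{2,}", line)
            if len(fields) != len(COLUMNS):
                in_table = False  # prompt or blank line ends the table
                continue
            result["targets"].append(dict(zip(COLUMNS, fields)))
    return result

def unexpected_router_ports(parsed, trusted_uplinks):
    """Targets of a device-role router policy that are not trusted uplinks."""
    if parsed["device_role"] != "router":
        return []
    # Compare names without spaces or case ("Gi 1/1" == "gi1/1").
    trusted = {p.replace(" ", "").lower() for p in trusted_uplinks}
    return [t["target"] for t in parsed["targets"]
            if t["target"].replace(" ", "").lower() not in trusted]
```

Calling unexpected_router_ports(parse_raguard_policy(SAMPLE), ["Gi1/1"]) returns ["Gi 2/7"], the port where a router-role policy is attached outside the expected uplinks.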
