Router Advertisement Guard; Neighbor Discovery Inspection - Cisco 350 Series Administration Manual


Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
Security: IPv6 First Hop Security

The device-role command in the Neighbor Binding policy configuration screen specifies the
perimeter.
Each IPv6 First Hop Security switch establishes binding for neighbors partitioned by the edge.
In this way, binding entries are distributed on IPv6 First Hop Security devices forming the
perimeter. The IPv6 First Hop Security devices can then provide binding integrity to the inside
of the perimeter, without setting up bindings for all the addresses on each device.

Router Advertisement Guard

Router Advertisement (RA) Guard is the first FHS feature that treats trapped RA messages.
RA Guard supports the following functions:
- Filtering of received RA, CPA, and ICMPv6 redirect messages.
- Validation of received RA messages.

Filtering of Received RA, CPA, and ICMPv6 Redirect Messages

RA Guard discards RA and CPA messages received on interfaces whose role is not router.
The interface role is configured on the RA Guard Settings page.

Validation of RA Messages

RA Guard validates RA messages using filtering based on the RA Guard policy attached to
the interface. These policies can be configured on the RA Guard Settings page.
If a message does not pass verification, it is dropped. If the logging packet drop configuration
on the FHS common component is enabled, a rate-limited SYSLOG message is sent.

Neighbor Discovery Inspection

Neighbor Discovery (ND) Inspection supports the following functions:
- Validation of received Neighbor Discovery protocol messages.
- Egress filtering
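
The two RA Guard steps described above (filtering by interface role, then validating RA messages against the attached policy) can be modelled as follows. This is an added example, not Cisco's implementation or code from the manual; the policy fields (hop-limit range, managed flag), the function names and the simple log cap standing in for rate limiting are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# ICMPv6 types: RA and Redirect (RFC 4861), Certification Path Advertisement (RFC 3971)
RA, REDIRECT, CPA = 134, 137, 149

@dataclass
class RaGuardPolicy:
    """Assumed policy model; these fields are illustrative, not taken from the manual."""
    device_role: str = "host"             # "host" or "router"
    min_hop_limit: int = 0
    max_hop_limit: int = 255
    managed_flag: Optional[bool] = None   # None means the M flag is not checked

def ra_guard(icmp6: bytes, policy: RaGuardPolicy):
    """Return (verdict, reason) for one ICMPv6 message received on an interface."""
    if not icmp6:
        return "drop", "empty message"
    msg_type = icmp6[0]
    if msg_type not in (RA, REDIRECT, CPA):
        return "forward", "not an RA Guard message type"
    if policy.device_role != "router":            # step 1: filtering by interface role
        return "drop", f"ICMPv6 type {msg_type} on non-router interface"
    if msg_type != RA:
        return "forward", "router interface"
    if len(icmp6) < 16:                           # fixed RA header is 16 bytes
        return "drop", "truncated RA"
    cur_hop_limit, flags = struct.unpack_from("!BB", icmp6, 4)
    if not policy.min_hop_limit <= cur_hop_limit <= policy.max_hop_limit:
        return "drop", f"hop limit {cur_hop_limit} outside policy"
    managed = bool(flags & 0x80)                  # M bit of the RA flags byte
    if policy.managed_flag is not None and managed != policy.managed_flag:
        return "drop", "managed flag does not match policy"
    return "forward", "RA passed validation"

def inspect(messages, policy, log_drops=True, max_logs=2):
    """Apply ra_guard to each message; max_logs is a simple cap standing in for rate limiting."""
    verdicts, logs = [], []
    for msg in messages:
        verdict, reason = ra_guard(msg, policy)
        verdicts.append(verdict)
        if verdict == "drop" and log_drops and len(logs) < max_logs:
            logs.append(f"RA Guard drop: {reason}")
    return verdicts, logs

def build_ra(hop_limit: int, managed: bool) -> bytes:
    """Constructed sample RA: type 134, code 0, zero checksum, no options."""
    return struct.pack("!BBHBBHII", RA, 0, 0, hop_limit, 0x80 if managed else 0, 1800, 0, 0)
```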
