Programmable Internetworking & Communication Operating System Docs

The RA guard function can be configured on physical interfaces, LAG ports, or in VLANs, and only checks router advertisement (RA) packets on untrusted ports that have the RA guard function enabled. By default, all interfaces are untrusted with respect to RA guard. Trusted interfaces are manually specified.

  • If the RA guard function is enabled on an untrusted interface, the RA message received on the interface will be checked by the RA guard policy. Only the RA packets that match the RA guard policy are processed and forwarded.
  • If the RA guard function is disabled on an untrusted interface, the RA message received on the interface will not be checked by the RA guard policy. All the RA packets received on this interface are processed and forwarded without inspection.
  • If the RA guard function is enabled on a trusted interface, the RA message received on the interface will not be checked by the RA guard policy. All the RA packets received on this interface are processed and forwarded without inspection.

Configuring RA Guard Policy

Code Block
admin@XorPlus# set protocols neighbour ra-guard term guard1 from hop-limit 1
admin@XorPlus# set protocols neighbour ra-guard term guard1 from managed-config-flag false
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard term guard2 from prefix 2001:1:1:1::/64
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set protocols neighbour ra-guard term guard3 from source-mac-addr 22:22:22:22:22:22 
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# 

...

Code Block
admin@XorPlus# run show ra-guard 
Ra-guard: guard1
    cur hop limit  : 1..1
    managed configuration: Unset
    interface      : ae1
    vlan           : 2
    packet dropped : 0
    packet total   : 0

Ra-guard: guard2
    prefix         : 2001:1:1:1::/64
    vlan           : 3
    packet dropped : 0
    packet total   : 0

Ra-guard: guard3
    source mac address: 22:22:22:22:22:22
    packet dropped : 0
    packet total   : 0

trusted port: ge-1/1/2

admin@XorPlus# run show ra-guard name guard1
Ra-guard: guard1
    cur hop limit  : 1..1
    managed configuration: Unset
    interface      : ae1
    vlan           : 2
    packet dropped : 0
    packet total   : 0
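
To monitor the per-term counters shown above, the output can be parsed and checked for non-zero drop counts. The following is an added example, not part of the PICOS documentation: the function names are hypothetical and the sample text is constructed in the layout of the output above, with made-up counter values.

```python
# Constructed sample in the layout of `run show ra-guard` above; the counter
# values are made up for this example.
SAMPLE = """\
Ra-guard: guard1
    cur hop limit  : 1..1
    managed configuration: Unset
    interface      : ae1
    vlan           : 2
    packet dropped : 7
    packet total   : 120

Ra-guard: guard2
    prefix         : 2001:1:1:1::/64
    vlan           : 3
    packet dropped : 0
    packet total   : 45

Ra-guard: guard3
    source mac address: 22:22:22:22:22:22
    packet dropped : 0
    packet total   : 0

trusted port: ge-1/1/2
"""

def parse_ra_guard(text):
    """Return ({term: {field: value}}, [trusted ports]) from the show output."""
    terms, trusted, current = {}, [], None
    for line in text.splitlines():
        # Split on the first colon only: prefixes and MACs contain colons too.
        key, sep, value = line.partition(":")
        key, value = " ".join(key.split()), value.strip()
        if not sep or not key:
            continue  # blank lines and CLI prompt lines carry no field
        if key == "Ra-guard":
            current = terms.setdefault(value, {})
        elif key == "trusted port":
            trusted.append(value)
        elif current is not None:
            current[key] = int(value) if key.startswith("packet ") else value
    return terms, trusted

def terms_with_drops(terms):
    """Terms whose 'packet dropped' counter is non-zero."""
    return {n: t["packet dropped"] for n, t in terms.items() if t.get("packet dropped", 0) > 0}

def unbound_terms(terms):
    """Terms whose output lists neither an interface nor a vlan line."""
    return [n for n, t in terms.items() if "interface" not in t and "vlan" not in t]
```

A non-zero drop counter on a term is a prompt to check which device on that interface or VLAN is sending router advertisements.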

...