
Configuring an IPv6 RA Guard Policy

Context

You can configure an IPv6 RA guard policy for an interface to filter RA messages in the following situations:

  • The type of the device or terminal connected to the interface cannot be determined. That is, no interface role can be configured for the interface to help determine whether to discard or forward RA messages.
  • The interface is connected to a router and needs to filter RA messages based on specific conditions instead of forwarding RA messages immediately.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run nd raguard policy policy-name

    An IPv6 RA guard policy is created.

  3. Configure matching rules in the IPv6 RA guard policy.

    • RA messages can be forwarded only when they match all the rules configured in the IPv6 RA guard policy.
    • When an ACL is used as a matching rule, RA messages will not match against the ACL if the ACL is not created, no rule is configured in the ACL, or the rule configured in the ACL does not specify a source MAC address, source IPv6 address, or IPv6 prefix. During matching, the permit and deny actions configured in the ACL are ignored; only the rule content (source MAC address, source IPv6 address, or IPv6 prefix) is considered. That is, RA messages are forwarded as long as they match the rule.

    • Run if-match source-mac-address acl acl-number

      An ACL is configured to match RA messages against the source MAC address in RA messages.

      By default, no ACL is configured to match RA messages against the source MAC address in RA messages.

      A matching rule is specified using a Layer 2 ACL. For details about how to configure a Layer 2 ACL, see Configuring a Layer 2 ACL in "ACL Configuration."

    • Run if-match ipv6-source-address acl acl-number

      An ACL is configured to match RA messages against the source IPv6 address in RA messages.

      By default, no ACL is configured to match RA messages against the source IPv6 address in RA messages.

      A matching rule is specified using a basic ACL6. For details about how to configure a basic ACL6, see Configuring a Basic ACL6 in "ACL Configuration."

    • Run if-match prefix acl acl-number

      An ACL is configured to match RA messages against the IPv6 prefix in RA messages.

      By default, no ACL is configured to match RA messages against the IPv6 prefix in RA messages.

      A matching rule is specified using a basic ACL6. For details about how to configure a basic ACL6, see Configuring a Basic ACL6 in "ACL Configuration."

    • Run hop-limit { maximum max-value | minimum min-value }

      A rule is configured to match RA messages against the maximum or minimum hop limit in RA messages.

      By default, the maximum and minimum hop limits in an RA message are 255 and 1 respectively.

    • Run managed-address-flag { on | off }

      A rule is configured to match RA messages against the M flag in RA messages.

      By default, no rule is configured to match RA messages against the M flag in RA messages.

    • Run other-config-flag { on | off }

      A rule is configured to match RA messages against the O flag in RA messages.

      By default, no rule is configured to match RA messages against the O flag in RA messages.

    • Run router-preference maximum { high | medium | low }

      A rule is configured to match RA messages against the highest router preference in RA messages.

      By default, no rule is configured to match RA messages against the highest router preference in RA messages.

  4. Run quit

    Return to the system view.

  5. Run interface interface-type interface-number

    The Layer 2 interface view is displayed.

  6. Run nd raguard attach-policy policy-name

    The IPv6 RA guard policy is applied to the interface.

    By default, no IPv6 RA guard policy is applied to an interface.

Result

Run the display nd raguard policy [ policy-name ] command to view the configuration of an IPv6 RA guard policy.
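
Before attaching a policy, it helps to check that the legitimate router's RA passes every rule configured in step 3. The Python sketch below is an added example, not Huawei code: it parses a captured RA and lists the rules it would fail under the "match all rules" behaviour described above. Assumptions: the policy dictionary, the sample bytes and the function names are constructed for illustration; hop-limit is compared with the RA's Cur Hop Limit field; every advertised prefix must fall inside an ACL entry; each referenced ACL exists and holds valid rules.

```python
import ipaddress

# RFC 4191 Prf bits -> rank; the reserved value 0b10 is treated as medium
PRF_RANK = {0b01: 3, 0b00: 2, 0b11: 1, 0b10: 2}
RANK = {"high": 3, "medium": 2, "low": 1}
# Constructed sample RA: hop limit 64, O flag set, Prf high, prefix 2001:db8:1::/64
SAMPLE_RA = bytes.fromhex(
    "86000000" "4048" "0708" "00000000" "00000000"
    "030440c0" "00278d00" "00093a80" "00000000"
    "20010db8000100000000000000000000")

def parse_ra(icmp6):
    """Extract the fields an RA guard policy inspects from an ICMPv6 RA (type 134)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    ra = {"hop_limit": icmp6[4], "m": bool(flags & 0x80), "o": bool(flags & 0x40),
          "pref": PRF_RANK[(flags >> 3) & 0b11], "prefixes": []}
    off = 16
    while off < len(icmp6):
        olen = icmp6[off + 1] * 8 if off + 2 <= len(icmp6) else 0
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option")
        if icmp6[off] == 3 and olen == 32:  # Prefix Information option
            ra["prefixes"].append(ipaddress.IPv6Network(
                (icmp6[off + 16:off + 32], icmp6[off + 2]), strict=False))
        off += olen
    return ra

def failed_rules(ra, src_mac, src_ip, policy):
    """Return the configured rules the RA fails; an empty list means forward."""
    src = ipaddress.IPv6Address(src_ip)
    checks = {  # ACL rules are plain value lists: permit/deny is ignored, as on the page
        "source-mac-address": lambda macs: src_mac.lower() in macs,
        "ipv6-source-address": lambda nets: any(src in ipaddress.IPv6Network(n) for n in nets),
        "prefix": lambda nets: all(any(p.subnet_of(ipaddress.IPv6Network(n)) for n in nets)
                                   for p in ra["prefixes"]),
        "hop-limit maximum": lambda v: ra["hop_limit"] <= v,
        "hop-limit minimum": lambda v: ra["hop_limit"] >= v,
        "managed-address-flag": lambda v: ra["m"] == (v == "on"),
        "other-config-flag": lambda v: ra["o"] == (v == "on"),
        "router-preference maximum": lambda v: ra["pref"] <= RANK[v],
    }
    return [name for name, value in policy.items() if not checks[name](value)]

# Constructed policy: the sample RA fails only the router-preference rule
POLICY = {"ipv6-source-address": ["fe80::1/128"], "prefix": ["2001:db8:1::/64"],
          "hop-limit minimum": 32, "other-config-flag": "on",
          "router-preference maximum": "medium"}
```

Calling failed_rules(parse_ra(SAMPLE_RA), "00e0-fc12-3456", "fe80::1", POLICY) names the one rule that would cause the legitimate router's RA to be discarded.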

Copyright © Huawei Technologies Co., Ltd.