RA Guard Configuration
Introduction

RA Guard is used on Layer 2 access devices to prevent Router Advertisement (RA) message spoofing attacks. When a Layer 2 access device receives an RA message with a unicast or multicast MAC address, RA Guard processes the RA message as follows:

- If the port has no port role configured, the RA message is forwarded directly.
- If the port role is router, the RA message is forwarded directly.
- If the port role is user, the RA message is discarded directly.
- If the port role is hybrid, the RA message is matched against the port's RA Guard policy:
  - If the RA Guard policy has matching rules configured, the RA message is forwarded only if it matches all of the rules; otherwise it is discarded.
  - If the RA Guard policy has no matching rules configured, all RA messages are discarded.

Configuration Example

Network Requirements

To prevent Router Advertisement (RA) message spoofing attacks, you need to configure RA Guard policy rules on the device:

- Interface ethernet 2 is connected to an unknown device; the user wants this interface to match and filter RA messages according to the RA Guard policy rules.
- Interface ethernet 1 is connected to a user; the user wants RA messages received on this interface to be discarded directly.
- Interface ethernet 3 is connected to a device that the user fully trusts; RA messages received on this interface are forwarded directly.

Procedure

1. Create a VLAN and add the interfaces to it:

sonic(config)# vlan 100
sonic(config)# port-group ethernet 1-3
sonic(config-port-group-1-3)# switchport access vlan 100

2. Configure the interface roles (the prompt reflects the interface currently selected):

sonic(config)# interface ethernet 1
sonic(config-if-1)# raguard role user
sonic(config)# interface ethernet 2
sonic(config-if-2)# raguard role hybrid
sonic(config)# interface ethernet 3
sonic(config-if-3)# raguard role router

3. Configure the RA Guard policy for the VLAN. The source-address rule below only matches RAs from the link-local address of the legitimate router; with the hybrid role on ethernet 2, RAs from any other source are discarded:

sonic(config)# vlan 100
sonic(config-vlan-100)# raguard policy src-ip fe80::1a17:25ff:fe37:6722
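The forwarding decision described in the Introduction, modelled in Python as an added example (this is not code from the page or from the SONiC project). It parses a minimal IPv6 + ICMPv6 frame, recognises a Router Advertisement by ICMPv6 type 134, and applies the per-role logic, including the two easily-missed cases: a hybrid port whose policy has no rules discards every RA, and a non-RA frame is not subject to RA Guard at all. The frame layout (no Ethernet header, so the destination MAC is not examined), the `src_ip_rule` rule type and the constructed sample frames are assumptions made for the example; the router address is the one used in the configuration above.

```python
"""RA Guard forwarding decision, modelled after the rules in the page's Introduction."""
import ipaddress
import struct
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 RA type
IPV6_NEXT_HEADER_ICMPV6 = 58


class PortRole(Enum):
    NONE = "none"        # no raguard role configured on the port
    ROUTER = "router"
    USER = "user"
    HYBRID = "hybrid"


@dataclass
class RaPacket:
    src_ip: ipaddress.IPv6Address
    dst_ip: ipaddress.IPv6Address
    hop_limit: int


# A policy rule is a predicate over the parsed RA; all configured rules must match.
Rule = Callable[[RaPacket], bool]


@dataclass
class RaGuardPolicy:
    rules: List[Rule] = field(default_factory=list)


def src_ip_rule(allowed: str) -> Rule:
    """Assumed rule type: RA source address must equal the configured address."""
    want = ipaddress.IPv6Address(allowed)
    return lambda ra: ra.src_ip == want


def parse_ra(frame: bytes) -> Optional[RaPacket]:
    """Return an RaPacket if `frame` is an ICMPv6 Router Advertisement, else None.

    Minimal parser: fixed 40-byte IPv6 header, no extension headers, no checksum check.
    """
    if len(frame) < 40 + 4 or (frame[0] >> 4) != 6:
        return None
    next_hdr, hop_limit = frame[6], frame[7]
    if next_hdr != IPV6_NEXT_HEADER_ICMPV6 or frame[40] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    src = ipaddress.IPv6Address(frame[8:24])
    dst = ipaddress.IPv6Address(frame[24:40])
    return RaPacket(src, dst, hop_limit)


def ra_guard_decision(role: PortRole, policy: Optional[RaGuardPolicy], frame: bytes) -> str:
    """Return "forward" or "discard" for a frame received on a port with the given role."""
    ra = parse_ra(frame)
    if ra is None:
        return "forward"                 # not an RA: RA Guard does not apply
    if role in (PortRole.NONE, PortRole.ROUTER):
        return "forward"                 # no role, or trusted router port
    if role == PortRole.USER:
        return "discard"                 # user ports never originate RAs
    # hybrid: a policy with no rules discards everything, otherwise all rules must match
    if policy is None or not policy.rules:
        return "discard"
    return "forward" if all(rule(ra) for rule in policy.rules) else "discard"


def build_ra(src_ip: str, dst_ip: str = "ff02::1", hop_limit: int = 255) -> bytes:
    """Construct a sample IPv6 + ICMPv6 RA frame (constructed test data, checksum left zero)."""
    # ICMPv6 RA: type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    payload = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), IPV6_NEXT_HEADER_ICMPV6, hop_limit)
    hdr += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    return hdr + payload


ROUTER_LL = "fe80::1a17:25ff:fe37:6722"    # legitimate router, as in the configuration above
VLAN100_POLICY = RaGuardPolicy([src_ip_rule(ROUTER_LL)])

if __name__ == "__main__":
    rogue = build_ra("fe80::dead:beef")
    legit = build_ra(ROUTER_LL)
    for name, role in (("ethernet 1", PortRole.USER), ("ethernet 2", PortRole.HYBRID),
                       ("ethernet 3", PortRole.ROUTER)):
        print(name, "legit:", ra_guard_decision(role, VLAN100_POLICY, legit),
              "rogue:", ra_guard_decision(role, VLAN100_POLICY, rogue))
```

The `PortRole.HYBRID` branch is the one to read carefully when troubleshooting: an RA that is dropped on a hybrid port is either failing one of the configured rules or hitting a policy that has been created but has no rules yet.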
