Information
RA (Router Advertisement) Guard is a security feature in AOS-CX switches that monitors and filters IPv6 Router Advertisement messages, allowing only authorized RAs to propagate. It helps prevent rogue or malicious routers from disrupting network operations. When an RA guard policy is enabled (with ipv6 nd-snooping ra-guard policy), RA packets received on trusted ports are validated against a set of parameters configured on the policy and assigned to a port or VLAN. RA Guard policy options include:
- Hop Limit
- Managed Config Flag
- Other Config Flag
- Router Preference
- ACL
- Advertised Prefix Lists
The feature ensures that only trusted router advertisements can influence the IPv6 routing environment. This is critical for maintaining the integrity of the routing configuration and mitigating attacks like rogue RA injection and man-in-the-middle exploits.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
This command enables Router Advertisement (RA) guard on the selected VLAN. When enabled, ingress RA packets on the selected VLAN are dropped on untrusted ports and forwarded only when received on trusted ports -
switch(config)# nd-snooping enable
switch(config)# vlan <id>
switch(config-vlan-id)# nd-snooping ra-guard
switch(config-vlan-id)# exit
switch(config)#
The following commands create an RA guard policy and attach it to a VLAN, so that RA packets received on trusted ports are validated against the set of parameters configured on the policy -
switch(config)# ipv6 nd-snooping ra-guard policy <POLICY-NAME>
switch(config-raguard-policy)# hop-limit <enable | minimum | maximum>
switch(config-raguard-policy)# match <access-list | prefix-list>
switch(config-raguard-policy)# managed-config-flag <on | off>
switch(config-raguard-policy)# other-config-flag <on | off>
switch(config-raguard-policy)# router-preference <high | medium | low>
switch(config-raguard-policy)# exit
switch(config)# vlan <id>
switch(config-vlan-id)# nd-snooping ra-guard attach-policy <POLICY-NAME>
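To make concrete what the policy options above (hop limit, managed/other config flags, router preference, prefix list) actually test on a received RA, here is an added Python model of the validation step. It is not AOS-CX code and does not reproduce the switch's implementation: the RAGuardPolicy field names, the reading of router-preference as a maximum allowed value, and the two sample RA messages are assumptions made for illustration. The parser follows the RA and Prefix Information formats in RFC 4861 and the preference bits in RFC 4191.

```python
"""Added example: model of RA Guard policy checks over constructed RA messages.
Not AOS-CX code; policy field names and sample packets are assumptions."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

ND_ROUTER_ADVERT = 134        # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3           # Prefix Information option type (RFC 4861 4.6.2)
# RFC 4191 Prf bits; the reserved value 10 MUST be treated as medium by receivers.
PREF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
PREF_RANK = {"high": 2, "medium": 1, "low": 0}


@dataclass
class RAGuardPolicy:
    """Assumed policy structure mirroring the options listed on the page."""
    hop_limit_min: Optional[int] = None          # None = not checked
    hop_limit_max: Optional[int] = None
    managed_config_flag: Optional[bool] = None
    other_config_flag: Optional[bool] = None
    router_preference: Optional[str] = None      # highest preference allowed (assumption)
    prefix_list: list = field(default_factory=list)  # allowed prefixes; empty = any


def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 RA (header + options). The checksum is not verified here
    because it needs the IPv6 pseudo-header, which this sample does not carry."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    icmp_type, code, _csum, cur_hop, flags, lifetime = struct.unpack("!BBHBBH", payload[:8])
    if icmp_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": cur_hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "preference": PREF_NAMES[(flags >> 3) & 0x3], "router_lifetime": lifetime,
          "prefixes": []}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861 4.6: must be discarded
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated option body")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = payload[off + 2]
            ra["prefixes"].append(ipaddress.IPv6Network((payload[off + 16:off + 32], plen), strict=False))
        off = end
    return ra


def evaluate(policy: RAGuardPolicy, ra: dict) -> Tuple[bool, str]:
    """Return (permit, reason). Each branch corresponds to one policy option above."""
    hl = ra["hop_limit"]
    if policy.hop_limit_min is not None and hl < policy.hop_limit_min:
        return False, f"hop limit {hl} below minimum {policy.hop_limit_min}"
    if policy.hop_limit_max is not None and hl > policy.hop_limit_max:
        return False, f"hop limit {hl} above maximum {policy.hop_limit_max}"
    if policy.managed_config_flag is not None and ra["managed"] != policy.managed_config_flag:
        return False, "managed-config flag mismatch"
    if policy.other_config_flag is not None and ra["other"] != policy.other_config_flag:
        return False, "other-config flag mismatch"
    if policy.router_preference is not None and \
            PREF_RANK[ra["preference"]] > PREF_RANK[policy.router_preference]:
        return False, f"router preference {ra['preference']} exceeds {policy.router_preference}"
    if policy.prefix_list:
        for p in ra["prefixes"]:
            if not any(p.subnet_of(allowed) for allowed in policy.prefix_list):
                return False, f"advertised prefix {p} not in allowed prefix list"
    return True, "permitted"


def build_ra(hop_limit: int, managed: bool, other: bool, preference: str, prefixes) -> bytes:
    """Construct a minimal RA with Prefix Information options (checksum left as 0)."""
    prf = {"high": 0b01, "medium": 0b00, "low": 0b11}[preference]
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | (prf << 3)
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags, 1800, 0, 0)
    for net in map(ipaddress.IPv6Network, prefixes):
        # type, len (8-byte units), prefix length, L|A flags, valid, preferred, reserved
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        pkt += net.network_address.packed
    return pkt


def check(policy: RAGuardPolicy, payload: bytes) -> Tuple[bool, str]:
    return evaluate(policy, parse_ra(payload))


# Constructed policy and samples (assumptions, not captured traffic).
POLICY = RAGuardPolicy(hop_limit_min=64, hop_limit_max=255, managed_config_flag=False,
                       other_config_flag=True, router_preference="medium",
                       prefix_list=[ipaddress.IPv6Network("2001:db8:10::/48")])
LEGIT_RA = build_ra(64, False, True, "medium", ["2001:db8:10:1::/64"])
ROGUE_RA = build_ra(64, False, True, "high", ["2001:db8:bad::/64"])  # claims high pref, foreign prefix

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(name, check(POLICY, pkt))
```

The ordering of checks is the model's own choice; a switch may report a different first failure. The point the example makes is that a policy only constrains what it is configured for: with prefix_list left empty, the rogue RA's foreign prefix would pass, so an Advertised Prefix List (or ACL) entry is what actually pins trusted routers to the prefixes they are expected to announce.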
Impact:
By deploying RA Guard, network administrators can prevent unauthorized devices from acting as routers, reducing the risk of network disruptions and enhancing overall IPv6 network stability, security, and performance.
Item Details
Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|CA-7, 800-53|CA-9, 800-53|MP-2, 800-53|SC-4, 800-53|SC-7, CSCv7|14.1, CSCv7|14.2, CSCv7|14.6, CSCv7|14.7
Control ID: bdaa0308a0418cf5eb0269ecc0cfb6c22a49752443ebd54f733357c72ebe3a2d