IPv6 RA Guard

This topic is to discuss the following lesson:

You are using real gear or vios?

Hello Heriberto

As far as I know for most of Rene’s labs he uses Cisco’s VIRL.


Hi, so I’m trying to understand whats going on with this so I’ve created the test setup int CML2 and looking at the commands should the command be
show ipv6 route nd instead of
show ipv6 route static ?
as when I type in show ipv6 route static I don’t see any entries
but if I type in

H1#sh ipv6 route nd
    IPv6 Routing Table - default - 6 entries
    Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
           B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
           H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
           IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
           ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
           RL - RPL, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
           OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
           la - LISP alt, lr - LISP site-registrations, ld - LISP dyn-eid
           lA - LISP away, a - Application
    ND  ::/0 [2/0]
         via FE80::5054:FF:FE10:83BD, GigabitEthernet0/1
    NDp 2001:DB8:0:1::/64 [2/0]
         via GigabitEthernet0/1, directly connected
    NDp 2001:DB8:BAD:BAD::/64 [2/0]
         via GigabitEthernet0/1, directly connected


Hello Andy

Yes, you seem to be correct. The default route that will appear in H1 should be learned via NDP from either the legitimate or the hijacker router, and should not appear as a static route. I will let Rene know about this to modify the content…

Thanks again!


1 Like

I am trying to implement RAguard attach-policy on the interface but I get this message:
% Hardware failure
I am labbing on vIOS VIRL image with EVE-NG, is that due to the virtual appliance that doesn’t support the feature or am I missing something ?
Does it work for someone ?
Thank you

Hello Mathieu

Hmm, that’s strange. I tried labbing this up in CML and it worked fine for me. I tried searching for similar circumstances that others may have faced for this command, but I was unable to find any additional information. Can you attempt to recreate the same scenario on GNS3 to see if you get a similar result? Check it out and let us know…

I hope this has been helpful!


Hello @lagapides thank you for your reply and sorry I had no time to test on gns3.
I need to deploy a new instance. I will try ASAP

1 Like

So here is a related question… I have a router that is taking in a trunk from my switch. This trunk has 4 vlans going over it (all in different VRF-lite entries on the router if that matters). Does applying this policy on a trunk do anything? Does it affect all vlans or is it an access port only policy? If only an access port policy, then how do I apply the server policy to the router port?


Hello Marcos

You can apply this command to a trunk port, and it will apply the feature to all VLANs on the trunk. Looking at the command reference (see below) you can see that there are additional keywords that you can use to specify on which VLAN you want the policy to be applied. If you don’t specify a VLAN it will apply it to all of them. Take a look at this command reference for details:

I hope this has been helpful!