
RA Guard Blocking Router Advertisements on Correct Interface

Presenting Symptom

IPv6 hosts on a VLAN are not receiving Router Advertisements (RAs) and cannot autoconfigure IPv6 addresses or set a default gateway.

Network Context

A small enterprise campus network with a Layer 3 switch (Cisco Catalyst 3850 running IOS XE 16.9) acting as the default gateway for multiple VLANs. The switch has IPv6 routing enabled and is configured to send RAs on VLAN 10. A host on VLAN 10 reports no IPv6 connectivity; its IPv6 address is link-local only.

Diagnostic Steps

Step 1: Check if the interface is enabled for IPv6 and RA generation

show ipv6 interface vlan 10
Vlan10 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfiguration for addresses.

The output shows that IPv6 is enabled and RAs are being sent (every 200 seconds). However, the host is not receiving them. This suggests the RAs are being blocked somewhere.

Step 2: Verify the RA Guard configuration on the switch

show ipv6 nd raguard policy
RA Guard policy: BLOCK-RA
  device-role router
  match ra prefix-list ANY
  deny
  (no match)

The RA Guard policy named 'BLOCK-RA' is configured with 'device-role router' and 'deny'. This policy is applied to an interface and will block RAs from any device that is not a trusted router. If the policy is applied to the host-facing interface, it will block the switch's own RAs.

Step 3: Identify which interfaces have RA Guard applied

show running-config | include raguard
interface GigabitEthernet1/0/1
 ipv6 nd raguard attach-policy BLOCK-RA
!

RA Guard policy 'BLOCK-RA' is attached to GigabitEthernet1/0/1, which is the interface connecting to the host. This policy is blocking the RAs sent by the switch itself because the switch is not recognized as a trusted router by the policy.

Step 4: Check the RA Guard policy details to understand the blocking criteria

show ipv6 nd raguard policy BLOCK-RA
RA Guard policy: BLOCK-RA
  device-role router
  match ra prefix-list ANY
  deny
  (no match)

The policy has 'device-role router' and 'deny'. This means it denies RAs from devices that are not trusted routers. Since the switch is the source of the RAs and the policy is applied inbound on the host-facing interface, the switch's own RAs are being dropped because the switch is not considered a trusted router by the policy, even though it is the default gateway. The policy should either be removed or changed to 'device-role host' to allow RAs from the switch.

Root Cause

RA Guard policy 'BLOCK-RA' is applied inbound on the host-facing interface (GigabitEthernet1/0/1) with 'device-role router' and 'deny'. This configuration blocks all Router Advertisements, including those sent by the switch itself, because the switch is not recognized as a trusted router. As a result, hosts on VLAN 10 do not receive RAs and cannot autoconfigure IPv6 addresses or learn the default gateway.

Resolution

Remove the RA Guard policy from the host-facing interface, or modify the policy to allow RAs from the switch. The simplest fix is to remove the policy:

interface GigabitEthernet1/0/1
 no ipv6 nd raguard attach-policy BLOCK-RA

Alternatively, if RA Guard is required for security, change the policy to 'device-role host' so that RAs from the switch are allowed:

ipv6 nd raguard policy BLOCK-RA
 device-role host

Then reapply the policy to the interface. However, removing the policy is the most straightforward resolution.

Verification

After removing the policy, verify that the host receives RAs.

On the host: ipconfig /all (Windows) or ifconfig (Linux) should show an IPv6 global unicast address and a default gateway.

On the switch:

show ipv6 interface vlan 10 | include ND advertised
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds

Also check that the host can ping the switch's link-local address:

ping FE80::1%<interface>

Prevention

1. Apply RA Guard only on interfaces where untrusted devices (e.g., user hosts) are connected, and ensure the policy is configured with 'device-role host' to allow RAs from legitimate routers.
2. Before deploying RA Guard, test the policy in a lab to verify that it does not block legitimate RAs.
3. Use RA Guard together with DHCPv6 Guard and the other IPv6 First Hop Security features, but plan each policy carefully to avoid blocking necessary traffic.
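As an added audit helper (not code from the original page or from Cisco), the following Python parses a saved IOS running-config and reports, per interface, which RA Guard policy is attached and which device-role that policy carries, so the role on every host-facing port can be checked against item 1 above. The running-config sample is constructed; the policy name HOST-PORTS is made up for illustration, while BLOCK-RA and GigabitEthernet1/0/1 come from the scenario.

```python
import re

# Constructed sample running-config (not the page's switch): a router-role
# policy attached to Gi1/0/1 and a host-role policy attached to Gi1/0/2.
SAMPLE_CONFIG = """\
ipv6 nd raguard policy BLOCK-RA
 device-role router
!
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
interface GigabitEthernet1/0/1
 ipv6 nd raguard attach-policy BLOCK-RA
!
interface GigabitEthernet1/0/2
 ipv6 nd raguard attach-policy HOST-PORTS
!
"""

def config_blocks(config: str):
    """Yield (header, child_lines) for each top-level IOS config stanza."""
    header, children = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # skip blank lines and '!' separators
        if line.startswith(" "):
            children.append(line.strip()) # indented line belongs to current stanza
            continue
        if header is not None:
            yield header, children
        header, children = line.strip(), []
    if header is not None:
        yield header, children

def audit_raguard(config: str) -> dict:
    """Map each interface with an attached RA Guard policy to that policy's device-role."""
    roles = {}     # policy name -> explicit device-role, or None if the line is absent
    attached = {}  # interface name -> attached policy name
    for header, children in config_blocks(config):
        if m := re.match(r"ipv6 nd raguard policy (\S+)$", header):
            roles[m.group(1)] = next(
                (c.split()[1] for c in children if c.startswith("device-role ")), None)
        elif m := re.match(r"interface (\S+)$", header):
            for c in children:
                if a := re.match(r"ipv6 nd raguard attach-policy (\S+)$", c):
                    attached[m.group(1)] = a.group(1)
    # A policy referenced but never defined yields device_role None as well.
    return {i: {"policy": p, "device_role": roles.get(p)} for i, p in attached.items()}

if __name__ == "__main__":
    for intf, info in audit_raguard(SAMPLE_CONFIG).items():
        print(f"{intf}: policy={info['policy']} device-role={info['device_role']}")
```

Run it against the output of `show running-config` saved to a file to list every port carrying an RA Guard policy alongside the role that policy applies.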

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why IPv6 hosts are not receiving RAs. The exam tests understanding of RA Guard configuration and its impact on IPv6 autoconfiguration. A candidate must know that RA Guard with 'device-role router' blocks RAs from all devices except trusted routers, and that applying it to a host-facing interface can block the switch's own RAs.

Exam Tips

1. Remember that RA Guard is used to prevent rogue RA attacks, but misconfiguration can block legitimate RAs.
2. The default device-role in RA Guard is 'router', which blocks RAs from non-trusted devices. If applied to a host-facing interface, it will block the switch's RAs unless the switch is explicitly trusted.
3. Use 'show ipv6 nd raguard policy' to view the policy details and 'show running-config | include raguard' to find where it is applied.

Commands Used in This Scenario

show ipv6 interface vlan 10
show ipv6 nd raguard policy
show ipv6 nd raguard policy BLOCK-RA
show running-config | include raguard
no ipv6 nd raguard attach-policy BLOCK-RA (interface configuration)
ipv6 nd raguard policy BLOCK-RA / device-role host (policy configuration)
ping FE80::1%<interface> (on the host)
