Configure RA Guard in RA Guard Mode
About this task
Configures RA Guard in the RA Guard configuration mode.
Procedure
Variable Definitions
The following table defines parameters to configure RA Guard policy.
| Variable | Description |
|---|---|
| match ra-prefix-list WORD<1–64> | Verifies the advertised prefixes in RA packets against the configured authorized prefix list. Note: The RA packet's sender IPv6 address is not validated if no IPv6 source access list is attached to the RA Guard policy. If the list is attached and the RA packet's sender IPv6 address does not match any entry in that IPv6 prefix list, the RA packet is dropped. To change this behavior, add an entry with IPv6 prefix “0::0/0” with the Allow option. The default value changes from Drop to Allow. |
| {no \| default} match ra-prefix-list | Removes the advertised prefix-based RA Guard filtering. |
| match ra-macaddr-list WORD<1–64> | Verifies the sender's source MAC address against the configured mac-access-list. Note: Advertised prefixes in the RA packet are not validated if no IPv6 prefix list is attached to the RA Guard policy. If the list is attached and the sender's source MAC address does not match any MAC in the list, the RA packet is dropped. |
| {no \| default} match ra-macaddr-list | Removes the source MAC address-based RA Guard filtering for the specified MAC address access list names. |
| match ra-srcaddr-list WORD<1–64> | Verifies the sender's source IPv6 address against the configured list. Note: Inspection is not done if the access list is not attached. If the list is attached and the source IPv6 address does not match any IPv6 address in the list, the RA packet is dropped. To change the behavior, add a dummy IPv6 “0:0:0:0:0:0” to the list with the Allow option. The default value changes from Drop to Allow. |
| {no \| default} match ra-srcaddr-list | Removes the source IPv6 address-based RA Guard filtering for the specified IPv6 address access list names. |
| managed-config-flag <none \| on \| off> | Verifies the managed address configuration flag in the advertised RA packet. By default, the value is none and the check is bypassed. |
| hop-limit {maximum \| minimum} <0–255> | Verifies the advertised hop count limit. The limit value range is from 0 to 255. When changing the minimum or maximum value, ensure the maximum value is greater than the minimum value. By default, the minimum and maximum limits are 0. In this case, the hop-limit check is bypassed. |
| router-preference maximum {none \| high \| low \| medium} | Verifies that the advertised default router-preference parameter value is lower than or equal to a specified limit. By default, the value is none and the check is bypassed. |
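
The following Python model is an added example, not vendor code or the switch's implementation; it shows how the checks in the table combine into a forward or drop decision for one RA, including the bypass defaults. The names `Policy` and `evaluate`, the order of the checks, the allow-only treatment of lists, the subnet-style prefix match, the inclusive hop-limit range, and all sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PREF_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Policy:
    # None = list not attached, so that check is skipped (per the table).
    ra_prefix_list: Optional[list] = None   # authorized prefixes (allow entries only)
    ra_macaddr_list: Optional[list] = None
    ra_srcaddr_list: Optional[list] = None
    managed_config_flag: str = "none"       # none | on | off
    hop_min: int = 0                        # 0/0 = hop-limit check bypassed
    hop_max: int = 0
    router_pref_max: str = "none"           # none | low | medium | high

def evaluate(p: Policy, ra: dict) -> tuple:
    """Return (verdict, reason) for one parsed RA."""
    if p.ra_macaddr_list is not None:
        if ra["src_mac"].lower() not in {m.lower() for m in p.ra_macaddr_list}:
            return "drop", "ra-macaddr-list"
    if p.ra_srcaddr_list is not None:
        src = ipaddress.ip_address(ra["src_ip"])
        if src not in {ipaddress.ip_address(a) for a in p.ra_srcaddr_list}:
            return "drop", "ra-srcaddr-list"
    if p.ra_prefix_list is not None:
        allowed = [ipaddress.ip_network(n) for n in p.ra_prefix_list]
        for adv in map(ipaddress.ip_network, ra["prefixes"]):
            # Assumption: an advertised prefix matches if it is inside an allowed one.
            if not any(adv.subnet_of(a) for a in allowed):
                return "drop", "ra-prefix-list"
    if p.managed_config_flag != "none":
        if ra["m_flag"] != (p.managed_config_flag == "on"):
            return "drop", "managed-config-flag"
    if (p.hop_min, p.hop_max) != (0, 0):
        # Assumption: advertised hop limit must fall within [min, max].
        if not p.hop_min <= ra["hop_limit"] <= p.hop_max:
            return "drop", "hop-limit"
    if p.router_pref_max != "none":
        if PREF_RANK[ra["router_pref"]] > PREF_RANK[p.router_pref_max]:
            return "drop", "router-preference"
    return "forward", "all configured checks passed"

# Constructed sample data (documentation address ranges, not from the page).
POLICY = Policy(ra_prefix_list=["2001:db8:1::/48"], ra_macaddr_list=["00:00:5e:00:53:01"],
                hop_min=32, hop_max=64, router_pref_max="medium")
GOOD_RA = {"src_mac": "00:00:5E:00:53:01", "src_ip": "fe80::1", "prefixes": ["2001:db8:1:10::/64"],
           "m_flag": False, "hop_limit": 64, "router_pref": "medium"}
ROGUE_RA = dict(GOOD_RA, prefixes=["2001:db8:bad::/64"], router_pref="high")
```

With an empty `Policy()` every check is bypassed and the rogue RA is forwarded, which is why a policy with no lists or limits attached provides no filtering.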