IPv6 First Hop Security
683 Cisco Sx350 Ph. 2.2.5 Devices - Command Line Interface Reference Guide
29
29.56 match ra prefixes
To enable verification of the advertised prefixes in received RA messages within
an IPv6 RA Guard policy, use the match ra prefixes command in RA Guard Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
match ra prefixes {prefix-list
ipv6-prefix-list-name
} | disable
no match ra prefixes
Parameters
• prefix-list
ipv6-prefix-list-name
—The IPv6 prefix list to be matched.
• disable—Disables verification of the advertised prefixes in received RA
messages.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: advertised prefixes are not verified.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
This command enables verification of the advertised prefixes in received RA
messages by a configured prefix list. If an advertised prefix does not match the
prefix list, or if the prefix list is not configured, the RA message is dropped.
Use the disable keyword to disable verification of the advertised prefixes in
received RA messages in both global or the VLAN configuration.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard configuration mode, matches the prefixes to the prefix list
named list1, and the 2001:101::/64 prefixes and denies 2001:100::/64 prefixes:
switchxxxxxx(config)#
ipv6 nd raguard policy
policy1
To Next Page
Loading...
