IPv6 First Hop Security
OL-32830-01 Command Line Interface Reference Guide
switchxxxxxx(config)# ipv6 nd raguard hop-limit minimum 3 maximum 100
25.34 ipv6 nd raguard managed-config-flag
To globally enable verification of the advertised Managed Address
Configuration flag in RA messages, use the ipv6 nd raguard managed-config-flag
command in Global Configuration mode. To return to the default, use the no form of
this command.
Syntax
ipv6 nd raguard managed-config-flag {on | off}
no ipv6 nd raguard managed-config-flag
Parameters
• on—The value of the flag must be 1.
• off—The value of the flag must be 0.
Default Configuration
Verification is disabled.
Command Mode
Global Configuration mode
User Guidelines
This command enables verification of the advertised Managed Address
Configuration flag (or the M flag) in an RA message (see RFC 4861). This flag could
be set by an attacker to force hosts to obtain addresses through a DHCPv6 server
that might not be trustworthy.
Example
The following example enables M flag verification that checks if the value of the
flag is 0:
switchxxxxxx(config)# ipv6 nd raguard managed-config-flag off
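The check that this command configures can be sketched as follows. This is an added example, not code from the guide or the switch firmware: the function names and the sample RA bytes are constructed for illustration, and the header layout is the Router Advertisement format from RFC 4861.

```python
import struct
from typing import Optional

RA_TYPE = 134   # ICMPv6 Router Advertisement (RFC 4861, section 4.2)
M_FLAG = 0x80   # Managed Address Configuration bit
O_FLAG = 0x40   # Other Configuration bit
# Type, Code, Checksum, Cur Hop Limit, flags, Router Lifetime,
# Reachable Time, Retrans Timer: 16 bytes in network byte order.
RA_HEADER = "!BBHBBHII"


def parse_ra_flags(icmpv6: bytes) -> dict:
    """Parse the fixed RA header and return its hop limit and M/O flags."""
    if len(icmpv6) < struct.calcsize(RA_HEADER):
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _cksum, hop_limit, flags, _life, _reach, _retrans = \
        struct.unpack(RA_HEADER, icmpv6[:16])
    if msg_type != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    return {"hop_limit": hop_limit,
            "M": int(bool(flags & M_FLAG)),
            "O": int(bool(flags & O_FLAG))}


def m_flag_permitted(icmpv6: bytes, policy: Optional[str]) -> bool:
    """Apply the M flag policy: 'on' requires M=1, 'off' requires M=0.

    policy=None models the default configuration (verification disabled).
    """
    if policy is None:
        return True
    if policy not in ("on", "off"):
        raise ValueError("policy must be 'on', 'off' or None")
    ra = parse_ra_flags(icmpv6)
    return ra["M"] == (1 if policy == "on" else 0)


def build_ra(m: int, o: int = 0, hop_limit: int = 64) -> bytes:
    """Build a constructed RA header for testing (checksum left as 0)."""
    flags = (M_FLAG if m else 0) | (O_FLAG if o else 0)
    return struct.pack(RA_HEADER, RA_TYPE, 0, 0, hop_limit, flags, 1800, 0, 0)


if __name__ == "__main__":
    # Constructed sample input: RAs with M=0 and M=1 under each policy.
    for m in (0, 1):
        for policy in (None, "on", "off"):
            verdict = m_flag_permitted(build_ra(m), policy)
            print(f"M={m} policy={policy}: permit={verdict}")
```

With the policy set to off, as in the example above, an RA that advertises M=1 fails the check while one with M=0 passes.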