OL-32830-01 Command Line Interface Reference Guide
IPv6 First Hop Security
Syntax
match ra address {prefix-list ipv6-prefix-list-name} | disable
no match ra address
Parameters
• prefix-list ipv6-prefix-list-name—The IPv6 prefix list to be matched.
• disable—Disables verification of the router's IPv6 address.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: router's addresses are not verified.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
This command enables verification of the router's IPv6 address in received RA
messages by a configured prefix list. If the router's source IPv6 address does not
match the prefix list or if the prefix list is not configured, the RA message is
dropped.
Use the disable keyword to disable verification of the router's IPv6 address
regardless of the VLAN configuration.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, matches the router addresses to
the prefix list named list1, and defines the prefix list named list1 authorizing the
router with link-local address FE80::A8BB:CCFF:FE01:F700 only:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# match ra address prefix-list list1
switchxxxxxx(config-ra-guard)# exit
switchxxxxxx(config)# ipv6 prefix-list list1 permit FE80::A8BB:CCFF:FE01:F700/128
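The inheritance and drop rules stated under Default Configuration and User Guidelines can be modelled as a small decision function. This is an added illustration, not code from the guide or the switch software; the function names, the "pass"/"drop" strings, and first-match evaluation of prefix-list entries are assumptions.

```python
import ipaddress

DISABLE = "disable"  # models "match ra address disable"

# Constructed sample: the prefix list from the guide's example.
PREFIX_LISTS = {"list1": [("permit", "FE80::A8BB:CCFF:FE01:F700/128")]}


def effective_setting(port_setting, vlan_setting):
    """Resolve which 'match ra address' setting applies to a received RA.

    Each argument is None (command not configured in that policy),
    DISABLE, or the name of a prefix list.
    """
    # A port policy without the command takes the VLAN policy's value.
    return port_setting if port_setting is not None else vlan_setting


def ra_address_verdict(src, port_setting, vlan_setting, prefix_lists=PREFIX_LISTS):
    """Return 'pass' or 'drop' for the router-address check only."""
    setting = effective_setting(port_setting, vlan_setting)
    if setting is None or setting == DISABLE:
        return "pass"  # router addresses are not verified
    entries = prefix_lists.get(setting)
    if entries is None:
        return "drop"  # policy names a prefix list that is not configured
    addr = ipaddress.IPv6Address(src)
    for action, prefix in entries:  # assumption: first matching entry decides
        if addr in ipaddress.IPv6Network(prefix):
            return "pass" if action == "permit" else "drop"
    return "drop"  # source address matched no entry


if __name__ == "__main__":
    router = "fe80::a8bb:ccff:fe01:f700"  # authorized router from the example
    other = "fe80::1"                     # constructed unlisted source
    for src, port, vlan in [(router, None, "list1"), (other, None, "list1"),
                            (other, DISABLE, "list1"), (router, "list2", None)]:
        print(src, port, vlan, "->", ra_address_verdict(src, port, vlan))
```

The verdict covers only the router-address check; an RA that passes here may still be dropped by other RA Guard policy checks.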