Step 1 | configure terminal
Example:
Switch# configure terminal
|
Enters global configuration mode.
|
Step 2 | [no] ipv6 nd raguard policy policy-name
Example:
Switch(config)# ipv6 nd raguard policy example_policy
|
Specifies the RA Guard policy name and enters RA Guard Policy configuration mode.
|
Step 3 | [no] device-role {host | monitor | router | switch}
Example:
Switch(config-nd-raguard)# device-role switch
|
Specifies the role of the device attached to the port. The default is host.
|
Step 4 | [no] hop-limit {maximum | minimum} value
Example:
Switch(config-nd-raguard)# hop-limit maximum 33
|
Enables filtering of Router Advertisement messages by the Hop Limit value. The range for the maximum and minimum Hop Limit values is 1–255. A rogue RA message may have a low Hop Limit value (equivalent to the IPv4 Time to Live) that, when accepted by the host, prevents the host from generating traffic to destinations beyond the rogue RA message generator. An RA message with an unspecified Hop Limit value is blocked.
If not configured, this filter is disabled. Configure minimum to block RA messages with Hop Limit values lower than the value you specify. Configure maximum to block RA messages with Hop Limit values greater than the value you specify.
|
Step 5 | [no] managed-config-flag {off | on}
Example:
Switch(config-nd-raguard)# managed-config-flag on
|
Enables filtering of Router Advertisement messages by the Managed Address Configuration, or "M" flag field. A rogue RA message with an M field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.
On—Accepts and forwards RA messages with an M value of 1, blocks those with 0.
Off—Accepts and forwards RA messages with an M value of 0, blocks those with 1.
|
Step 6 | [no] match {ipv6 access-list list | ra prefix-list list}
Example:
Switch(config-nd-raguard)# match ipv6 access-list example_list
|
Matches a specified prefix list or access list.
|
Step 7 | [no] other-config-flag {on | off}
Example:
Switch(config-nd-raguard)# other-config-flag on
|
Enables filtering of Router Advertisement messages by the Other Configuration, or "O" flag field. A rogue RA message with an O field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.
On—Accepts and forwards RA messages with an O value of 1, blocks those with 0.
Off—Accepts and forwards RA messages with an O value of 0, blocks those with 1.
|
Step 8 | [no] router-preference maximum {high | medium | low}
Example:
Switch(config-nd-raguard)# router-preference maximum high
|
Enables filtering of Router Advertisement messages by the Router Preference flag. If not configured, this filter is disabled.
- high—Accepts RA messages with the Router Preference set to high, medium, or low.
- medium—Blocks RA messages with the Router Preference set to high.
- low—Blocks RA messages with the Router Preference set to medium and high.
|
Step 9 | [no] trusted-port
Example:
Switch(config-nd-raguard)# trusted-port
|
When configured as a trusted port, all attached devices are trusted, and no further message verification is performed.
|
Step 10 | default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list} | other-config-flag | router-preference maximum | trusted-port}
Example:
Switch(config-nd-raguard)# default hop-limit
|
Restores a command to its default value.
|
Step 11 | do show ipv6 nd raguard policy policy_name
Example:
Switch(config-nd-raguard)# do show ipv6 nd raguard policy example_policy
|
(Optional) Displays the ND Guard Policy configuration without exiting the RA Guard policy configuration mode.
|
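
The filters in Steps 4, 5, 7, 8 and 9 can be checked against sample RA messages before a policy is rolled out. The Python sketch below is an added example, not vendor code or the switch's implementation: it models only those filters as the table describes them, and the class names, the order of the checks, the policy values and the sample RA messages are all constructed assumptions (device-role and match are left out).

```python
from dataclasses import dataclass
from typing import Optional

PREF_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Policy:  # None = filter not configured, i.e. disabled
    hop_min: Optional[int] = None      # hop-limit minimum
    hop_max: Optional[int] = None      # hop-limit maximum
    m_flag: Optional[bool] = None      # managed-config-flag on/off
    o_flag: Optional[bool] = None      # other-config-flag on/off
    pref_max: Optional[str] = None     # router-preference maximum
    trusted: bool = False              # trusted-port

@dataclass
class RA:  # only the RA fields these filters inspect
    hop_limit: int                     # 0 = unspecified
    m_flag: bool
    o_flag: bool
    pref: str = "medium"

def evaluate(p: Policy, ra: RA) -> tuple:
    """Return (forwarded, reason). Check order is an assumption."""
    if p.trusted:
        return True, "trusted-port: no verification"
    if p.hop_min is not None or p.hop_max is not None:
        if ra.hop_limit == 0:
            return False, "hop limit unspecified"
        if p.hop_min is not None and ra.hop_limit < p.hop_min:
            return False, "hop limit below minimum"
        if p.hop_max is not None and ra.hop_limit > p.hop_max:
            return False, "hop limit above maximum"
    if p.m_flag is not None and ra.m_flag != p.m_flag:
        return False, "M flag mismatch"
    if p.o_flag is not None and ra.o_flag != p.o_flag:
        return False, "O flag mismatch"
    if p.pref_max is not None and PREF_RANK[ra.pref] > PREF_RANK[p.pref_max]:
        return False, "router preference above maximum"
    return True, "passed configured filters"

# Constructed sample: SLAAC-only segment, so M and O must both be 0.
POLICY = Policy(hop_min=32, m_flag=False, o_flag=False, pref_max="medium")
SAMPLES = {
    "legitimate": RA(hop_limit=64, m_flag=False, o_flag=False),
    "low hop limit": RA(hop_limit=1, m_flag=False, o_flag=False),
    "unspecified hop limit": RA(hop_limit=0, m_flag=False, o_flag=False),
    "points hosts at DHCPv6": RA(hop_limit=64, m_flag=True, o_flag=False),
    "high preference": RA(hop_limit=64, m_flag=False, o_flag=False, pref="high"),
}

if __name__ == "__main__":
    for name, ra in SAMPLES.items():
        print(f"{name:24} {evaluate(POLICY, ra)}")
```

A Policy() with no arguments forwards every RA, which mirrors the "If not configured, this filter is disabled" wording in the table.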