match-option
Syntax
match-option {
    hop-limit {
        (maximum | minimum) value;
    }
    managed-config-flag;
    other-config-flag;
    router-preference maximum (high | low | medium);
}
Hierarchy Level
[edit forwarding-options access-security router-advertisement-guard policy policy-name accept (Router Advertisement Guard Policy)]
Description
Configure one or more parameters such as hop-count limit, managed configuration flag, other configuration flag, or router preference priority as the match condition to be associated with an IPv6 Router Advertisement (RA) guard accept policy.
RA guard protects against rogue RA messages generated either maliciously or unintentionally by unauthorized or improperly configured routers connecting to the network segment. An RA guard policy is used to validate incoming RA messages on the basis of whether they match the conditions defined in the policy.
You can associate match lists (see match-list) or match conditions with an accept policy. You can configure match conditions by using the match-option statement in an RA guard accept policy. When RA guard is enabled by using an accept policy, any RA messages that match the conditions defined in the policy are forwarded, and RA messages that do not match the conditions are dropped.
Options
hop-limit
Configure the RA guard policy to verify the minimum or maximum hop count for an incoming RA message. Use
managed-config-flag
Configure the RA guard policy to verify that the managed address configuration flag of an incoming RA message is set. When the managed address configuration flag is set, it indicates that addresses are available for allocation by Dynamic Host Configuration Protocol version 6 (DHCPv6).
other-config-flag
Configure the RA guard policy to verify that the other configuration flag of an incoming RA message is set. When this flag is set, it indicates that other configuration information is available through DHCPv6. Examples of such information are DNS-related information or information on other servers within the network.
router-preference-maximum
Configure the RA guard policy to verify that the default router preference parameter value of an incoming RA message is lower than or equal to a specified limit. The default router preference value improves the ability of IPv6 hosts to select a default router to reach a remote destination when the host has multiple routers on its default router list. Use
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1X53-D55.
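Added example (not Juniper code, and not part of the original page): a Python model of how the match conditions above map onto the fields of an ICMPv6 Router Advertisement, useful for checking which RAs a planned accept policy would forward or drop. It assumes that all configured conditions must match, and that hop-limit is compared with the Cur Hop Limit field of the RA; the MatchOption class and the function names are hypothetical.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 4191 Prf bits: 01 = high, 00 = medium, 11 = low, 10 = reserved (treated as medium)
PRF_RANK = {0b11: 0, 0b00: 1, 0b10: 1, 0b01: 2}
RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class MatchOption:  # hypothetical model of the match-option statement
    hop_limit_min: Optional[int] = None
    hop_limit_max: Optional[int] = None
    managed_config_flag: bool = False
    other_config_flag: bool = False
    router_preference_max: Optional[str] = None  # "high" | "medium" | "low"

def parse_ra(icmp: bytes) -> dict:
    """Parse the fixed 16-byte ICMPv6 Router Advertisement header (RFC 4861)."""
    if len(icmp) < 16:
        raise ValueError("truncated RA")
    typ, code, _cksum, cur_hop, flags, _life = struct.unpack("!BBHBBH", icmp[:8])
    if typ != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    return {"hop_limit": cur_hop,              # assumption: field used by hop-limit
            "managed": bool(flags & 0x80),     # M flag
            "other": bool(flags & 0x40),       # O flag
            "pref": PRF_RANK[(flags >> 3) & 0b11]}

def accept(policy: MatchOption, icmp: bytes) -> bool:
    """True = forward, False = drop. Unparseable messages are dropped."""
    try:
        ra = parse_ra(icmp)
    except ValueError:
        return False
    return all([  # assumption: every configured condition must match
        policy.hop_limit_min is None or ra["hop_limit"] >= policy.hop_limit_min,
        policy.hop_limit_max is None or ra["hop_limit"] <= policy.hop_limit_max,
        not policy.managed_config_flag or ra["managed"],
        not policy.other_config_flag or ra["other"],
        policy.router_preference_max is None
        or ra["pref"] <= RANK[policy.router_preference_max],
    ])

def build_ra(hop: int, m: bool, o: bool, prf_bits: int) -> bytes:
    """Constructed sample RA header for testing (checksum left as zero)."""
    flags = (0x80 if m else 0) | (0x40 if o else 0) | (prf_bits << 3)
    return struct.pack("!BBHBBHII", 134, 0, 0, hop, flags, 1800, 0, 0)
```

Because the Prf field is not numerically ordered (low is encoded as 11, high as 01), the comparison has to go through a rank table rather than compare the raw bits.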