IPv6 First-Hop Security — RA Guard, DHCPv6 Guard, ND Inspection, IPv6 Source Guard
The four Layer-2 security features every enterprise needs when it enables IPv6: RA Guard blocks rogue Router Advertisements, DHCPv6 Guard blocks rogue DHCPv6 servers, ND Inspection validates Neighbor Discovery, IPv6 Source Guard binds addresses to ports.
- IPv6 has no ARP — it uses **Neighbor Discovery (ND)** instead, which is a giant attack surface without protection. First-Hop Security (FHS) is Cisco's four-feature answer.
- **RA Guard** blocks unauthorized Router Advertisements — the biggest IPv6 threat (rogue RAs redirect all traffic to an attacker). **DHCPv6 Guard** does the same for rogue DHCPv6 servers.
- **ND Inspection** validates NS/NA against a binding table (like DAI for IPv6). **IPv6 Source Guard** enforces that source IPv6 addresses match the binding for the port (like IPSG for IPv6).
The one-sentence mental model
IPv6 gives an attacker four Layer-2 attack surfaces (rogue RA, rogue DHCPv6, ND spoofing, IPv6 spoofing). First-Hop Security is Cisco’s four features that mirror what you’re already doing on IPv4 (RA Guard ↔ nothing on v4; DHCPv6 Guard ↔ DHCP snooping; ND Inspection ↔ DAI; IPv6 Source Guard ↔ IP Source Guard). Deploy all four together or you have gaps.
The four features
1. RA Guard (Router Advertisement Guard) — the most important
A malicious host sends fake Router Advertisements claiming to be the default gateway. Every host on the segment believes it, updates its default route to the attacker, and now the attacker sees all off-link traffic.
RA Guard on the switch drops RAs on untrusted ports. Only the port toward the real router is trusted to send RAs.
ipv6 nd raguard policy HOST-RAGUARD
device-role host
ipv6 nd raguard policy ROUTER-RAGUARD
device-role router
interface GigabitEthernet0/1
ipv6 nd raguard attach-policy HOST-RAGUARD ! access ports
!
interface GigabitEthernet0/24
ipv6 nd raguard attach-policy ROUTER-RAGUARD ! uplink to router
Default policy on ports without explicit config: device-role host (safer default).
2. DHCPv6 Guard
A rogue DHCPv6 server hands out its own address as gateway/DNS. Same attack as DHCPv4 rogue-server, just IPv6.
DHCPv6 Guard filters DHCPv6 server messages (ADVERTISE, REPLY) on untrusted ports.
ipv6 dhcp guard policy HOST-DHCPGUARD
device-role client
ipv6 dhcp guard policy SERVER-DHCPGUARD
device-role server
interface GigabitEthernet0/1
ipv6 dhcp guard attach-policy HOST-DHCPGUARD
!
interface GigabitEthernet0/24
ipv6 dhcp guard attach-policy SERVER-DHCPGUARD ! uplink to DHCPv6 server
3. ND Inspection (Neighbor Discovery Inspection)
IPv6’s replacement for ARP. Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages resolve IPv6 → MAC. Attacker can spoof NAs to claim any IPv6 address.
ND Inspection validates NS/NA against a binding table (built from DHCPv6 snooping and/or SEND). Drops anything that doesn’t match.
Requires a binding table to be populated:
ipv6 neighbor binding vlan 10
ipv6 neighbor binding logging
ipv6 nd inspection policy HOST-NDPOLICY
device-role host
interface GigabitEthernet0/1
ipv6 nd inspection attach-policy HOST-NDPOLICY
4. IPv6 Source Guard
Once the binding table exists, IPv6 Source Guard enforces that any packet’s source IPv6 address matches the binding for the ingress port. Blocks address spoofing.
ipv6 source-guard policy SRC-GUARD
deny global-autoconf
interface GigabitEthernet0/1
ipv6 source-guard attach-policy SRC-GUARD
The binding table — where the state lives
All four features (well, three of the four) depend on the IPv6 neighbor binding table. Populated by:
- DHCPv6 snooping — captures DHCPv6 REPLY events, records IP↔MAC↔port
- SEND (Secure Neighbor Discovery) — cryptographically signed NDP, populates binding table on trusted signatures
- Static entries — for servers with fixed IPv6
Verify:
show ipv6 neighbor binding
show ipv6 neighbor binding vlan 10
Deployment order
- Turn on RA Guard first — biggest attack surface, cheapest to deploy.
- Add DHCPv6 Guard if you use DHCPv6 (many IPv6 shops use SLAAC only — then this is skipped).
- Build the binding table via DHCPv6 snooping.
- Add ND Inspection on the same VLANs.
- Add IPv6 Source Guard as the enforcement layer.
Don’t deploy 3-5 without a populated binding table — legit traffic will be dropped.
Common exam / real-world mistakes
- Skipping RA Guard because “we’re an all-SLAAC shop”. SLAAC is exactly why RA Guard matters — attacker can inject SLAAC RAs and steal every default gateway on the segment.
- Attaching a host policy to the router uplink. Router-facing ports need
device-role routerpolicies. Getting this wrong drops legitimate RAs. - Forgetting the binding table — deploying ND Inspection or IPv6 Source Guard without DHCPv6 snooping or SEND means an empty binding table and everything gets dropped.
- Confusing DAI-thinking with ND Inspection. They’re conceptually similar (validate L2 protocol against binding) but have different message types. NS/NA replaces ARP request/reply.
- Ignoring link-local addresses. Every IPv6 interface auto-generates a link-local (fe80::/10). Policies must permit link-local or basic protocols break.
Cheat strip
IPv6 threats: rogue RA, rogue DHCPv6, ND spoof, source-IP spoof
FHS answer: RA Guard, DHCPv6 Guard, ND Inspection, IPv6 Source Guard
RA Guard blocks rogue RAs on host ports. #1 most-important.
DHCPv6 Guard blocks rogue server messages on host ports.
ND Inspection validates NS/NA against binding table (like DAI).
IPv6 Source Guard enforces source IP matches binding (like IPSG).
Binding table populated by DHCPv6 snooping + SEND + static entries.
Required for ND Inspection + Source Guard.
Roles device-role host (default) | router | server
Config style policy X → device-role Y → attach-policy X on interface
Verify show ipv6 neighbor binding
show ipv6 nd raguard policy X
Practice — quick check
A scenario each round. Take your time — there's a Next button whether you're right or wrong.
Cisco StackWise Virtual (SVL) — Two Chassis as One Logical Switch
How StackWise Virtual makes a pair of Catalyst 9500/9600 chassis behave as a single logical switch. SVL links, DAD (dual-active detection), and why SVL replaced legacy VSS.
IP SLA — Cisco's Active Network Measurement + Track Object Integration
How Cisco IP SLA sends synthetic probes (ICMP, TCP, UDP, HTTP, jitter) to measure availability, latency, and jitter — and how track objects plug those measurements into HSRP, static routes, and PBR for smart failover.
Want this drilled into reflex?
1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNP® exam blueprint. Free first session. No card on file until you decide.
Related topics
DHCP Snooping
Switch security feature that blocks rogue DHCP servers. Trusts one port (where the real server lives) and drops DHCP server messages from any other port. Foundation for Dynamic ARP Inspection too.
Security FundamentalsDynamic ARP Inspection (DAI)
The Layer-2 security feature that kills ARP spoofing dead. Validates every ARP packet against the DHCP Snooping binding table — bogus replies get dropped, trust your gateway again.
Security FundamentalsIP Source Guard (IPSG)
The fourth Layer-2 security feature. Validates the source IP of every IP packet against the DHCP Snooping binding table — blocking IP spoofing attacks at the access port.
Get the free CCNA 12-week roadmap
You're already reading up on IPv6 First-Hop Security — RA Guard, DHCPv6 Guard, ND Inspection, IPv6 Source Guard. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where IPv6 First-Hop Security — RA Guard, DHCPv6 Guard, ND Inspection, IPv6 Source Guard fits. A written personal reply, not an autoresponder. Expect it within one business day.
Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.
