Skip to main content
PacketMentor logo
Open menu
Home
Training
Learn
CCNA Library (74)
Browse all CCNA topics →
Network (13)
Device Operations (5)
Network Access (12)
Wireless (6)
IP Connectivity (10)
IP Services (11)
Security (10)
Automation (7)
Network+ Library (77)
Browse all Network+ topics →
1.0Networking Concepts (22)
2.0Network Implementation (17)
3.0Network Operations (16)
4.0Network Security (15)
5.0Network Troubleshooting (7)
NSE 4 Library (45)
CCNP Library (33)
Practice
All practice →
Troubleshooting Labs
Packet Tracer Labs
Interactive Simulators
Mock ExamPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
CCNP Security Fundamentals Advanced

IPv6 First-Hop Security — RA Guard, DHCPv6 Guard, ND Inspection, IPv6 Source Guard

The four Layer-2 security features every enterprise needs when it enables IPv6: RA Guard blocks rogue Router Advertisements, DHCPv6 Guard blocks rogue DHCPv6 servers, ND Inspection validates Neighbor Discovery, IPv6 Source Guard binds addresses to ports.

Quick summary
  • IPv6 has no ARP — it uses **Neighbor Discovery (ND)** instead, which is a giant attack surface without protection. First-Hop Security (FHS) is Cisco's four-feature answer.
  • **RA Guard** blocks unauthorized Router Advertisements — the biggest IPv6 threat (rogue RAs redirect all traffic to an attacker). **DHCPv6 Guard** does the same for rogue DHCPv6 servers.
  • **ND Inspection** validates NS/NA against a binding table (like DAI for IPv6). **IPv6 Source Guard** enforces that source IPv6 addresses match the binding for the port (like IPSG for IPv6).

The one-sentence mental model

IPv6 gives an attacker four Layer-2 attack surfaces (rogue RA, rogue DHCPv6, ND spoofing, IPv6 spoofing). First-Hop Security is Cisco’s four features that mirror what you’re already doing on IPv4 (RA Guard ↔ nothing on v4; DHCPv6 Guard ↔ DHCP snooping; ND Inspection ↔ DAI; IPv6 Source Guard ↔ IP Source Guard). Deploy all four together or you have gaps.

The four features

1. RA Guard (Router Advertisement Guard) — the most important

A malicious host sends fake Router Advertisements claiming to be the default gateway. Every host on the segment believes it, updates its default route to the attacker, and now the attacker sees all off-link traffic.

RA Guard on the switch drops RAs on untrusted ports. Only the port toward the real router is trusted to send RAs.

ipv6 nd raguard policy HOST-RAGUARD
  device-role host

ipv6 nd raguard policy ROUTER-RAGUARD
  device-role router

interface GigabitEthernet0/1
  ipv6 nd raguard attach-policy HOST-RAGUARD   ! access ports
!
interface GigabitEthernet0/24
  ipv6 nd raguard attach-policy ROUTER-RAGUARD ! uplink to router

Default policy on ports without explicit config: device-role host (safer default).

2. DHCPv6 Guard

A rogue DHCPv6 server hands out its own address as gateway/DNS. Same attack as DHCPv4 rogue-server, just IPv6.

DHCPv6 Guard filters DHCPv6 server messages (ADVERTISE, REPLY) on untrusted ports.

ipv6 dhcp guard policy HOST-DHCPGUARD
  device-role client

ipv6 dhcp guard policy SERVER-DHCPGUARD
  device-role server

interface GigabitEthernet0/1
  ipv6 dhcp guard attach-policy HOST-DHCPGUARD
!
interface GigabitEthernet0/24
  ipv6 dhcp guard attach-policy SERVER-DHCPGUARD ! uplink to DHCPv6 server

3. ND Inspection (Neighbor Discovery Inspection)

IPv6’s replacement for ARP. Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages resolve IPv6 → MAC. Attacker can spoof NAs to claim any IPv6 address.

ND Inspection validates NS/NA against a binding table (built from DHCPv6 snooping and/or SEND). Drops anything that doesn’t match.

Requires a binding table to be populated:

ipv6 neighbor binding vlan 10
ipv6 neighbor binding logging

ipv6 nd inspection policy HOST-NDPOLICY
  device-role host

interface GigabitEthernet0/1
  ipv6 nd inspection attach-policy HOST-NDPOLICY

4. IPv6 Source Guard

Once the binding table exists, IPv6 Source Guard enforces that any packet’s source IPv6 address matches the binding for the ingress port. Blocks address spoofing.

ipv6 source-guard policy SRC-GUARD
  deny global-autoconf

interface GigabitEthernet0/1
  ipv6 source-guard attach-policy SRC-GUARD

The binding table — where the state lives

All four features (well, three of the four) depend on the IPv6 neighbor binding table. Populated by:

  • DHCPv6 snooping — captures DHCPv6 REPLY events, records IP↔MAC↔port
  • SEND (Secure Neighbor Discovery) — cryptographically signed NDP, populates binding table on trusted signatures
  • Static entries — for servers with fixed IPv6

Verify:

show ipv6 neighbor binding
show ipv6 neighbor binding vlan 10

Deployment order

  1. Turn on RA Guard first — biggest attack surface, cheapest to deploy.
  2. Add DHCPv6 Guard if you use DHCPv6 (many IPv6 shops use SLAAC only — then this is skipped).
  3. Build the binding table via DHCPv6 snooping.
  4. Add ND Inspection on the same VLANs.
  5. Add IPv6 Source Guard as the enforcement layer.

Don’t deploy 3-5 without a populated binding table — legit traffic will be dropped.

Common exam / real-world mistakes

  1. Skipping RA Guard because “we’re an all-SLAAC shop”. SLAAC is exactly why RA Guard matters — attacker can inject SLAAC RAs and steal every default gateway on the segment.
  2. Attaching a host policy to the router uplink. Router-facing ports need device-role router policies. Getting this wrong drops legitimate RAs.
  3. Forgetting the binding table — deploying ND Inspection or IPv6 Source Guard without DHCPv6 snooping or SEND means an empty binding table and everything gets dropped.
  4. Confusing DAI-thinking with ND Inspection. They’re conceptually similar (validate L2 protocol against binding) but have different message types. NS/NA replaces ARP request/reply.
  5. Ignoring link-local addresses. Every IPv6 interface auto-generates a link-local (fe80::/10). Policies must permit link-local or basic protocols break.

Cheat strip

IPv6 threats:      rogue RA, rogue DHCPv6, ND spoof, source-IP spoof
FHS answer:        RA Guard, DHCPv6 Guard, ND Inspection, IPv6 Source Guard

RA Guard           blocks rogue RAs on host ports. #1 most-important.
DHCPv6 Guard       blocks rogue server messages on host ports.
ND Inspection      validates NS/NA against binding table (like DAI).
IPv6 Source Guard  enforces source IP matches binding (like IPSG).

Binding table      populated by DHCPv6 snooping + SEND + static entries.
                   Required for ND Inspection + Source Guard.

Roles              device-role host  (default)  |  router  |  server
Config style       policy X → device-role Y → attach-policy X on interface

Verify             show ipv6 neighbor binding
                   show ipv6 nd raguard policy X
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNP® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Get the free CCNA 12-week roadmap

You're already reading up on IPv6 First-Hop Security — RA Guard, DHCPv6 Guard, ND Inspection, IPv6 Source Guard. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where IPv6 First-Hop Security — RA Guard, DHCPv6 Guard, ND Inspection, IPv6 Source Guard fits. A written personal reply, not an autoresponder. Expect it within one business day.

Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.