Describe IPv6 First Hop security features (RA guard, DHCP guard, binding table, ND inspection/snooping, source guard)

📘CCNP Enterprise – ENARSI (300-410)

IPv6 First Hop Security Features (Exam-Focused Explanation)

IPv6 networks are more complex than IPv4 because of features like Neighbor Discovery (ND) and stateless address autoconfiguration (SLAAC). These are very useful but can be exploited by attackers. Cisco provides First Hop Security (FHS) features to protect the network at the edge (the first hop from the host to the network). These include:

  1. RA Guard (Router Advertisement Guard)
  2. DHCP Guard
  3. IPv6 Binding Table
  4. ND Inspection / ND Snooping
  5. IPv6 Source Guard

We’ll go through each one in detail.

1. RA Guard (Router Advertisement Guard)

Purpose:
RA Guard prevents rogue devices from sending fake Router Advertisements (RA) on a network. RAs are part of IPv6 Neighbor Discovery Protocol (NDP) and tell hosts how to configure themselves (gateway, prefix, etc.).

Problem it solves:
If an attacker sends fake RAs, hosts may use the attacker’s device as a gateway, allowing Man-in-the-Middle attacks.

How it works:

  • RA Guard inspects incoming RAs on a switch port.
  • Only allows RAs from legitimate routers.
  • Drops RAs from unauthorized devices.

Configuration Example (Simplified):

interface GigabitEthernet0/1
   ipv6 nd raguard
  • Typically applied to access ports (where hosts connect).
  • Helps ensure only trusted routers can send RAs.

Exam Tip:

  • Know that RA Guard protects against rogue RAs.
  • Applied on access layer switches.

2. DHCPv6 Guard

Purpose:
DHCPv6 Guard stops rogue devices from acting as DHCPv6 servers.

Problem it solves:

  • A rogue DHCPv6 server can provide incorrect IP addresses or DNS servers to clients.
  • This could allow attackers to intercept traffic or block connectivity.

How it works:

  • Switch checks which devices are allowed to send DHCPv6 responses.
  • DHCPv6 replies from unauthorized devices are blocked.

Configuration Example:

interface GigabitEthernet0/1
   ipv6 dhcp guard policy TRUSTED
  • Applied to access ports where hosts are connected.
  • Only trusted ports (like uplinks to DHCP servers) are allowed to send replies.

Exam Tip:

  • Remember: Protects against rogue DHCPv6 servers.
  • Works on access ports, not uplinks.

3. IPv6 Binding Table

Purpose:
The binding table keeps a record of which IPv6 addresses belong to which MAC addresses on which switch ports.

Problem it solves:

  • Without it, an attacker could spoof another host’s IPv6 address.
  • Binding table is essential for other features like IPv6 Source Guard.

How it works:

  • The table records host MAC, IPv6 address, and interface.
  • Features like Source Guard and ND Inspection use it to validate traffic.

Exam Tip:

  • The binding table is like a reference list to check legitimate devices.
  • Updated via ND Snooping (more on that next).

4. ND Inspection / ND Snooping (Neighbor Discovery Inspection)

Purpose:
ND Inspection ensures that Neighbor Discovery messages (like NS – Neighbor Solicitation, NA – Neighbor Advertisement) are legitimate.

Problem it solves:

  • ND messages are essential for IPv6 hosts to find each other.
  • Attackers can send fake NS or NA messages to hijack traffic (like MITM attacks).

How it works:

  • Switch inspects ND messages.
  • Only allows ND messages from known/trusted devices in the binding table.

Configuration Example (Simplified):

ipv6 nd inspection policy POL1
   device-role trusted
interface GigabitEthernet0/1
   ipv6 nd inspection POL1
  • Typically applied on access ports.
  • Works closely with RA Guard and Binding Table.

Exam Tip:

  • ND Inspection is a key protection for IPv6 NDP attacks.

5. IPv6 Source Guard

Purpose:
IPv6 Source Guard blocks packets from unauthorized IPv6 addresses on a port.

Problem it solves:

  • Prevents IP spoofing by ensuring traffic matches the IPv6 binding table.

How it works:

  • Uses the binding table (created by ND Snooping) to validate source IPv6 addresses.
  • If a host sends traffic from an IP that doesn’t match the table, it is blocked.

Configuration Example:

interface GigabitEthernet0/1
   ipv6 source guard
  • Usually applied on access ports.
  • Protects against host trying to use someone else’s IPv6 address.

Exam Tip:

  • Remember: Works with Binding Table and ND Snooping.
  • Main purpose: Prevent spoofed IPv6 traffic.

Summary Table for Exam

FeaturePurposeProtects AgainstApplied On
RA GuardValidate Router AdvertisementsRogue RA / MITMAccess ports
DHCP GuardValidate DHCPv6 responsesRogue DHCPv6 serversAccess ports
IPv6 Binding TableStores MAC-IPv6 mappingUsed by ND Inspection / Source GuardN/A
ND Inspection / SnoopingInspect NS/NA messagesND spoofing / MITMAccess ports
IPv6 Source GuardBlocks spoofed IPv6 source addressesIP spoofing / unauthorized hostsAccess ports

Key Exam Points

  1. All first-hop security features are mainly applied at access ports.
  2. RA Guard protects hosts from rogue routers.
  3. DHCP Guard protects hosts from rogue DHCPv6 servers.
  4. Binding Table is used by ND Inspection and Source Guard to validate hosts.
  5. ND Inspection protects the network from ND-based attacks.
  6. Source Guard prevents IP address spoofing.
  7. These features often work together in a layered security approach for IPv6.
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by