IPv6 First Hop Security Features

IPv6 FHS (First Hop Security) is a set of features that secure IPv6 on layer 2 links, where the protocols hosts rely on (Neighbor Discovery, router advertisements and DHCPv6) are trusted without any authentication.

First “hop” might make you think of the first router, but that’s not the case. These are all switch features, in particular for the access switch that sits between your end devices and the first router, because that is where rogue messages can be dropped before any host sees them.

Here are the First Hop Security features you need to know for the CCIE R&S written 400-101 exam:

  • RA Guard: any device on the network can transmit router advertisements (RAs) and hosts don’t verify where they come from. They will happily accept a rogue RA and install its default gateway and prefixes. With RA Guard, the switch filters router advertisements. You can create a simple policy that only accepts RAs on the interface(s) facing the real router, or you can inspect RAs and permit them only when they match certain criteria, such as the prefixes they advertise.
  • DHCPv6 Guard: similar to DHCP snooping for IPv4. The switch inspects DHCPv6 messages and only permits server messages (advertise and reply) from trusted interfaces. You can also create policies that only accept server messages offering addresses from certain prefixes or carrying a minimum preference level.
  • ND Inspection: the switch inspects NS (Neighbor Solicitation) and NA (Neighbor Advertisement) messages and uses them to build the IPv6 binding table, which records which IPv6 address belongs to which MAC address and switch port. Once an address is bound, the switch drops NS/NA messages that try to claim it from a different MAC address or port, which is how spoofed ND messages are caught.
  • Source Guard: the switch drops any packet whose source address is not found in the IPv6 binding table for the port it arrived on. This stops source address spoofing: a host can only send traffic from addresses it has legitimately claimed through ND (or DHCPv6), and an attacker cannot create a binding for an address that is already bound to another port.
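
All four checks above hang off the same two things: a per-port policy (which role the attached device is allowed to play) and one shared IPv6 binding table. The following added example is my own Python model of a switch applying them to constructed frames; it is not Cisco code and not part of the original lesson. The port names, MAC addresses, the 2001:db8:1::/64 prefix and the policy fields (device role, allowed prefixes, minimum DHCPv6 preference) are made up for the demonstration and are simplified stand-ins for the real policy syntax.

```python
"""Per-port checks of the four IPv6 FHS features, modelled on a toy switch.

Added example, not Cisco code: frames are constructed Python objects instead
of real packets, and the policy knobs (device role, allowed prefixes, minimum
DHCPv6 server preference) stand in for the switch's real policy syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Optional, Tuple

RA, NS, NA, DHCP_ADVERTISE, DHCP_REPLY, DATA = (
    "RA", "NS", "NA", "DHCPv6-ADVERTISE", "DHCPv6-REPLY", "DATA")

@dataclass
class Frame:
    port: str
    src_mac: str
    src_ip: IPv6Address
    kind: str
    prefixes: Tuple[IPv6Network, ...] = ()  # RA: advertised; DHCPv6: offered
    preference: int = 0                      # DHCPv6 server preference
    target: Optional[IPv6Address] = None     # NA: address claimed for src_mac

@dataclass
class PortPolicy:
    device_role: str = "host"                       # host, router or dhcp-server
    allowed_prefixes: Tuple[IPv6Network, ...] = ()  # empty = no prefix check
    min_dhcp_preference: int = 0

class FirstHopSwitch:
    def __init__(self, policies: Dict[str, PortPolicy]):
        self.policies = policies
        # IPv6 binding table: address -> (mac, port), learned from NS/NA
        self.bindings: Dict[IPv6Address, Tuple[str, str]] = {}

    def handle(self, f: Frame) -> str:
        """Return 'forward' or 'drop: <reason>' for one received frame."""
        pol = self.policies[f.port]
        if f.kind == RA:
            return self._ra_guard(f, pol)
        if f.kind in (DHCP_ADVERTISE, DHCP_REPLY):
            return self._dhcpv6_guard(f, pol)
        if f.kind in (NS, NA):
            return self._nd_inspection(f)
        return self._source_guard(f)

    @staticmethod
    def _unpermitted(f, pol):
        # First advertised/offered prefix outside the policy's prefix list
        for p in f.prefixes:
            if pol.allowed_prefixes and not any(p.subnet_of(a) for a in pol.allowed_prefixes):
                return p
        return None

    def _ra_guard(self, f, pol):
        if pol.device_role != "router":
            return "drop: RA received on a non-router port"
        bad = self._unpermitted(f, pol)
        return "forward" if bad is None else f"drop: RA advertises unpermitted prefix {bad}"

    def _dhcpv6_guard(self, f, pol):
        if pol.device_role != "dhcp-server":
            return "drop: DHCPv6 server message on a non-server port"
        if f.preference < pol.min_dhcp_preference:
            return "drop: DHCPv6 server preference below policy minimum"
        bad = self._unpermitted(f, pol)
        return "forward" if bad is None else f"drop: DHCPv6 server offers unpermitted prefix {bad}"

    def _nd_inspection(self, f):
        claimed = f.target if f.kind == NA else f.src_ip
        if claimed is None or claimed == IPv6Address("::"):
            return "forward"  # DAD probe sent from :: carries nothing to bind
        known = self.bindings.get(claimed)
        if known is not None and known != (f.src_mac, f.port):
            return f"drop: {f.kind} for {claimed} conflicts with binding {known}"
        self.bindings[claimed] = (f.src_mac, f.port)  # learn or refresh
        return "forward"

    def _source_guard(self, f):
        if self.bindings.get(f.src_ip) != (f.src_mac, f.port):
            return "drop: source address not bound to this MAC and port"
        return "forward"

def run_demo():
    """Constructed traffic: victim on Gi0/1, attacker on Gi0/2, real router on
    Gi0/24 and real DHCPv6 server on Gi0/25. Returns (kind, port, verdict)."""
    lan = IPv6Network("2001:db8:1::/64")
    victim, rogue = IPv6Address("2001:db8:1::10"), IPv6Address("fe80::bad")
    router = ("Gi0/24", "00:00:5e:00:01:01", IPv6Address("fe80::1"))
    dhcp = ("Gi0/25", "00:00:5e:00:01:02", IPv6Address("fe80::2"))
    sw = FirstHopSwitch({
        "Gi0/1": PortPolicy("host"), "Gi0/2": PortPolicy("host"),
        "Gi0/24": PortPolicy("router", (lan,)),
        "Gi0/25": PortPolicy("dhcp-server", (lan,), min_dhcp_preference=10)})
    frames = [
        Frame(*router, RA, (lan,)),
        Frame("Gi0/2", "aa:aa:aa:00:00:02", rogue, RA, (lan,)),  # rogue RA
        Frame(*router, RA, (IPv6Network("2001:db8:99::/64"),)),  # wrong prefix
        Frame("Gi0/2", "aa:aa:aa:00:00:02", rogue, DHCP_ADVERTISE, (lan,), 255),
        Frame(*dhcp, DHCP_ADVERTISE, (lan,), 5),   # preference below minimum
        Frame(*dhcp, DHCP_ADVERTISE, (lan,), 20),
        Frame("Gi0/1", "aa:aa:aa:00:00:01", victim, NA, target=victim),  # learned
        Frame("Gi0/2", "aa:aa:aa:00:00:02", victim, NA, target=victim),  # spoofed NA
        Frame("Gi0/2", "aa:aa:aa:00:00:02", victim, DATA),  # spoofed source
        Frame("Gi0/1", "aa:aa:aa:00:00:01", victim, DATA)]
    return [(f.kind, f.port, sw.handle(f)) for f in frames]

if __name__ == "__main__":
    for kind, port, verdict in run_demo():
        print(f"{port:6} {kind:17} {verdict}")
```

Running it prints one verdict per frame: the rogue RA and DHCPv6 advertisement from Gi0/2 are dropped by port role alone, the real router's RA for a prefix outside the policy is dropped by the prefix check, the attacker's NA for the victim's address is refused because ND Inspection already holds a binding for that address on Gi0/1, and Source Guard then drops the attacker's data traffic using that address because the binding does not match its MAC and port. A real switch also records the VLAN in each binding and can learn bindings from DHCPv6 as well as from ND; the model keeps only address, MAC and port to show the dependency between the features.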

Each of these features is covered in more detail in its own lesson.