IPv6 FHS (First Hop Security) is a set of features that secure IPv6 on L2 links.
“First hop” might make you think of the first router, but that’s not the case. These are all switch features; in particular, they run on the switch that sits between your end devices and the first router.
Here are the First Hop Security features you need to know for the CCIE R&S written 400-101 exam:
- RA Guard: any device on the network can transmit router advertisements and hosts don’t care where they come from. They will happily accept anything. With RA guard, you can filter router advertisements. You can create a simple policy where you only accept RAs on certain interfaces or you can inspect RAs and permit them only when they match certain criteria.
- DHCPv6 Guard: similar to DHCP snooping for IPv4. We inspect DHCP packets and only permit them from trusted interfaces. You can also create policies where you only accept DHCP packets for certain prefixes or preference levels.
- ND Inspection: the switch inspects NS (Neighbor Solicitation) and NA (Neighbor Advertisement) messages and stores them in the IPv6 binding table. The switch can then drop any spoofed NS/NA messages.
- Source Guard: the switch filters all packets where the source address is not found in the IPv6 binding table. This helps against source address spoofing attacks.
You can click on the links above to learn more about each feature.
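The binding-table logic behind ND Inspection and Source Guard, as an added Python model that is not part of the original lesson and is not vendor code. It assumes a simplified first-come, first-served table keyed by IPv6 address and storing (MAC, port); the class name, ports, MACs and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class FirstHopSwitch:
    """Toy model of an access switch's IPv6 binding table (assumption: FCFS)."""
    bindings: dict = field(default_factory=dict)  # IPv6Address -> (mac, port)

    @staticmethod
    def _key(ip):
        # Normalise so "2001:DB8:0::10" and "2001:db8::10" hit the same entry.
        return ipaddress.IPv6Address(ip)

    def nd_inspect(self, port, mac, target_ip):
        """NS/NA claiming target_ip: learn the first claim, drop conflicting ones."""
        claim, key = (mac.lower(), port), self._key(target_ip)
        known = self.bindings.get(key)
        if known is None:
            self.bindings[key] = claim
            return "learned"
        return "permit" if known == claim else "drop"

    def source_guard(self, port, mac, src_ip):
        """Data packet: permit only if the source matches a learned binding."""
        known = self.bindings.get(self._key(src_ip))
        return "permit" if known == (mac.lower(), port) else "drop"

# Constructed sample traffic: (kind, ingress port, source MAC, IPv6 address)
EVENTS = [
    ("nd",   "Gi0/1", "aa:aa:aa:aa:aa:01", "2001:db8::10"),   # host 1 announces itself
    ("nd",   "Gi0/2", "aa:aa:aa:aa:aa:02", "2001:db8::20"),   # host 2 announces itself
    ("nd",   "Gi0/3", "aa:aa:aa:aa:aa:03", "2001:db8::10"),   # spoofed NA for host 1
    ("data", "Gi0/1", "aa:aa:aa:aa:aa:01", "2001:DB8:0::10"), # host 1, other notation
    ("data", "Gi0/3", "aa:aa:aa:aa:aa:03", "2001:db8::10"),   # spoofed source address
    ("data", "Gi0/3", "aa:aa:aa:aa:aa:03", "2001:db8::99"),   # address never learned
]

def replay(events):
    """Feed the events through one switch and return the verdict for each."""
    sw = FirstHopSwitch()
    verdicts = []
    for kind, port, mac, ip in events:
        handler = sw.nd_inspect if kind == "nd" else sw.source_guard
        verdicts.append(handler(port, mac, ip))
    return verdicts

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(verdict.ljust(8), *event)
```

Real switches add details this model leaves out, such as VLAN scoping, entry lifetimes and bindings learned from DHCPv6.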
I understand that this is a layer two security feature, but would it be considered that it is able to filter layer 3 traffic? These are IPv6 security features, which is layer 3.
Hello Cameron
These are indeed features that are applied to the switch that exists between the IPv6 hosts and the first hop router, but they are not Layer 2 security features. All of the features are required to inspect the contents of the IPv6 header. And yes, they do indeed filter traffic based on Layer 3 criteria…
I hope this has been helpful!
Laz
Hi Laz,
Thank you as always for the concise and clear explanation!