User's Manual
Security: IPV6 First Hop Security
Attack Protection
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
• A Neighbor Advertisement (NA) message is dropped if the target IPv6 
address is bound with another interface.
Protection against IPv6 Duplicate Address Detection Spoofing
An IPv6 host must perform Duplicate Address Detection for each assigned IPv6 
address by sending a special NS message, the Duplicate Address Detection 
Neighbor Solicitation (DAD_NS) message.
A malicious host could send a reply to a DAD_NS message, advertising itself as an 
IPv6 host that already has the given IPv6 address.
NB Integrity provides protection against such attacks in the following ways: 
• If the given IPv6 address is unknown, the DAD_NS message is forwarded 
only on inner interfaces.
• If the given IPv6 address is known, the DAD_NS message is forwarded only 
on the interface where the IPv6 address is bound.
• An NA message is dropped if the target IPv6 address is bound with another 
interface.
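The three rules above, modelled as an added example (not code from this guide or from the switch firmware), showing why a host on an ordinary access port neither sees a DAD_NS for an unknown address nor gets its NA for a bound address forwarded. The interface names, the 2001:db8:: addresses, the choice of inner interface and the rule that a frame is not sent back out its ingress port are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


def _key(addr):
    # Normalise textual forms so "2001:DB8:0::10" and "2001:db8::10" match.
    return ipaddress.IPv6Address(addr)


@dataclass
class NBIntegrityModel:
    inner: set                                     # interfaces treated as inner (assumed config)
    bindings: dict = field(default_factory=dict)   # IPv6Address -> bound interface

    def bind(self, addr, interface):
        self.bindings[_key(addr)] = interface

    def dad_ns_egress(self, target, ingress):
        """Interfaces on which a DAD_NS for `target` is forwarded."""
        bound = self.bindings.get(_key(target))
        # Unknown address: inner interfaces only. Known: only the bound interface.
        egress = set(self.inner) if bound is None else {bound}
        egress.discard(ingress)   # assumption: never sent back out the ingress port
        return egress

    def na_verdict(self, target, ingress):
        """'drop' if the NA target is bound to an interface other than `ingress`."""
        bound = self.bindings.get(_key(target))
        return "drop" if bound is not None and bound != ingress else "forward"


def demo():
    # Constructed sample: one inner uplink (gi24), one host bound on gi1.
    sw = NBIntegrityModel(inner={"gi24"})
    sw.bind("2001:db8::10", "gi1")
    return {
        "dad_unknown": sw.dad_ns_egress("2001:db8::20", ingress="gi2"),
        "dad_known": sw.dad_ns_egress("2001:DB8:0::10", ingress="gi2"),
        "na_other_port": sw.na_verdict("2001:db8::10", ingress="gi3"),
        "na_bound_port": sw.na_verdict("2001:db8::10", ingress="gi1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Only the NA rule stated on this page is modelled; an NA for an address with no binding is passed through here.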
Protection against DHCPv6 Server Spoofing
An IPv6 host can use the DHCPv6 protocol for:
• Stateless Information configuration
• Stateful address configuration
A malicious host could send DHCPv6 reply messages advertising itself as a 
DHCPv6 server and providing counterfeit stateless information and IPv6 
addresses. DHCPv6 Guard provides protection against such attacks by 
configuring the interface role as a client port for all ports to which DHCPv6 servers 
cannot be connected.
Protection Against NDP Cache Spoofing
An IPv6 router maintains a Neighbor Discovery Protocol (NDP) cache that maps 
IPv6 addresses to MAC addresses for last-hop routing. 










