This topic is to discuss the following lesson:
Not sure if the forum is the spot for this. I am only able to view the “preview version” of the video for this section (1:25 run time). I can view the “full” version of everything else (made sure I was logged in, etc.), so I am thinking maybe the wrong video is up in the “members” version of the page?
Hello Nicholas
Thanks for letting us know. I will let Rene know so he can take a look ASAP and resolve the issue.
Laz
Hello Nicholas,
You are right, I accidentally had the trial video for non-members. Just fixed it, you can see the whole video now. Thanks for letting us know!
Rene
Hi
What is the difference between IPv6 source guard and IPv6 destination guard?
Thanks
Hello Giovanni
IPv6 source guard is a layer 2 snooping feature that blocks any traffic from an unknown source. An unknown source is an IPv6 address that is not already in the binding table or has not previously been learned through ND, as described in the lesson.
IPv6 destination guard will ensure that a device performs address resolution only for those addresses that are known to be active on the link. It uses what is known as address glean functionality. Address gleaning involves snooping Neighbor Discovery Protocol (NDP) and DHCP messages on the link to populate the binding table. When a packet reaches the device and there is not yet an adjacency for the destination or for the next hop, the NDP consults the device binding table to verify that the destination or the next hop has been previously gleaned. If the destination is not found in the binding table, the packet is dropped. Otherwise, neighbor discovery resolution is performed.
I hope this has been helpful!
Laz
Just to clarify, the purpose of source guard is keeping IP address exhaustion from happening and a sort of DoS mitigation at Layer 2 in IPv6 networks?
Hello Leo
Well, not quite. IPv6 Source Guard is not used to prevent IPv6 address exhaustion. What you may be thinking of is DHCP starvation attacks (where an attacker requests all available addresses from a DHCP pool). That threat is actually mitigated by DHCPv6 Snooping with rate-limiting or maximum binding limits per port, not by IPv6 Source Guard itself.
Actually, IPv6 Source Guard does provide Layer 2 DoS mitigation, but more precisely, it’s an anti-spoofing mechanism. IPv6 Source Guard primarily prevents IPv6 address spoofing at the access layer. By preventing spoofing, it indirectly mitigates certain DoS and man-in-the-middle attacks that rely on spoofed source addresses (such as impersonating servers, gateways, or other hosts).
IPv6 Source Guard is part of Cisco’s IPv6 First-Hop Security (FHS) feature set. It works by building a binding table that maps IPv6 address ↔ MAC address ↔ VLAN ↔ interface based on:
- DHCPv6 snooping (for stateful DHCPv6 assignments)
- ND inspection/IPv6 device tracking (for SLAAC assignments)
- Static bindings (for manually configured addresses)
It then enforces the binding table on untrusted access ports: any IPv6 packet with a source address that doesn’t match a valid binding for that port is dropped.
So IPv6 Source Guard is an anti-spoofing/access control feature, not an address conservation mechanism. It does contribute to DoS mitigation by preventing spoofing-based attacks at Layer 2. Make sense?
I hope this has been helpful!
Laz
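To make the two checks concrete, here is an added Python model (not code from this thread, and not Cisco's implementation) of the binding table that IPv6 Snooping builds from gleaned ND/DHCPv6 messages and static entries. It covers both Laz's description of Source Guard versus Destination Guard above and the binding-table breakdown in the later reply: Source Guard requires an exact address/MAC/VLAN/port match on an untrusted port, while Destination Guard only asks whether the destination was ever gleaned on the VLAN before it lets ND resolution happen. The message kinds, field names, and all addresses, MACs and port names are constructed assumptions for the illustration; no switch API is involved.

```python
"""Toy model of IPv6 First-Hop Security binding-table enforcement.

Added example written for this thread; it is not code from the original
posts or from Cisco. It models the binding table that IPv6 Snooping builds
by gleaning ND and DHCPv6 messages (plus static entries) and shows how
IPv6 Source Guard and IPv6 Destination Guard each consult it. The message
kinds, field names and all sample data are constructed for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address


def canon(addr: str) -> str:
    """Canonical text form so 2001:DB8::0010 and 2001:db8::10 compare equal."""
    return str(ip_address(addr))


@dataclass(frozen=True)
class Binding:
    """One binding-table row: IPv6 address <-> MAC <-> VLAN <-> ingress port."""
    ipv6: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Packet:
    """A data packet as seen by the access switch (constructed sample type)."""
    src: str
    dst: str
    mac: str    # source MAC of the frame
    vlan: int
    port: str   # ingress port


class BindingTable:
    def __init__(self) -> None:
        self.entries: set = set()

    def glean(self, msg: dict) -> None:
        """Add a binding from a snooped control-plane message.

        Constructed message kinds:
          NS     DAD Neighbor Solicitation; the sender is claiming msg["target"]
          NA     Neighbor Advertisement; the sender owns msg["target"]
          DHCP6  DHCPv6 REPLY seen on the trusted server port, assigning
                 msg["target"] to the client at msg["mac"] / msg["port"]
          STATIC administratively configured binding
        Anything else (e.g. an RA) does not create a host binding.
        """
        if msg["kind"] not in ("NS", "NA", "DHCP6", "STATIC"):
            return
        self.entries.add(Binding(canon(msg["target"]), msg["mac"].lower(),
                                 msg["vlan"], msg["port"]))

    def address_active(self, addr: str, vlan: int) -> bool:
        """Was this address gleaned on this VLAN at all (any MAC, any port)?"""
        a = canon(addr)
        return any(b.ipv6 == a and b.vlan == vlan for b in self.entries)


def source_guard(table: BindingTable, pkt: Packet, trusted_ports: set) -> str:
    """IPv6 Source Guard on an access port.

    Permits a packet only if its source address is bound to exactly this
    port, MAC and VLAN; trusted (uplink/router) ports are not policed.
    """
    if pkt.port in trusted_ports:
        return "permit"
    if Binding(canon(pkt.src), pkt.mac.lower(), pkt.vlan, pkt.port) in table.entries:
        return "permit"
    return "drop"   # unknown source, or an address bound to another port/MAC


def destination_guard(table: BindingTable, pkt: Packet, neighbor_cache: set) -> str:
    """IPv6 Destination Guard on the Layer 3 interface for the VLAN.

    With an existing adjacency the packet is forwarded. Without one, ND
    resolution is attempted only for addresses the binding table has seen;
    packets to never-gleaned addresses are dropped instead of triggering NS.
    """
    dst = canon(pkt.dst)
    if dst in {canon(n) for n in neighbor_cache}:
        return "forward"
    if table.address_active(dst, pkt.vlan):
        return "resolve"
    return "drop"


def build_demo_table() -> BindingTable:
    """Binding table gleaned from constructed sample messages on VLAN 10."""
    table = BindingTable()
    for msg in (
        {"kind": "NS", "target": "2001:db8:10::10", "mac": "00:11:22:33:44:AA", "vlan": 10, "port": "Gi1/0/1"},
        {"kind": "DHCP6", "target": "2001:db8:10::20", "mac": "00:11:22:33:44:bb", "vlan": 10, "port": "Gi1/0/2"},
        {"kind": "STATIC", "target": "2001:db8:10::1", "mac": "00:11:22:33:44:01", "vlan": 10, "port": "Gi1/0/24"},
        {"kind": "RA", "target": "fe80::1", "mac": "00:11:22:33:44:01", "vlan": 10, "port": "Gi1/0/24"},
    ):
        table.glean(msg)
    return table


if __name__ == "__main__":
    t = build_demo_table()
    trusted = {"Gi1/0/24"}
    legit = Packet("2001:db8:10::10", "2001:db8:10::20", "00:11:22:33:44:aa", 10, "Gi1/0/1")
    spoof = Packet("2001:db8:10::20", "2001:db8:10::1", "00:11:22:33:44:aa", 10, "Gi1/0/1")
    scan = Packet("2001:db8:10::1", "2001:db8:10::9999", "00:11:22:33:44:01", 10, "Gi1/0/24")
    print("legit source  :", source_guard(t, legit, trusted))
    print("spoofed source:", source_guard(t, spoof, trusted))
    print("scan target   :", destination_guard(t, scan, set()))
```

The spoofed packet is dropped even though 2001:db8:10::20 is a perfectly valid address on the VLAN, because it is bound to a different MAC and port; that is the anti-spoofing point. The scan packet is dropped by Destination Guard because 2001:db8:10::9999 was never gleaned, so the router never sends a Neighbor Solicitation for it, which is what limits ND-cache exhaustion from address sweeps.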
That makes a lot more sense