IPv6 Source Guard is a security feature that filters traffic based on the source IPv6 address and, optionally, the source MAC address. It leverages the binding table, which is populated by the IPv6 Snooping feature, to validate incoming packets. When IPv6 Source Guard is enabled on an interface, the switch examines traffic from hosts connected to that interface. If the source address of an incoming packet does not match a valid entry in the binding table for that specific port, the packet is dropped. This effectively prevents IP address spoofing attacks from devices on that segment.

A. IPv6 Snooping: This feature builds and maintains the binding table by observing Neighbor Discovery Protocol messages, but it does not, by itself, perform the traffic filtering or rejection.

C. IPv6 DAD Proxy: The Duplicate Address Detection (DAD) Proxy feature responds to DAD queries on behalf of hosts, which helps in scaling ND-P in large L2 domains. It is not a traffic filtering mechanism.

D. IPv6 RA Guard: This feature specifically filters and drops unauthorized Router Advertisement (RA) messages from rogue devices. It does not filter general data traffic based on the source address.

1. Cisco Systems

Inc. (2023). First-Hop Security Configuration Guide

Cisco IOS XE Bengaluru 17.6.x (Catalyst 9300 Switches). Chapter: "Configuring IPv6 First-Hop Security"

Section: "IPv6 Source Guard".

The document states

"IPv6 source guard is a security feature that filters traffic based on the IPv6 source address and the source MAC address... It uses the binding table populated by IPv6 snooping to validate the source of the incoming packets. When IPv6 source guard is enabled on an interface

the device drops packets when the source address is not found in the binding table."

2. Cisco Systems

Inc. (2021). IP Addressing: IPv6 Configuration Guide

Cisco IOS XE 17. Chapter: "Implementing IPv6 First-Hop Security"

Section: "IPv6 Source Guard".

This guide explains

"The IPv6 Source Guard feature filters traffic based on the IPv6 source address of the traffic. The feature uses the binding table

which is populated by the IPv6 snooping feature

to validate the source of the incoming packets."

3. Haddad

W.

& Bshara

M. (2018). IPv6 Security. Cisco Press. Chapter 4: "Layer 2 Security".

This official Cisco Press publication details that IPv6 Source Guard is the feature responsible for using the binding table to perform source IP address filtering

thereby preventing spoofing attacks. It explicitly differentiates its role from IPv6 Snooping

which builds the table

and RA Guard

which protects against rogue routers.