IPv6 RA Guard

RA Guard is an IPv6 first-hop security feature that prevents attackers from sending fake Router Advertisements (RAs) in an attempt to redirect host traffic to themselves and to supersede the legitimate router on the network. IPv6 RA Guard is applied on a switch and filters out any unauthorized RAs.

RA Guard works on the principle that a switch expects to receive RAs only on ports that are connected to routers. All other ports should not receive RAs. If an RA does arrive on one of those ports, it can be considered illegitimate and be filtered out. This is somewhat similar to the logic behind the configuration of DHCP trusted and untrusted ports.

RA guard is thus applied in an inbound direction on switch ports from which you would never receive an RA.

The feature can be applied to an access port or a trunk port. When applied to a trunk port, it applies to all VLANs on that trunk port. However, the command has additional keywords that can be used to specify on which VLANs the feature should be activated.
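
The port roles and VLAN scoping described above, as a Cisco IOS configuration sketch. This is an added example, not taken from the linked documents: the policy names, interface numbers and VLAN IDs are constructed, and the exact keywords available depend on platform and software release.

```cisco
! Constructed example: policy names, interfaces and VLAN IDs are placeholders.
!
! Policy for ports where an RA should never arrive (end hosts).
! RAs received inbound on a port with this policy are dropped.
ipv6 nd raguard policy RAGUARD-HOSTS
 device-role host
!
! Policy for the port that connects to the legitimate router.
! RAs received on this port are permitted.
ipv6 nd raguard policy RAGUARD-ROUTER
 device-role router
!
! Access port to an end host: the policy covers the access VLAN.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ipv6 nd raguard attach-policy RAGUARD-HOSTS
!
! Trunk port with only hosts behind it. Without the vlan keyword the
! policy applies to every VLAN on the trunk; here it is limited to
! VLANs 10 and 20.
interface GigabitEthernet1/0/23
 switchport mode trunk
 ipv6 nd raguard attach-policy RAGUARD-HOSTS vlan 10,20
!
! Uplink to the router that is allowed to send RAs.
interface GigabitEthernet1/0/24
 ipv6 nd raguard attach-policy RAGUARD-ROUTER
!
! Check from exec mode which ports and VLANs each policy is attached to:
!   show ipv6 nd raguard policy RAGUARD-HOSTS
!   show ipv6 nd raguard policy RAGUARD-ROUTER
```

After applying it, confirm that hosts on the guarded VLANs still learn their default router from the uplink; a host policy attached to the router-facing port by mistake would filter the legitimate RAs as well.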

Links:

https://networklessons.com/cisco/ccie-routing-switching-written/ipv6-ra-guard

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-mt/ip6f-15-mt-book/ip6-ra-guard.pdf

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-book/ipv6-i3.html#wp2309713487