Configuring Ipv6 First Hop Security; Introduction To First-Hop Security - Cisco Nexus 9000 Series Configuration Manual

Configuring IPv6 First Hop Security

This chapter describes how to configure First Hop Security (FHS) features on Cisco NX-OS devices.
This chapter includes the following sections:
•
•
•
•
•
•
•
•
•

Introduction to First-Hop Security

The Layer 2 and Layer 3 switches operate in the Layer 2 domains with technologies such as server virtualization,
Overlay Transport Virtualization (OTV), and Layer 2 mobility. These devices are sometimes referred to as
"first hops", specifically when they are facing end nodes. The First-Hop Security feature provides end node
protection and optimizes link operations on IPv6 or dual-stack networks.
First-Hop Security (FHS) is a set of features to optimize IPv6 link operation, and help with scale in large L2
domains. These features provide protection from a wide host of rogue or mis-configured users. You can use
extended FHS features for different deployment scenarios, or attack vectors.
The following FHS features are supported:
• IPv6 RA Guard
• DHCPv6 Guard
• IPv6 Snooping
Note
See Guidelines and Limitations of First Hop Security, on page 370
Introduction to First-Hop Security, on page 369
Guidelines and Limitations of First Hop Security, on page 370
About vPC First Hop Security Configuration, on page 371
RA Guard, on page 374
DHCPv6 Guard, on page 375
IPv6 Snooping, on page 376
How to Configure IPv6 FHS, on page 377
Configuration Examples, on page 386
Additional References for IPv6 First-Hop Security, on page 387
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
15
C H A P T E R
for information about enabling this feature.
369