Ipv6 Global Policies; Ipv6 First-Hop Security Binding Table; Guidelines And Limitations Of First Hop Security - Cisco Nexus 9000 Series Configuration Manual
Nx-os security configuration guide, release 9.x
Hide thumbs
Also See for Nexus 9000 Series:
- Configuration manual (276 pages) ,
- Troubleshooting manual (126 pages) ,
- Quick start configuration manual (6 pages)
Table of Contents
Advertisement
IPv6 Global Policies
Note
Use the feature dhcp command to enable the FHS features on a switch.
IPv6 Global Policies
IPv6 global policies provide storage and access policy database services. IPv6 snooping, DHCPv6 guard, and
IPv6 RA guard are IPv6 global policies features. Each time IPv6 snooping, DHCPv6 guard, or RA guard is
configured globally, the policy attributes are stored in the software policy database. The policy is then applied
to an interface, and the software policy database entry is updated to include this interface to which the policy
is applied.
All port level FHS policies are programmed in the ifacl region, while the VLAN level policies are programmed
in the FHS region. Use the hardware profile tcam regionfhs tcam_size command to configure the FHS. The
range for the TCAM size is 0-4096.
• Cisco Nexus 9200, and 9300-EX platform switches, FHS packets take the copp-s-dhcpreq queue for
• Cisco Nexus 9300, 9500 platform switches, the Cisco Nexus 3164Q switch, N9K-X9432C-S line card,
Note
When you upgrade the Cisco Nexus Series switch to Cisco NX-OS Release 7.0(3)I7(1) using the In-Service
Software Upgrades (ISSU), you must reload the Cisco NX-OS box before configuring the port level FHS
policies.
IPv6 First-Hop Security Binding Table
A database table of IPv6 neighbors connected to the device is created from information sources such as IPv6
snooping. This database, or binding table is used by various IPv6 guard features to validate the link-layer
address (LLA), the IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.
Guidelines and Limitations of First Hop Security
The general guidelines and limitations of First Hop Security are as follows:
• Before enabling the FHS on the interface or VLAN, we recommend carving TCAM regions on Cisco
• Before enabling the FHS, we recommend carving the ing-redirect TCAM region on Cisco Nexus 9200
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
370
software processing.
and the Cisco Nexus 3232C and 3264Q switches use the class default.
Nexus 9300 and 9500 Series switches. To enable FHS successfully:
• On an interface, you must carve the ifacl TCAM region.
• On a VLAN, you must carve the necessary redirect TCAM region.
• On a FEX interface, you must carve the fex-ipv6-ifacl TCAM region.
and 9300-EX Series switches.
Configuring IPv6 First Hop Security
- Quick Links:
- Radius and Tacacs+ Security Protocols
Hide quick links:
Advertisement
Table of Contents
