CHAPTER 15
Configuring IPv6 First Hop Security
This chapter describes how to configure First Hop Security (FHS) features on Cisco NX-OS devices.
This chapter includes the following sections:
• Introduction to First-Hop Security
• Guidelines and Limitations of First Hop Security
• About vPC First Hop Security Configuration
• How to Configure IPv6 FHS
• Configuration Examples
• Additional References for IPv6 First-Hop Security
Introduction to First-Hop Security
The Layer 2 and Layer 3 switches operate in the Layer 2 domains with technologies such as server virtualization,
Overlay Transport Virtualization (OTV), and Layer 2 mobility. These devices are sometimes referred to as
"first hops", specifically when they are facing end nodes. The First-Hop Security feature provides end node
protection and optimizes link operations on IPv6 or dual-stack networks.
First-Hop Security (FHS) is a set of features that optimize IPv6 link operation and help with scale in large
Layer 2 domains. These features provide protection from a wide range of rogue or misconfigured users. You can
use extended FHS features for different deployment scenarios or attack vectors.
The following FHS features are supported:
• IPv6 RA Guard
• DHCPv6 Guard
• IPv6 Snooping
Note: See Guidelines and Limitations of First Hop Security for information about enabling this feature.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x