Note: Use the feature dhcp command to enable the FHS features on a switch.
IPv6 Global Policies
IPv6 global policies provide storage and access policy database services. IPv6 snooping, DHCPv6 guard, and
IPv6 RA guard are IPv6 global policies features. Each time IPv6 snooping, DHCPv6 guard, or RA guard is
configured globally, the policy attributes are stored in the software policy database. The policy is then applied
to an interface, and the software policy database entry is updated to include this interface to which the policy
is applied.
All port-level FHS policies are programmed in the ifacl TCAM region, while VLAN-level policies are programmed
in the fhs region. Use the hardware profile tcam region fhs tcam_size command to carve the fhs region. The
valid range for the TCAM size is 0-4096.
• On Cisco Nexus 9200 and 9300-EX platform switches, FHS packets take the copp-s-dhcpreq queue for
software processing.
• Cisco Nexus 9300 and 9500 platform switches, the Cisco Nexus 3164Q switch, the N9K-X9432C-S line card,
and the Cisco Nexus 3232C and 3264Q switches use the class default.
Note: When you upgrade a Cisco Nexus Series switch to Cisco NX-OS Release 7.0(3)I7(1) using In-Service
Software Upgrade (ISSU), you must reload the switch before configuring port-level FHS policies.
IPv6 First-Hop Security Binding Table
A database table of the IPv6 neighbors connected to the device is created from information sources such as IPv6
snooping. This database, or binding table, is used by the IPv6 guard features to validate the link-layer
address (LLA), IPv6 address, and prefix binding of each neighbor, in order to prevent spoofing and redirect attacks.
Guidelines and Limitations of First Hop Security
The general guidelines and limitations of First Hop Security are as follows:
• Before enabling FHS on an interface or VLAN, we recommend carving the TCAM regions on Cisco Nexus 9300
and 9500 Series switches. To enable FHS successfully:
  • On an interface, you must carve the ifacl TCAM region.
  • On a VLAN, you must carve the necessary redirect TCAM region.
  • On a FEX interface, you must carve the fex-ipv6-ifacl TCAM region.
• Before enabling FHS on Cisco Nexus 9200 and 9300-EX Series switches, we recommend carving the ing-redirect
TCAM region.
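The TCAM prerequisites above (ifacl for interface policies, the redirect region for VLAN policies, fex-ipv6-ifacl for FEX interfaces, ing-redirect on 9200/9300-EX, and the 0-4096 limit on the fhs region) are easy to miss during a change, and a policy applied to an uncarved region fails. The following pre-check is an added example, not Cisco's code or anything from this guide: it parses running-config text and lists which prerequisites are missing for a given platform and policy scope. Assumptions made here: the TCAM carving line may appear either as "hardware profile tcam region ..." (the form quoted on this page) or as "hardware access-list tcam region ..."; the VLAN-level region is assumed to be literally named "redirect", since the page only calls it "the necessary redirect TCAM region"; and the sample configurations are constructed, not captured from a switch.

```python
import re

# Accept both the "hardware profile tcam region" form quoted on this page and the
# "hardware access-list tcam region" form (assumption: either prefix may appear).
TCAM_RE = re.compile(
    r"^\s*hardware\s+(?:access-list|profile)\s+tcam\s+region\s+(\S+)\s+(\d+)\s*$"
)
FEATURE_RE = re.compile(r"^\s*feature\s+(\S+)\s*$")

FHS_TCAM_MAX = 4096  # the page gives 0-4096 as the valid size range for the fhs region

# Regions the guidelines say to carve, keyed by where the FHS policy is applied.
# "redirect" for VLAN policies is an assumption: the page does not name it exactly.
SCOPE_REGIONS = {
    "interface": ["ifacl"],
    "vlan": ["redirect"],
    "fex": ["fex-ipv6-ifacl"],
}
# Platforms on which the page additionally recommends carving ing-redirect.
ING_REDIRECT_PLATFORMS = {"9200", "9300-EX"}


def parse_config(text):
    """Return (set of enabled features, {tcam region name: size}) from config text."""
    features, regions = set(), {}
    for line in text.splitlines():
        m = FEATURE_RE.match(line)
        if m:
            features.add(m.group(1))
            continue
        m = TCAM_RE.match(line)
        if m:
            regions[m.group(1)] = int(m.group(2))
    return features, regions


def required_regions(platform, scope):
    """Regions that must be carved before an FHS policy is applied at `scope`."""
    regions = list(SCOPE_REGIONS[scope])
    if platform in ING_REDIRECT_PLATFORMS:
        regions.append("ing-redirect")
    return regions


def check_fhs_prereqs(config_text, platform, scope):
    """List every prerequisite that is not met; an empty list means ready to go."""
    features, regions = parse_config(config_text)
    problems = []
    if "dhcp" not in features:
        problems.append("feature dhcp is not enabled")
    for name in required_regions(platform, scope):
        # A region that is absent or carved to size 0 cannot hold any policy entries.
        if regions.get(name, 0) == 0:
            problems.append(f"TCAM region {name} is not carved")
    fhs_size = regions.get("fhs")
    if fhs_size is not None and not 0 <= fhs_size <= FHS_TCAM_MAX:
        problems.append(f"fhs TCAM size {fhs_size} is outside 0-{FHS_TCAM_MAX}")
    return problems


# Constructed sample configurations (not captured from a real switch).
GOOD_CONFIG = """\
feature dhcp
hardware access-list tcam region ifacl 256
hardware access-list tcam region ing-redirect 256
hardware profile tcam region fhs 512
"""

BAD_CONFIG = """\
feature bgp
hardware access-list tcam region ifacl 0
hardware profile tcam region fhs 8192
"""

if __name__ == "__main__":
    for label, cfg, plat, scope in [("good", GOOD_CONFIG, "9300-EX", "interface"),
                                    ("bad", BAD_CONFIG, "9500", "interface")]:
        print(label, check_fhs_prereqs(cfg, plat, scope) or ["ok"])
```

Run it against the output of show running-config before applying a policy; a non-empty list names exactly the carving or feature step that is still missing for that platform and scope.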
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x: Configuring IPv6 First Hop Security