n
About vPC First Hop Security Configuration
You can deploy IPv6 First Hop Security vPC in many ways. We recommend the following best practice
deployment scenarios:
• DHCP relay on-stack
• DHCP relay on vPC leg
• DHCP client and relay on orphan ports
DHCP Relay On-stack
In this deployment scenario, you can directly connect clients behind the vPC link, or behind an intermediary
switch with DHCP relay running on the Nexus switch. Connecting clients behind an intermediary switch with
DHCP relay running on the Nexus switch, is ideal because you can configure the IPv6 Snooping feature on
the vPC interface links directly, instead of at a VLAN level. Configuration at the interface level is efficient
for the following reasons:
• Control traffic (DHCP/ND) will not be redirected to CPU for processing on both vPC peers if it goes
over the peer link.
• Packets switched over the peer link aren’t processed a second time.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
371
Configuring IPv6 First Hop Security
About vPC First Hop Security Configuration