Figure 13: FHS Configuration with external DHCP relay
In the figure, the clients are located behind the vPC links with the default IPv6 snooping policy. On the links where DHCP server traffic arrives, you attach both an IPv6 snooping policy and an IPv6 DHCP guard policy (ipv6 snooping and ipv6 dhcp-guard attach-policy SERVER). Both the server- or relay-facing and the client-facing IPv6 snooping policies are needed to create client binding entries from DHCP control traffic, because IPv6 Snooping must see both the client and the server packets to create a binding. You must also configure the IPv6 DHCP Guard policy to allow the DHCP server traffic that the IPv6 Snooping policy inspects. Both vPC peers require the same configuration because the peers synchronize every client entry newly learnt on the vPC port.
DHCP Client Relay on Orphan Ports
In this configuration, you can connect the client via an orphan port. The IPv6 Snooping feature syncs client bindings only on vPC ports, not on orphan ports, because orphan ports are not directly connected to both vPC peers. In such a configuration, the IPv6 Snooping feature runs independently on both switches. The figure illustrates the following:
• On the first switch, you must attach the IPv6 Snooping policy on the client-facing interface. However, to accommodate DHCP server packets coming from a server on an orphan port behind the vPC peer, you must attach the policy at the VLAN level. In that case, the policy applied at the VLAN inspects both the client-facing interface traffic and the DHCP server traffic, so you do not need an individual IPv6 snooping policy per interface. Any DHCP traffic arriving via the vPC peer is also implicitly trusted; if policing is required, the vPC peer drops it automatically.
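The following configuration fragment is an added example, not taken from the guide, that puts the two topologies described above side by side: the vPC-link topology of the figure, where the snooping and DHCP guard policies are attached on the server-facing and client-facing interfaces of both peers, and the orphan-port topology, where the snooping policy is attached at the VLAN level so that DHCP server packets arriving behind the vPC peer are inspected. The policy name SERVER and the ipv6 dhcp-guard attach-policy form come from the page; the policy name CLIENT, the interface and VLAN numbers, and the exact keyword syntax of the policy sub-commands (device-role, trusted-port) are assumptions and should be checked against the command reference for your NX-OS release.

```text
! Added example (not from the guide). Names CLIENT/SERVER, interface and VLAN
! numbers, and policy sub-command syntax are assumed; verify against your release.

! ---- Policies: configure identically on BOTH vPC peers ----
! Snooping policy for ports that face hosts: bindings are learnt from DHCP.
ipv6 snooping policy CLIENT
  device-role node
! Snooping policy for the port that faces the DHCP server or relay.
ipv6 snooping policy SERVER
  device-role switch
! DHCP guard policy that admits server messages only on the server-facing port;
! the default (client) role drops DHCP server replies everywhere else.
ipv6 dhcp guard policy SERVER
  device-role server

! ---- Topology 1 (Figure 13): clients behind vPC links, server/relay on an uplink ----
! Client-facing vPC member port: snooping only; default DHCP guard role blocks
! any rogue server behind the client.
interface Ethernet1/1
  ipv6 snooping attach-policy CLIENT
! Server/relay-facing port: both the snooping policy and the DHCP guard policy,
! so the server's replies are inspected and allowed rather than dropped.
interface Ethernet1/10
  ipv6 snooping attach-policy SERVER
  ipv6 dhcp-guard attach-policy SERVER

! ---- Topology 2: client on an orphan port, server on an orphan port behind the peer ----
! Orphan-port bindings are not synchronized between peers, so the snooping policy
! is attached at the VLAN level: it then sees the client's packets on the orphan
! port and the server's packets arriving over the vPC peer link, and no
! per-interface snooping policy is needed.
vlan configuration 10
  ipv6 snooping attach-policy CLIENT
! The server's own orphan port on the peer still needs DHCP guard to permit replies.
interface Ethernet1/20
  ipv6 dhcp-guard attach-policy SERVER
```

After applying the configuration, confirm that a client binding exists on both peers for topology 1 (show ipv6 snooping binding, or the equivalent for your release) and that a DHCP reply that was not inspected by a server-role DHCP guard policy is dropped rather than forwarded; a binding that appears on only one peer in topology 1 usually means the snooping policies are not identical on both switches.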
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring IPv6 First Hop Security