IPv6 global policies provide storage and access policy database services. IPv6 snooping, DHCPv6 guard, and IPv6 RA guard are IPv6 global policies features. Each time IPv6 snooping, DHCPv6 guard, or RA guard is configured globally, the policy attributes are stored in the software policy database. The policy is then applied to an interface, and the software policy database entry is updated to include this interface to which the policy is applied.

Use the hardware access-list tcam region ing-redirect tcam_size command, to configure FHS. You can resize the ing-racl region to allocate space to the ing-redirect region.

• Cisco Nexus 9200, 9300-EX, and 9300-FX/FX2 platform switches, FHS packets take the copp-s-dhcpreq queue for software processing.

• Cisco Nexus 9300, 9500 platform switches, N9K-X9432C-S line card use the class default.

Note	When you upgrade the Cisco Nexus Series switch to Cisco NX-OS Release 7.0(3)I7(1) using the In-Service Software Upgrades (ISSU), you must reload the Cisco NX-OS box before configuring the port level FHS policies.

A database table of IPv6 neighbors connected to the device is created from information sources such as IPv6 snooping. This database, or binding table is used by various IPv6 guard features to validate the link-layer address (LLA), the IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.

The IPv6 RA Guard feature provides support for allowing the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network device platform. RAs are used by devices to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 (L2) device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.

The Router Advertisement suggests to devices how to create or obtain a global unicast address and other addressing information for communicating on the link. The RA message uses four flags to tell devices how this is to be done:

1. Address Autoconfiguration flag (A flag): The A flag is enabled by default. This flag tells to hosts on the local link that the specified prefix can be used for IPv6 autoconfiguration.

2. Other Configuration flag (O flag): The O flag is disabled by default. This flag tells the host to get addressing information other than its global unicast address from a stateless DHCPv6 server. This information may include DNS server addresses and a domain name.

3. Managed Address Configuration flag (M flag): The M flag is disabled by default. This flag tells a host to use a stateful DHCPv6 server for its global unicast address and all other addressing information. When stateful DHCPv6 is required, use the ipv6 managed-config-flag command to enable the M Flag.

   Note	When the M flag is enabled, the A flag should usually be disabled. Manually enabling the M flag does not automatically disable the A flag. To disable the A flag, use the ipv6 nd prefix ipv6-prefix/prefix-length no-autoconfig command.

4. On-Link flag (L flag): The L flag is also enabled by default. The L flag identifies that a specific prefix is on this link or subnet. IPv6 does not perform the Logical AND hashing to determine whether a destination IP address is local to the link as IPv4 does. If the L flag is disabled, every packet is sent to the default gateway. The A flag and the L flag are advertised via ICMPv6 Router Advertisement (RA) by default.

The guidelines and limitations of IPv6 RA Guard are as follows:

• The IPv6 RA Guard feature does not offer protection in environments where IPv6 traffic is tunneled.

• Beginning with Cisco NX-OS Release 10.1(1), IPV6 RA guard is supported on Cisco Nexus 9300-GX platform switches.

• This feature is supported only in hardware when the ternary content addressable memory (TCAM) is programmed.

• This feature can be configured on a switch port interface in the ingress direction.

• This feature supports host mode and router mode.

• This feature is supported only in the ingress direction; it is not supported in the egress direction.

• This feature is supported on auxiliary VLANs and private VLANs (PVLANs). In the case of PVLANs, primary VLAN features are inherited and merged with port features.

• Packets dropped by the IPv6 RA Guard feature can be spanned.

The DHCPv6 Guard feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The filtering decision is determined by the device role assigned to the receiving switch port, trunk, or VLAN. This functionality helps to prevent traffic redirection or denial of service (DoS).

Packets are classified into one of the three DHCP type messages. All client messages are always switched regardless of device role. DHCP server messages are only processed further if the device role is set to server. Further processing of DHCP server advertisements occurs for server preference checking.

If the device is configured as a DHCP server, all the messages need to be switched, regardless of the device role configuration.

The guidelines and limitations of DHCPv6 Guard are as follows:

• If a packet arriving from DHCP server is a Relay Forward or a Relay Reply, only the device role is checked. In addition, IPv6 DHCP Guard doesn't apply the policy for a packet sent out by the local relay agent running on the switch.

IPv6 "snooping," feature bundles several Layer 2 IPv6 first-hop security features, which operates at Layer 2, or between Layer 2 and Layer 3, and provides IPv6 features with security and scalability. This feature mitigates some of the inherent vulnerabilities for the neighbor discovery mechanism, such as attacks on duplicate address detection (DAD), address resolution, device discovery, and the neighbor cache.

IPv6 snooping learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables and analyzes snooping messages in order to build a trusted binding table. IPv6 snooping messages that do not have valid bindings are dropped. An IPv6 snooping message is considered trustworthy if its IPv6-to-MAC mapping is verifiable.

When IPv6 snooping is configured on a target (which varies depending on platform target support and may include device ports, switch ports, Layer 2 interfaces, Layer 3 interfaces, and VLANs), capture instructions are downloaded to the hardware to redirect the snooping protocol and Dynamic Host Configuration Protocol (DHCP) for IPv6 traffic up to the switch integrated security features (SISF) infrastructure in the routing device. For snooping traffic, Neighbor Discovery Protocol (NDP) messages are directed to SISF. For DHCPv6, UDP messages sourced from dhcvp6_client and dhcvp_server ports are redirected.

IPv6 snooping registers its "capture rules" to the classifier, which aggregates all rules from all features on a given target and installs the corresponding ACL down into the platform-dependent modules. Upon receiving redirected traffic, the classifier calls all entry points from any registered feature (for the target on which the traffic is being received), including the IPv6 snooping entry point. This entry point is the last to be called, so any decision (such as drop) made by another feature supersedes the IPv6 snooping decision.

IPv6 snooping provides IPv6 host liveness tracking so that a neighbor table can be immediately updated when an IPv6 host disappears.

Additionally, IPv6 snooping is the foundation for many other IPv6 features that depend on an accurate binding table. It inspects snooping and DHCP messages on a link to glean addresses, and then populates the binding table with these addresses. This feature also enforces address ownership and limits the number of addresses any given node is allowed to claim.

The guidelines and limitations of IPv6 Snooping are as follows:

• You must perform the same configurations on both the vPC peers. Automatic consistency checker for IPv6 snooping is not supported.

• The IPv6 Snooping feature is supported only in hardware when the ternary content addressable memory (TCAM) is programed.

• This feature can be configured on a switch port interface or VLAN only on the ingress port.

• For IPv6 Snooping to learn DHCP bindings, it must see both server and client replies. A IPv6 snooping policy must be attached to both the client facing the interface (or VLAN) as well as the DHCP server facing interface (or VLAN). In the case of DHCP Relay, an IPv6 Snooping policy must be attached at the VLAN level to see the server replies.