Introduction to First-Hop Security
Layer 2 and Layer 3 switches operate in Layer 2 domains that use technologies such as server virtualization, Overlay Transport Virtualization (OTV), and Layer 2 mobility. These devices are sometimes referred to as "first hops", specifically when they face end nodes. The First-Hop Security feature protects end nodes and optimizes link operations on IPv6 or dual-stack networks.
First-Hop Security (FHS) is a set of features that optimize IPv6 link operation and help with scale in large Layer 2 domains. These features protect against a wide range of rogue or misconfigured users, and they can be extended with additional features for different deployment scenarios or attack vectors.
Beginning with Cisco Nexus Release 7.0(3)I7(1), the following FHS features are supported:
- IPv6 RA Guard
- DHCPv6 Guard
- IPv6 Snooping
Note: Use the feature dhcp command to enable the FHS features.
IPv6 Global Policies
IPv6 global policies provide storage and access services for the policy database. IPv6 snooping, DHCPv6 guard, and IPv6 RA guard are IPv6 global policy features. Each time IPv6 snooping, DHCPv6 guard, or RA guard is configured globally, the policy attributes are stored in the software policy database. When the policy is then applied to an interface or VLAN, the software policy database entry is updated to record the interface to which the policy is applied.
All port-level FHS policies are programmed in the ifacl TCAM region, while VLAN-level policies are programmed in the FHS region. Use the hardware profile tcam region fhs tcam_size command to configure the FHS region. The valid range for the TCAM size is 0-4096.
Note: When you upgrade the Cisco Nexus 3000 Series switch to Cisco NX-OS Release 7.0(3)I7(1), you must reload the Cisco NX-OS box before configuring the port-level FHS policies.
All FHS packets take the copp-s-dhcpreq queue for software processing.
IPv6 First-Hop Security Binding Table
A database, or binding table, of IPv6 neighbors connected to the device is built from information sources such as IPv6 snooping. The various IPv6 guard features use this binding table to validate the link-layer address (LLA), IPv6 address, and prefix bindings of neighbors, to prevent spoofing and redirect attacks.
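The following Python model illustrates the binding-table logic described above: bindings are learned from snooped neighbor information, later claims are validated against them, and advertised prefixes are checked against an allowed list in the style of RA guard. This is an added example written for this page, not NX-OS code; the class name, method names, and the sample addresses, MAC addresses, and port names are constructed for illustration.

```python
from ipaddress import IPv6Address, IPv6Network


class BindingTable:
    """Binding table: IPv6 address -> (link-layer address, port), learned by snooping."""

    def __init__(self, allowed_prefixes):
        # Prefixes an RA is allowed to advertise (RA guard style check)
        self.allowed = [IPv6Network(p) for p in allowed_prefixes]
        self.entries = {}

    def learn(self, ipv6, lla, port):
        """Record a binding snooped from ND/DHCPv6; refuse to overwrite a different owner."""
        addr = IPv6Address(ipv6)
        current = self.entries.get(addr)
        if current is not None and current != (lla, port):
            return False  # conflict: address already bound to another LLA/port
        self.entries[addr] = (lla, port)
        return True

    def check_source(self, ipv6, lla, port):
        """Validate the source of a neighbor-discovery claim against the table."""
        current = self.entries.get(IPv6Address(ipv6))
        if current is None:
            return "unknown"  # no binding yet: candidate for learning by snooping
        return "valid" if current == (lla, port) else "spoof"

    def check_ra_prefix(self, prefix):
        """RA guard style check: the advertised prefix must fall inside an allowed prefix."""
        net = IPv6Network(prefix)
        return any(net.subnet_of(allowed) for allowed in self.allowed)


def demo():
    # Constructed sample bindings and claims (not captured from a real network)
    table = BindingTable(["2001:db8:10::/48"])
    table.learn("2001:db8:10:1::10", "00:11:22:33:44:55", "Ethernet1/1")
    return {
        "same_host": table.check_source("2001:db8:10:1::10", "00:11:22:33:44:55", "Ethernet1/1"),
        "other_mac": table.check_source("2001:db8:10:1::10", "66:77:88:99:aa:bb", "Ethernet1/2"),
        "new_host": table.check_source("2001:db8:10:1::20", "66:77:88:99:aa:bb", "Ethernet1/2"),
        "relearn_conflict": table.learn("2001:db8:10:1::10", "66:77:88:99:aa:bb", "Ethernet1/2"),
        "good_prefix": table.check_ra_prefix("2001:db8:10:1::/64"),
        "rogue_prefix": table.check_ra_prefix("2001:db8:bad::/64"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```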