hit counter script

Dhcp Client Relay On Orphan Ports - Cisco Nexus 9000 Series Configuration Manual

Nx-os security configuration guide, release 9.x
Hide thumbs Also See for Nexus 9000 Series:
Table of Contents

Advertisement

Configuring IPv6 First Hop Security
Figure 13: FHS Configuration with external DHCP relay
In the figure, the clients are located behind the vPC links with the default IPv6 snooping policy. You can
attach both ipv6 snooping and ipv6 dhcp-guard attach-policy SERVER policies to the links where DHCP
server traffic arrives. You will need both the server or relay facing and client facing IPv6 snooping policies
to create the client binding entries via DHCP control traffic. This is because IPv6 Snooping needs to see both
the client and server packets to create the binding. You must also configure the IPv6 DHCP Guard policy to
allow DHCP server traffic by the IPv6 Snooping policy. Both peers require the same configuration because
the vPC peers synch all newly learnt client entries learnt on the vPC port.

DHCP Client Relay on Orphan Ports

In this configuration, you can connect the client via an orphan port. The IPv6 Snooping feature only syncs
client bindings on vPC ports, but not on orphan ports as these are not directly connected to both vPC peers.
In such a configuration, the IPv6 Snooping feature runs independently on both switches. The figure illustrates
the following:
• On the first switch, you must attach the IPv6 Snooping policy on the client facing interface. However,
to accommodate DHCP server packets coming from the server on an orphan port behind the vPC peer,
you must attach the policy at the VLAN level. In such a case, the policy applied at the VLAN inspects
both the client traffic interface and DHCP server traffic. You do not require an individual IPv6 snooping
policy per interface. Any DHCP traffic arriving via the vPC peer is also implicitly trusted and if policing
is required, the vPC peer automatically drops it.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
DHCP Client Relay on Orphan Ports
373

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents

Save PDF