The following limitations exist in First Hop Security:
Fragmented RA and DHCPv6 server-initiated packets are dropped on the FHS-enabled switch.
DHCPv6 Guard and RA Guard do not work on devices connected on shared media or on tunneled interfaces.
DHCPv6 Guard or RA Guard policies are not VLAN or MLT based.
FHS is not supported on the Out Of Band (OOB) port on the switch.
Packets received on FHS ports that have more than one extension header and are destined to a link-local unicast or link-scope multicast address are dropped, because they cannot be classified as RA or DHCPv6 reply packets.
FHS can be bypassed at the first hop switch if malicious packets are destined to a global address and have more than one extension header.
If both FHS rules and IPv6 filters match a packet, the IPv6 filter takes precedence.
In a Layer 2 VSN, packets are not filtered based on FHS rules. Enable FHS on the required UNI ports to protect the connected devices from FHS attacks.
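As an added illustration of the two extension-header limitations above (not vendor code), this Python sketch walks the IPv6 extension header chain of a captured packet and reports which case it falls into, so a monitoring point can flag traffic the switch will not inspect. The function names, outcome labels and sample packets are constructed for this example. It assumes packets with at most one extension header are classifiable, walks only Hop-by-Hop, Routing, Fragment and Destination Options headers, and treats every destination that is neither link-local unicast nor link-scope multicast as the global case.

```python
import ipaddress
import struct

# Extension headers walked here (assumption: AH, ESP and others are out of scope).
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-options"}

def count_ext_headers(packet: bytes):
    """Return (extension header count, upper-layer protocol, destination)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = packet[6]
    dst = ipaddress.IPv6Address(packet[24:40])
    offset, count = 40, 0
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header chain")
        # Fragment header is fixed at 8 bytes; the others carry a length field.
        size = 8 if next_hdr == 44 else (packet[offset + 1] + 1) * 8
        next_hdr = packet[offset]
        offset += size
        count += 1
    return count, next_hdr, dst

def fhs_outcome(packet: bytes) -> str:
    """Map a packet to the behaviour the limitations list describes."""
    count, _, dst = count_ext_headers(packet)
    if count <= 1:
        return "classifiable"      # assumption: FHS can classify these
    link_scope_mcast = dst.packed[0] == 0xFF and dst.packed[1] & 0x0F == 2
    if dst.is_link_local or link_scope_mcast:
        return "dropped"           # cannot be classified, so the switch drops it
    return "not-inspected"         # global destination: FHS rules do not apply

def sample_packet(dst: str, ext_chain: list) -> bytes:
    """Constructed sample: IPv6 header, empty 8-byte extension headers and an
    ICMPv6 type 134 stub with no checksum (not valid on the wire)."""
    chain = ext_chain + [58]
    body = b"".join(bytes([nxt, 0]) + bytes(6) for nxt in chain[1:])
    body += bytes([134, 0, 0, 0])
    hdr = struct.pack("!IHBB", 6 << 28, len(body), chain[0], 255)
    src = ipaddress.IPv6Address("fe80::1").packed
    return hdr + src + ipaddress.IPv6Address(dst).packed + body

if __name__ == "__main__":
    for dst, chain in [("ff02::1", [60]), ("ff02::1", [0, 60]), ("2001:db8::10", [0, 60])]:
        print(dst, chain, fhs_outcome(sample_packet(dst, chain)))
```

Packets reported as `not-inspected` are the ones to cover with a compensating control, such as an IPv6 filter on the port or monitoring further along the path.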