Capturing and verifying FHS-specific packets against the configured policies

First Hop Security (FHS) filters can be installed only if FHS is enabled globally. The DHCPv6 Guard or RA Guard filters are created as part of the First Hop Security filter, with a port bitmask of “0”.

The following list identifies the high-level tasks to capture DHCPv6 packets received on a physical port:

  1. Enable FHS globally.

  2. Enable DHCPv6 Guard or RA Guard globally.

  3. Create a DHCPv6 Guard or an RA Guard policy.

  4. Configure RA Guard or DHCPv6 Guard device role on the port.

  5. Attach DHCPv6 Guard and/or RA Guard policy to a physical port if needed.

When you configure the RA Guard or DHCPv6 Guard device role on a port, the appropriate port bitmask for that port is updated in the data path filter.

RA or DHCPv6 server-initiated packets received on trusted ports (router or server ports) are sent to the local CPU for further validation. Packets that pass RA Guard and DHCPv6 Guard validation are forwarded towards the intended host or DHCPv6 client; packets that fail validation are dropped by the switch.
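
The capture-and-validate path described above can be modelled in a few lines. This is an added illustration, not the switch's own code: the one-bit-per-port bitmask layout, the names FhsFilter, classify, handle and ipv6, and the source allow-list used as the policy are all assumptions, and the packets are constructed samples.

```python
import ipaddress, struct

RA_TYPE = 134  # ICMPv6 Router Advertisement (RFC 4861)
DHCP6_SERVER_MSGS = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE"}  # RFC 8415

class FhsFilter:
    """Toy data-path filter: installed with port bitmask 0 (assumed layout)."""
    def __init__(self):
        self.port_mask = 0
    def set_trusted_role(self, port):
        # Assumption: configuring the device role sets the bit for that port.
        self.port_mask |= 1 << port
    def captures(self, port):
        return bool((self.port_mask >> port) & 1)

def classify(pkt):
    """Return 'RA', 'DHCPV6-<msg>' or None; extension headers are not walked."""
    if len(pkt) < 41 or pkt[0] >> 4 != 6:
        return None
    nxt, payload = pkt[6], pkt[40:]
    if nxt == 58 and payload[0] == RA_TYPE:
        return "RA"
    if nxt == 17 and len(payload) >= 9:
        sport = struct.unpack("!H", payload[:2])[0]
        if sport == 547 and payload[8] in DHCP6_SERVER_MSGS:
            return "DHCPV6-" + DHCP6_SERVER_MSGS[payload[8]]
    return None

def handle(flt, policy, port, pkt):
    """Model of the path described above: capture -> CPU validation -> verdict."""
    kind = classify(pkt)
    if kind is None:
        return "not-fhs"
    if not flt.captures(port):
        return "not-captured"  # behaviour for such ports is not stated on the page
    src = ipaddress.IPv6Address(pkt[8:24])
    allowed = policy["ra" if kind == "RA" else "dhcp"]  # hypothetical policy shape
    return "forward" if any(src in net for net in allowed) else "drop"

def ipv6(src, nxt, payload):
    """Build a constructed IPv6 packet to ff02::1 (sample input only)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nxt, 255)
    dst = ipaddress.IPv6Address("ff02::1").packed
    return hdr + ipaddress.IPv6Address(src).packed + dst + payload

# Constructed samples: checksums are zero and are not verified by this model.
RA_BODY = bytes([RA_TYPE, 0, 0, 0]) + bytes(12)
ADVERTISE = struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0, 0, 1])
POLICY = {"ra": [ipaddress.ip_network("fe80::1/128")],
          "dhcp": [ipaddress.ip_network("2001:db8::547/128")]}
```

For example, after set_trusted_role(3), handle(flt, POLICY, 3, ipv6("fe80::1", 58, RA_BODY)) returns "forward", while the same RA from a source outside the allow-list returns "drop".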