The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272045 | CACI-L2-000017 | SV-272045r1114353_rule | CCI-004866 | medium |
| Description | ||||
| DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. FHS features enable better IPv4 and IPv6 link security and management over layer 2 links. In a service provider environment, these features closely control address assignment and derived operations. Settings include the following DOD-required configurations: - Unknown Unicast Flood Blocking (UUFB) enabled. - DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources. - IP Source Guard enabled on all user-facing or untrusted access switch ports. - Dynamic Address Resolution Protocol (ARP) Inspection enabled on all user VLANs. Satisfies: SRG-NET-000362-L2S-000025, SRG-NET-000362-L2S-000026, SRG-NET-000362-L2S-000027 | ||||
| STIG | Date | |||
| Cisco ACI Layer 2 Switch Security Technical Implementation Guide | 2025-06-13 | |||
Details
Check Text (C-272045r1114353_chk)
Verify the FHS policy is configured.
Note: This is an example. The exact configuration may vary with the site's architecture.
leaf4# show fhs bt all
The following settings must be enabled at a minimum:
- ip-inspection-admin-status enabled-both
- source-guard-admin-status enabled-both
- router-advertisement-guard-admin-status enabled
- router-advertisement-guard
- managed-config-check
- managed-config-flag
- other-config-check
- other-config-flag
- maximum-router-preference low
- minimum-hop-limit 10
- maximum-hop-limit 100
Trust-control tcpolicy settings:
- arp
- dhcpv4-server
- dhcpv6-server
- ipv6-router
- router-advertisement
- neighbor-discovery
If an FHS policy is not configured with all required settings, this is a finding.
Fix Text (F-76002r1114352_fix)
Configure the FHS policy.
Note: This is an example. The exact configuration may vary with the site's architecture.
Example:
apic1(config)# tenant <tenant name>
apic1(config-tenant)# first-hop-security
apic1(config-tenant-fhs)# security-policy secpol1
apic1(config-tenant-fhs-secpol)# ip-inspection-admin-status enabled-both
apic1(config-tenant-fhs-secpol)# source-guard-admin-status enabled-both
apic1(config-tenant-fhs-secpol)# router-advertisement-guard-admin-status enabled
apic1(config-tenant-fhs-secpol)# router-advertisement-guard
apic1(config-tenant-fhs-raguard)# managed-config-check
apic1(config-tenant-fhs-raguard)# managed-config-flag
apic1(config-tenant-fhs-raguard)# other-config-check
apic1(config-tenant-fhs-raguard)# other-config-flag
apic1(config-tenant-fhs-raguard)# maximum-router-preference low
apic1(config-tenant-fhs-raguard)# minimum-hop-limit 10
apic1(config-tenant-fhs-raguard)# maximum-hop-limit 100
apic1(config-tenant-fhs-raguard)# exit
apic1(config-tenant-fhs-secpol)# exit
apic1(config-tenant-fhs)# trust-control tcpol1
apic1(config-tenant-fhs-trustctrl)# arp
apic1(config-tenant-fhs-trustctrl)# dhcpv4-server
apic1(config-tenant-fhs-trustctrl)# dhcpv6-server
apic1(config-tenant-fhs-trustctrl)# ipv6-router
apic1(config-tenant-fhs-trustctrl)# router-advertisement
apic1(config-tenant-fhs-trustctrl)# neighbor-discovery
apic1(config-tenant-fhs-trustctrl)# exit
apic1(config-tenant-fhs)# exit
apic1(config-tenant)# bridge-domain bd1
apic1(config-tenant-bd)# first-hop-security security-policy secpol1
apic1(config-tenant-bd)# exit
apic1(config-tenant)# application ap1
apic1(config-tenant-app)# epg epg1
apic1(config-tenant-app-epg)# first-hop-security trust-control tcpol1
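An offline way to run this check against a saved listing, as an added example that is not part of the STIG or of Cisco's documentation: the Python below parses an NX-OS-style FHS configuration written in the command order the Fix Text uses (either a pasted `apic1(config...)#` transcript or the same commands without prompts) and reports every departure from the minimum settings in the Check Text. It also flags two conditions the Check Text implies but does not spell out: a bridge domain with no security policy bound (a policy that is bound nowhere enforces nothing) and a binding to a policy or trust-control name that was never defined. The input format, the tenant name `prod`, and both sample listings are assumptions for this example, not output captured from a fabric; `render_listing` builds the samples from the requirement tables so the weakened variant differs from the compliant one only in the ways its comment names.

```python
import re

# Strips a pasted APIC prompt ("apic1(config-tenant-fhs-secpol)# ") so a copied
# transcript and a bare command listing parse the same way.
PROMPT_RE = re.compile(r"^\S+\([^)]*\)#\s*")
# Block-opening keywords -> where the object is stored (None: context only).
BLOCKS = {"tenant": None, "application": None, "bridge-domain": "bd",
          "security-policy": "secpol", "trust-control": "trustctrl", "epg": "epg"}
# Minimum settings from the Check Text; "" marks a flag command that must be present.
REQUIRED_SECPOL = {"ip-inspection-admin-status": "enabled-both",
                   "source-guard-admin-status": "enabled-both",
                   "router-advertisement-guard-admin-status": "enabled"}
REQUIRED_RAGUARD = {"managed-config-check": "", "managed-config-flag": "",
                    "other-config-check": "", "other-config-flag": "",
                    "maximum-router-preference": "low",
                    "minimum-hop-limit": "10", "maximum-hop-limit": "100"}
REQUIRED_TRUST = {"arp", "dhcpv4-server", "dhcpv6-server", "ipv6-router",
                  "router-advertisement", "neighbor-discovery"}


def parse_fhs_config(text):
    """Enter a block on its keyword, leave it on 'exit'; collect policies and bindings."""
    cfg = {"secpol": {}, "raguard": {}, "trustctrl": {}, "bd": {}, "epg": {}}
    stack = []  # (store name or keyword, object name)
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line:
            continue
        kw, *args = line.split()
        ctx, name = stack[-1] if stack else (None, None)
        if kw == "exit":
            del stack[-1:]
        elif kw in BLOCKS:
            store, key = BLOCKS[kw], (f"{name}/{args[0]}" if kw == "epg" else args[0])
            if store:
                cfg[store].setdefault(key, set() if store == "trustctrl" else {})
            stack.append((store or kw, key))
        elif kw == "first-hop-security" and ctx in ("bd", "epg"):
            cfg[ctx][name]["bound"] = args[-1]       # policy bound to this BD or EPG
        elif kw == "first-hop-security":
            stack.append(("fhs", None))
        elif kw == "router-advertisement-guard" and ctx == "secpol" and not args:
            cfg["raguard"].setdefault(name, {})      # RA-guard block, keyed by its policy
            stack.append(("raguard", name))
        elif ctx in ("secpol", "raguard"):
            cfg[ctx][name][kw] = " ".join(args)      # flag-only commands store ""
        elif ctx == "trustctrl":
            cfg["trustctrl"][name].add(kw)
    return cfg


def _check(findings, label, settings, required):
    for key, want in required.items():
        if settings.get(key) != want:
            findings.append(f"{label}: {key} is {settings.get(key, 'unset') or 'set'}, required {want or 'set'}")


def audit(cfg):
    """Return finding strings; an empty list means the listing meets the Check Text's minimum."""
    findings = [f"no first-hop-security {n} defined" for k, n in
                (("secpol", "security-policy"), ("trustctrl", "trust-control")) if not cfg[k]]
    for pname, settings in cfg["secpol"].items():
        _check(findings, f"security-policy {pname}", settings, REQUIRED_SECPOL)
        if pname not in cfg["raguard"]:
            findings.append(f"security-policy {pname}: router-advertisement-guard block missing")
        else:
            _check(findings, f"security-policy {pname} RA guard", cfg["raguard"][pname], REQUIRED_RAGUARD)
    for tname, trusted in cfg["trustctrl"].items():
        findings += [f"trust-control {tname}: {t} not enabled" for t in sorted(REQUIRED_TRUST - trusted)]
    # A policy no bridge domain binds enforces nothing; a binding to an undefined name fails silently.
    for bd, entry in cfg["bd"].items():
        if "bound" not in entry:
            findings.append(f"bridge-domain {bd}: no FHS security-policy bound")
        elif entry["bound"] not in cfg["secpol"]:
            findings.append(f"bridge-domain {bd}: references undefined security-policy {entry['bound']}")
    for epg, entry in cfg["epg"].items():
        if "bound" in entry and entry["bound"] not in cfg["trustctrl"]:
            findings.append(f"epg {epg}: references undefined trust-control {entry['bound']}")
    return findings


def render_listing(secpol, raguard, trust, bd_policy="secpol1"):
    """Constructed sample (assumption) in the Fix Text's command order, prompts omitted."""
    lines = ["tenant prod", " first-hop-security", "  security-policy secpol1"]
    lines += [f"   {k} {v}".rstrip() for k, v in secpol.items()] + ["   router-advertisement-guard"]
    lines += [f"    {k} {v}".rstrip() for k, v in raguard.items()] + ["    exit", "  exit"]
    lines += ["  trust-control tcpol1"] + [f"   {t}" for t in sorted(trust)] + ["   exit", " exit"]
    lines += [" bridge-domain bd1", f"  first-hop-security security-policy {bd_policy}", " exit"]
    lines += [" application ap1", "  epg epg1", "   first-hop-security trust-control tcpol1"]
    return "\n".join(lines)


COMPLIANT = render_listing(REQUIRED_SECPOL, REQUIRED_RAGUARD, REQUIRED_TRUST)
# Weakened variant: IPv4-only inspection, no RA hop-limit ceiling, DHCPv6 server untrusted,
# bd1 bound to a policy name that was never defined, and bd2 with no policy at all.
WEAK = render_listing({**REQUIRED_SECPOL, "ip-inspection-admin-status": "enabled-ipv4"},
                      {k: v for k, v in REQUIRED_RAGUARD.items() if k != "maximum-hop-limit"},
                      REQUIRED_TRUST - {"dhcpv6-server"}, bd_policy="pol1") + "\n bridge-domain bd2\n exit"

if __name__ == "__main__":
    for label, listing in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, "->", audit(parse_fhs_config(listing)) or "no findings")
```

When running this against a real tenant, scope matters: the parser tracks only the tenant, first-hop-security, bridge-domain, application and epg blocks, so feed it the FHS-related portion of the tenant's running configuration rather than the whole fabric, and remove infrastructure bridge domains that intentionally carry no user VLAN from the unbound-BD result before recording it as a finding.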