Title

The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks. (Cat II impact)

Discussion

DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of DoS events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of DoS attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to DoS events. FHS features enable a better IPv4 and IPv6 link security and management over the layer 2 links. In a service provider environment, these features closely control address assignment and derived operations.

Check Content

Verify the FHS policy is configured. Note: This is an example. The exact configuration may vary with the site's architecture. leaf4# show fhs bt all If an FHS policy is not configured, this is a finding.

Fix Text

Configure the FHS policy. Note: This is an example. The exact configuration may vary with the site's architecture. Example: apic1(config)# tenant <tennant name> apic1(config-tenant)# first-hop-security apic1(config-tenant-fhs)# security-policy secpol1 apic1(config-tenant-fhs-secpol)# apic1(config-tenant-fhs-secpol)# ip-inspection-admin-status enabled-both apic1(config-tenant-fhs-secpol)# source-guard-admin-status enabled-both apic1(config-tenant-fhs-secpol)# router-advertisement-guard-admin-status enabled apic1(config-tenant-fhs-secpol)# router-advertisement-guard apic1(config-tenant-fhs-raguard)# apic1(config-tenant-fhs-raguard)# managed-config-check apic1(config-tenant-fhs-raguard)# managed-config-flag apic1(config-tenant-fhs-raguard)# other-config-check apic1(config-tenant-fhs-raguard)# other-config-flag apic1(config-tenant-fhs-raguard)# maximum-router-preference low apic1(config-tenant-fhs-raguard)# minimum-hop-limit 10 apic1(config-tenant-fhs-raguard)# maximum-hop-limit 100 apic1(config-tenant-fhs-raguard)# exit apic1(config-tenant-fhs-secpol1)# exit apic1(config-tenant-fhs)# trust-control tcpol1 pic1(config-tenant-fhs-trustctrl)# arp apic1(config-tenant-fhs-trustctrl)# dhcpv4-server apic1(config-tenant-fhs-trustctrl)# dhcpv6-server apic1(config-tenant-fhs-trustctrl)# ipv6-router apic1(config-tenant-fhs-trustctrl)# router-advertisement apic1(config-tenant-fhs-trustctrl)# neighbor-discovery apic1(config-tenant-fhs-trustctrl)# exit apic1(config-tenant-fhs)# exit apic1(config-tenant)# bridge-domain bd1 apic1(config-tenant-bd)# first-hop-security security-policy pol1 apic1(config-tenant-bd)# exit apic1(config-tenant)# application ap1 apic1(config-tenant-app)# epg epg1 apic1(config-tenant-app-epg)# first-hop-security trust-control tcpol1

Additional Identifiers

Rule ID: SV-272045r1064448_rule

Vulnerability ID: V-272045

Group Title: SRG-NET-000705-L2S-000110

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.