Title

The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks. (Cat II impact)

Discussion

DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. FHS features enable a better IPv4 and IPv6 link security and management over the layer 2 links. In a service provider environment, these features closely control address assignment and derived operations. Setting include the following DOD required configurations: - Unknown Unicast Flood Blocking (UUFB) enabled. - DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources. - IP Source Guard enabled on all user-facing or untrusted access switch ports. - Dynamic Address Resolution Protocol (ARP) Inspection enabled on all user VLANs. Satisfies: SRG-NET-000362-L2S-000025, SRG-NET-000362-L2S-000026, SRG-NET-000362-L2S-000027

Check Content

Verify the FHS policy is configured. Note: This is an example. The exact configuration may vary with the site's architecture. leaf4# show fhs bt all The following settings must be enabled at a minimum: - ip-inspection-admin-status enabled-both - source-guard-admin-status enabled-both - router-advertisement-guard-admin-status enabled - router-advertisement-guard - managed-config-check - managed-config-flag - other-config-check - other-config-flag - maximum-router-preference low - minimum-hop-limit 10 - maximum-hop-limit 100 Trust-control tcpolicy settings: - arp - dhcpv4-server - dhcpv6-server - ipv6-router - router-advertisement - neighbor-discovery If an FHS policy is not configured with all required settings, this is a finding.

Fix Text

Configure the FHS policy. Note: This is an example. The exact configuration may vary with the site's architecture. Example: apic1(config)# tenant <tenant name> apic1(config-tenant)# first-hop-security apic1(config-tenant-fhs)# security-policy secpol1 apic1(config-tenant-fhs-secpol)# apic1(config-tenant-fhs-secpol)# ip-inspection-admin-status enabled-both apic1(config-tenant-fhs-secpol)# source-guard-admin-status enabled-both apic1(config-tenant-fhs-secpol)# router-advertisement-guard-admin-status enabled apic1(config-tenant-fhs-secpol)# router-advertisement-guard apic1(config-tenant-fhs-raguard)# apic1(config-tenant-fhs-raguard)# managed-config-check apic1(config-tenant-fhs-raguard)# managed-config-flag apic1(config-tenant-fhs-raguard)# other-config-check apic1(config-tenant-fhs-raguard)# other-config-flag apic1(config-tenant-fhs-raguard)# maximum-router-preference low apic1(config-tenant-fhs-raguard)# minimum-hop-limit 10 apic1(config-tenant-fhs-raguard)# maximum-hop-limit 100 apic1(config-tenant-fhs-raguard)# exit apic1(config-tenant-fhs-secpol1)# exit apic1(config-tenant-fhs)# trust-control tcpol1 apic1(config-tenant-fhs-trustctrl)# arp apic1(config-tenant-fhs-trustctrl)# dhcpv4-server apic1(config-tenant-fhs-trustctrl)# dhcpv6-server apic1(config-tenant-fhs-trustctrl)# ipv6-router apic1(config-tenant-fhs-trustctrl)# router-advertisement apic1(config-tenant-fhs-trustctrl)# neighbor-discovery apic1(config-tenant-fhs-trustctrl)# exit apic1(config-tenant-fhs)# exit apic1(config-tenant)# bridge-domain bd1 apic1(config-tenant-bd)# first-hop-security security-policy pol1 apic1(config-tenant-bd)# exit apic1(config-tenant)# application ap1 apic1(config-tenant-app)# epg epg1 apic1(config-tenant-app-epg)# first-hop-security trust-control tcpol1

Additional Identifiers

Rule ID: SV-272045r1114353_rule

Vulnerability ID: V-272045

Group Title: SRG-NET-000705-L2S-000110

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.