
V-272045

CAT II (Medium)

The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks.

Rule ID

SV-272045r1168271_rule

STIG

Cisco ACI Layer 2 Switch Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-004866, CCI-002385

Discussion

DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Each bridge domain has the option to configure a First Hop Security policy. If nothing is listed in the FHS policy, the common tenant's default policy should be the enforced settings. FHS features enable better IPv4 and IPv6 link security and management over layer 2 links. In a service provider environment, these features closely control address assignment and derived operations. Settings include the following DOD-required configurations:

  • Unknown Unicast Flood Blocking (UUFB) enabled.
  • DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources.
  • IP Source Guard enabled on all user-facing or untrusted access switch ports.
  • Dynamic Address Resolution Protocol (ARP) Inspection enabled on all user VLANs.

Satisfies: SRG-NET-000362-L2S-000025, SRG-NET-000362-L2S-000026, SRG-NET-000362-L2S-000027

Check Content

Verify the FHS policy is configured.

To validate the BD has FHS configured, navigate to Tenants >> {{Your_Tenant}} >> Networking >> Bridge domains >> {{your_BridgeDomain_Name}} >> Policy >> Advanced/Troubleshooting. Search for First Hop Security Policy.

To validate the First hop Security Policy settings, navigate to Tenants >> Policies >> Protocol >> First Hop Security.

If an FHS policy is not configured with all required settings, this is a finding.
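The check above is a manual GUI walk. As an added example (not part of the STIG text and not APIC's own API or object model), the following Python script applies the same decision logic to a constructed, simplified inventory: every bridge domain is resolved to its effective FHS policy (the common tenant default when nothing is listed), and any bridge domain whose effective policy lacks one of the four required settings is reported as a finding. The field names and the inventory are hypothetical.

```python
"""Audit bridge domains against STIG V-272045 FHS requirements.

Constructed example: the inventory below is a hand-built, simplified export,
not real APIC object data; field names are hypothetical and mirror the
settings the STIG names."""

# Settings the STIG requires in every enforced FHS policy.
REQUIRED_SETTINGS = ("uufb", "dhcp_snooping", "ip_source_guard", "dai")

# Constructed FHS policies keyed by "tenant/policy-name".
FHS_POLICIES = {
    "common/default": {"uufb": True, "dhcp_snooping": True,
                       "ip_source_guard": True, "dai": True},
    "prod/fhs-weak": {"uufb": True, "dhcp_snooping": True,
                      "ip_source_guard": False, "dai": True},
}

# Constructed bridge domains: (tenant, bd_name, fhs_policy or "" when unset).
BRIDGE_DOMAINS = [
    ("prod", "bd-users", "prod/fhs-weak"),
    ("prod", "bd-servers", ""),         # nothing listed: common default applies
    ("lab", "bd-test", "lab/missing"),  # references a policy that does not exist
]


def effective_policy(policy_ref):
    """Resolve a BD's FHS policy: blank means the common tenant default."""
    ref = policy_ref or "common/default"
    return ref, FHS_POLICIES.get(ref)


def audit_bd(tenant, bd_name, policy_ref):
    """Return (bd, resolved_ref, missing_settings) for one bridge domain.
    An unresolvable policy reports every required setting as missing."""
    ref, policy = effective_policy(policy_ref)
    if policy is None:
        missing = list(REQUIRED_SETTINGS)
    else:
        missing = [s for s in REQUIRED_SETTINGS if not policy.get(s)]
    return f"{tenant}/{bd_name}", ref, missing


def audit_all(bds=BRIDGE_DOMAINS):
    """Return findings for BDs whose effective policy lacks required settings."""
    return [f for f in (audit_bd(*bd) for bd in bds) if f[2]]


if __name__ == "__main__":
    for bd, ref, missing in audit_all():
        print(f"FINDING (CAT II): {bd} via {ref} missing {', '.join(missing)}")
```

A bridge domain with no policy listed passes only because the common tenant default in this inventory has all four settings enabled; the script treats a dangling policy reference as a full finding rather than silently falling back.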

Fix Text

Configure the FHS policy.

Tenants >> {{Your_Tenant}} >> Networking >> Bridge domains >> {{your_BridgeDomain_Name}} >> Policy >> Advanced/Troubleshooting

Create a First Hop Security Policy.