About First Hop Security
First-Hop Security (FHS) features enable a better IPv4 and IPv6 link security and management over the layer 2 links. In a service provider environment, these features closely control address assignment and derived operations, such as Duplicate Address Detection (DAD) and Address Resolution (AR).
The following supported FHS features secure these protocols and help build a secure endpoint database on the fabric leaf switches; that database is used to mitigate security threats such as man-in-the-middle (MIM) attacks and IP address theft:
- ARP Inspection—allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings.
- ND Inspection—learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables.
- DHCP Inspection—validates DHCP messages received from untrusted sources and filters out invalid messages.
- RA Guard—allows the network administrator to block or reject unwanted or rogue router advertisement (RA) messages.
- IPv4 and IPv6 Source Guard—blocks any data traffic from an unknown source.
- Trust Control—a trusted source is a device that is under your administrative control. These devices include the switches, routers, and servers in the fabric. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.
FHS features provide the following security measures:
- Role Enforcement—Prevents untrusted hosts from sending messages that are outside the scope of their role.
- Binding Enforcement—Prevents address theft.
- DoS Attack Mitigations—Prevents malicious endpoints from growing the endpoint database to the point where the database could stop providing operational services.
- Proxy Services—Provides some proxy services to increase the efficiency of address resolution.
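To make the ARP Inspection, Binding Enforcement and DoS-mitigation points above concrete, here is an added toy model (example code, not Cisco's implementation) of a per-bridge-domain binding table: ARP packets from untrusted ports are forwarded only when their sender IP/MAC/port match a learned binding, trusted ports bypass the check, and an assumed per-port cap bounds how far an untrusted port can grow the database. All packet fields and port names are constructed.

```python
"""Toy FHS binding-enforcement model: ARP inspection against a binding table
plus a cap on bindings per untrusted port. Example code, not Cisco's; the cap
value, port names and addresses are constructed for illustration."""
from dataclasses import dataclass, field

MAX_BINDINGS_PER_UNTRUSTED_PORT = 2  # assumed cap illustrating DoS mitigation


@dataclass
class BindingTable:
    # (bridge_domain, ip) -> (mac, port), as learned from DHCP/ND/ARP
    entries: dict = field(default_factory=dict)
    # ports under administrative control (Trust Control); host ports are untrusted
    trusted_ports: set = field(default_factory=set)

    def learn(self, bd, ip, mac, port):
        """Add a binding; an untrusted port may hold only a bounded number."""
        if port not in self.trusted_ports:
            held = sum(1 for (b, _), (_, p) in self.entries.items()
                       if b == bd and p == port)
            if held >= MAX_BINDINGS_PER_UNTRUSTED_PORT:
                return False  # refuse to let this port grow the database
        self.entries[(bd, ip)] = (mac, port)
        return True

    def inspect_arp(self, bd, sender_ip, sender_mac, ingress_port):
        """Return (forward, reason) for an ARP packet with these sender fields."""
        if ingress_port in self.trusted_ports:
            return True, "trusted port"
        bound = self.entries.get((bd, sender_ip))
        if bound is None:
            return False, "no binding for sender IP"
        mac, port = bound
        if mac != sender_mac or port != ingress_port:
            return False, "sender fields do not match binding"
        return True, "binding verified"
```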
FHS features are enabled on a per-tenant bridge domain (BD) basis. Because a bridge domain may be deployed on a single leaf switch or across multiple leaf switches, the FHS threat control and mitigation mechanisms cater to both single-switch and multiple-switch scenarios.
Beginning with Cisco APIC release 6.0(2), FHS is supported on the VMware DVS VMM domain. If you need to implement FHS within an EPG, enable intra-EPG isolation. If intra-EPG isolation is not enabled, the endpoints within the same VMware ESX port-group can bypass FHS. Even without intra-EPG isolation, FHS features still take effect for endpoints that are in different port-groups; for instance, FHS can prevent a compromised VM from poisoning the ARP table of another VM in a different port-group.