The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-272045 | SRG-NET-000705-L2S-000110 | CACI-L2-000017 | SV-272045r1168271_rule | 2025-12-11 | 1 |
| Description |
|---|
| DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Each bridge domain has the option to bind a First Hop Security (FHS) policy. If no FHS policy is listed on the bridge domain, the default policy in the common tenant is the one enforced. FHS features provide better IPv4 and IPv6 link security and management over layer 2 links; in a service provider environment, they closely control address assignment and the operations derived from it. Settings include the following DOD-required configurations: - Unknown Unicast Flood Blocking (UUFB) enabled. - DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources. - IP Source Guard enabled on all user-facing or untrusted access switch ports. - Dynamic Address Resolution Protocol (ARP) Inspection enabled on all user VLANs. Satisfies: SRG-NET-000362-L2S-000025, SRG-NET-000362-L2S-000026, SRG-NET-000362-L2S-000027 |
| ℹ️ Check |
|---|
| Verify the FHS policy is configured. To validate that the bridge domain has an FHS policy bound, navigate to Tenants >> {{Your_Tenant}} >> Networking >> Bridge domains >> {{your_BridgeDomain_Name}} >> Policy >> Advanced/Troubleshooting and locate the First Hop Security Policy field. A bridge domain whose field is empty inherits the default policy from the common tenant, so that policy must be checked as well. To validate the First Hop Security policy settings themselves, navigate to Tenants >> Policies >> Protocol >> First Hop Security. If an FHS policy is not configured with all required settings, this is a finding. |
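Clicking through every bridge domain does not scale past a handful of tenants, so the check above is easier to run against the APIC REST API. The script below is an added example, not part of the STIG or any Cisco tooling: it takes the JSON that APIC returns for a class query on `fvBD` (with the `fvRsBDToFhs` child) and on `fhsBDPol`, resolves each bridge domain's policy the way the description says ACI does (an empty relation name means the `default` policy, looked up in the bridge domain's own tenant and then in tenant `common`), and reports bridge domains whose policy cannot be resolved or leaves a required feature disabled. The class and attribute names (`fvBD`, `fvRsBDToFhs`/`tnFhsBDPolName`, `fhsBDPol` and its `ipInspectAdminSt`/`raGuardAdminSt`/`srcGuardAdminSt` attributes), the query paths in the comments, and the sample data are assumptions and constructed input; confirm the names in your APIC's API Inspector or Visore before relying on them.

```python
"""Audit Cisco ACI bridge domains for a First Hop Security (FHS) policy.

Added example, not STIG or Cisco code. Object class and attribute names
below are ASSUMED from the ACI object model; verify against your APIC.
"""
import json

# ASSUMED fhsBDPol attributes that must read "enabled" for a compliant policy.
REQUIRED_FHS_ATTRS = ("ipInspectAdminSt", "raGuardAdminSt", "srcGuardAdminSt")

# CONSTRUCTED sample: shape of the APIC responses one would fetch with
#   GET /api/class/fvBD.json?rsp-subtree=children&rsp-subtree-class=fvRsBDToFhs
#   GET /api/class/fhsBDPol.json
SAMPLE_BDS = json.dumps({"imdata": [
    {"fvBD": {"attributes": {"dn": "uni/tn-T1/BD-Users", "name": "Users"},
              "children": [{"fvRsBDToFhs": {"attributes": {"tnFhsBDPolName": "DOD-FHS"}}}]}},
    {"fvBD": {"attributes": {"dn": "uni/tn-T1/BD-Guest", "name": "Guest"},
              "children": [{"fvRsBDToFhs": {"attributes": {"tnFhsBDPolName": "Weak-FHS"}}}]}},
    # No FHS relation at all: ACI falls back to the "default" policy.
    {"fvBD": {"attributes": {"dn": "uni/tn-T1/BD-Printers", "name": "Printers"},
              "children": []}},
    # Dangling relation: names a policy that does not exist anywhere.
    {"fvBD": {"attributes": {"dn": "uni/tn-T1/BD-Lab", "name": "Lab"},
              "children": [{"fvRsBDToFhs": {"attributes": {"tnFhsBDPolName": "Missing-FHS"}}}]}},
]})
SAMPLE_POLICIES = json.dumps({"imdata": [
    {"fhsBDPol": {"attributes": {"dn": "uni/tn-T1/bdpol-DOD-FHS", "name": "DOD-FHS",
                                  "ipInspectAdminSt": "enabled", "raGuardAdminSt": "enabled",
                                  "srcGuardAdminSt": "enabled"}}},
    {"fhsBDPol": {"attributes": {"dn": "uni/tn-T1/bdpol-Weak-FHS", "name": "Weak-FHS",
                                  "ipInspectAdminSt": "enabled", "raGuardAdminSt": "disabled",
                                  "srcGuardAdminSt": "enabled"}}},
    {"fhsBDPol": {"attributes": {"dn": "uni/tn-common/bdpol-default", "name": "default",
                                  "ipInspectAdminSt": "enabled", "raGuardAdminSt": "enabled",
                                  "srcGuardAdminSt": "disabled"}}},
]})


def tenant_of(dn):
    """Return the tenant name from a DN such as uni/tn-T1/BD-Users."""
    for part in dn.split("/"):
        if part.startswith("tn-"):
            return part[3:]
    return None


def index_policies(policies_json):
    """Map (tenant, policy name) -> attribute dict for every fhsBDPol object."""
    policies = {}
    for obj in json.loads(policies_json)["imdata"]:
        attrs = obj["fhsBDPol"]["attributes"]
        policies[(tenant_of(attrs["dn"]), attrs["name"])] = attrs
    return policies


def resolve_policy(policies, tenant, rel_name):
    """Resolve a BD's FHS relation the way ACI does: an empty name means
    "default"; look in the BD's own tenant first, then in tenant common."""
    name = rel_name or "default"
    policy = policies.get((tenant, name)) or policies.get(("common", name))
    return policy, name


def audit_bds(bds_json, policies_json):
    """Return one finding dict per non-compliant bridge domain."""
    policies = index_policies(policies_json)
    findings = []
    for obj in json.loads(bds_json)["imdata"]:
        bd = obj["fvBD"]
        dn = bd["attributes"]["dn"]
        rel_name = ""
        for child in bd.get("children", []):
            if "fvRsBDToFhs" in child:
                rel_name = child["fvRsBDToFhs"]["attributes"].get("tnFhsBDPolName", "")
        policy, name = resolve_policy(policies, tenant_of(dn), rel_name)
        if policy is None:
            findings.append({"bd": dn, "policy": name, "finding": "no FHS policy resolved"})
            continue
        disabled = [a for a in REQUIRED_FHS_ATTRS if policy.get(a) != "enabled"]
        if disabled:
            findings.append({"bd": dn, "policy": name,
                             "finding": "disabled: " + ", ".join(disabled)})
    return findings


if __name__ == "__main__":
    for f in audit_bds(SAMPLE_BDS, SAMPLE_POLICIES):
        print(f"FINDING {f['bd']} (policy {f['policy']}): {f['finding']}")
```

Against the constructed sample the script flags `BD-Guest` (RA Guard disabled in `Weak-FHS`), `BD-Printers` (inherits the common tenant `default`, which has Source Guard disabled) and `BD-Lab` (relation points at a policy that does not exist); `BD-Users` passes. The fallback case is the one a manual GUI check most often misses, because the bridge domain page shows an empty field rather than the policy actually in force.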
| ✔️ Fix |
|---|
| Configure the FHS policy. Navigate to Tenants >> {{Your_Tenant}} >> Networking >> Bridge domains >> {{your_BridgeDomain_Name}} >> Policy >> Advanced/Troubleshooting and create a First Hop Security Policy with the required settings, then select it for the bridge domain. |