In the following example, the Layer 2 switch “SW-1” is connected to another Layer 2 switch “SW-2”, two hosts and a DHCP server. Switch “SW-2” is connected to two other hosts and a router. Out of the two hosts connected to SW-2, one is a malicious host, which can generate bogus RA packets to advertise route prefix, and can also generate bogus DHCP reply packets to configure wrong IPv6 address or wrong default gateway. By doing this, it tries denial-of-service or node-in-the-middle attacks. These attacks must be prevented as it affects all the nodes present in the Layer 2 network and FHS can be effective in preventing these attacks.
These attacks can spread over the entire Layer 2 network and thus can affect the hosts connected to SW-2 as well as the hosts connected to SW-1. If you enable FHS only on SW-2, then it could only save the nodes which are directly connected to it. To prevent the good node connected to SW-1 from these attacks, the SW-1 switch also should be FHS enabled.
The following figure shows the FHS deployment scenario topology.
By default, all the ports are trusted, until you configure DHCPv6 Guard or RA Guard policies.
See the following procedures to configure FHS RA Guard and DHCPv6 Guard for the preceding topology.