First Hop Security (FHS) improves local network security by employing a number of mitigation techniques. This section describes the base set of functionality, which protects against a wide range of rogue or misconfigured users and can be extended with additional features for different deployment scenarios. For example, consider the following topology.
Layer 2 switch SW-1 is connected to another Layer 2 switch, SW-2. SW-2 is connected to three hosts and SW-1 is connected to two hosts.
In this network, if FHS is enabled only on SW-1, it can protect only the nodes that are directly connected to it. To protect the good node connected to SW-2, FHS must be enabled on SW-2.
First Hop Security contains the majority of the RIPE 554 mandatory requirements for Layer 2 switches. This includes the following:
DHCPv6 Guard or DHCPv6 filtering
RA Guard or Router Advertisement filtering
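The placement argument above can be checked with a small model. This is an added example, not vendor code or switch configuration: the host names, the rogue host on SW-2, and the treatment of the SW-1 uplink as an untrusted port are assumptions. It floods a Router Advertisement or DHCPv6 server message from the rogue host and returns which hosts receive it for each FHS placement.

```python
from dataclasses import dataclass, field

# Message classes the two guards filter on untrusted ports:
# "RA" = ICMPv6 Router Advertisement (type 134),
# "DHCPV6_SERVER" = server-originated DHCPv6 (e.g. ADVERTISE, REPLY).
GUARDED = {"RA", "DHCPV6_SERVER"}

@dataclass
class Switch:
    name: str
    host_ports: list                              # one host per access port
    fhs: bool = False                             # RA Guard + DHCPv6 Guard enabled
    trusted: set = field(default_factory=set)     # ports allowed to source guarded messages
    neighbors: list = field(default_factory=list)

    def accepts(self, ingress, msg):
        """Ingress decision: guarded messages pass only on trusted ports."""
        if not self.fhs or msg not in GUARDED:
            return True
        return ingress in self.trusted

def flood(switch, ingress, msg, seen=None):
    """Flood msg through the Layer 2 domain; return the hosts that receive it."""
    seen = set() if seen is None else seen
    if switch.name in seen or not switch.accepts(ingress, msg):
        return set()
    seen.add(switch.name)
    reached = {h for h in switch.host_ports if h != ingress}
    for nb in switch.neighbors:
        if nb.name != ingress:
            reached |= flood(nb, switch.name, msg, seen)
    return reached

def victims(fhs_sw1, fhs_sw2, msg="RA"):
    """Hosts reached by a guarded message sent from the rogue host on SW-2."""
    # Constructed topology: SW-1 has two hosts, SW-2 has three (one rogue).
    sw1 = Switch("SW-1", ["host-A", "host-B"], fhs=fhs_sw1)
    sw2 = Switch("SW-2", ["host-C", "host-D", "rogue"], fhs=fhs_sw2)
    sw1.neighbors.append(sw2)
    sw2.neighbors.append(sw1)
    return sorted(flood(sw2, "rogue", msg))

if __name__ == "__main__":
    for sw1_on, sw2_on in [(False, False), (True, False), (True, True)]:
        print(f"FHS SW-1={sw1_on} SW-2={sw2_on}: rogue RA reaches {victims(sw1_on, sw2_on)}")
```

With FHS on SW-1 only, the rogue message is dropped at SW-1's uplink but still reaches the other hosts on SW-2, which receive it before any guarded port is crossed.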