Cisco ACI Layer 2 Switch Security Technical Implementation Guide

  • Version/Release: V1R0.1
  • Published: 2025-02-05
  • Released: 2025-02-07

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The Cisco ACI layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.
IA-3 - High - CCI-000778 - V-272029 - SV-272029r1064432_rule
RMF Control
IA-3
Severity
High
CCI
CCI-000778
Version
CACI-L2-000001
Vuln IDs
  • V-272029
Rule IDs
  • SV-272029r1064432_rule
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.
Checks: C-76079r1064301_chk

Verify the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant.

Verify the 802.1X Port Authentication policy is configured correctly:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Interface >> 802.1X Port Authentication.
2. Right-click "802.1X Port Authentication" and review each 802.1X Port Authentication Policy.
   - In the Host Mode field, verify "Single Host" is selected.
   - In the MAC Auth field, verify "EAP_FALLBACK_MAB" is selected.

Verify 802.1X Node Authentication is associated with the 802.1X Port Authentication Policy to a Fabric Access Group:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Switch >> 802.1X Node Authentication.
2. Right-click "802.1X Node Authentication" and review each 802.1X Node Authentication Policy.
   - In the Failed-auth EPG field, verify the tenant, application profile, and EPG to deploy to if authentication fails is configured.
   - In the Failed-auth VLAN field, verify the VLAN to deploy to if authentication fails is selected.

Verify the 802.1X Node Authentication Policy is applied to each Leaf Switch Policy Group:
1. Navigate to Fabric >> External Access Policies >> Switches >> Leaf Switches >> Policy Groups.
2. Right-click "Policy Groups" to inspect each Access Switch Policy Group.

Verify the 802.1X Node Authentication Policy is applied to a Leaf Interface Profile:
1. Navigate to Fabric >> External Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
2. Right-click "Profiles" and select "Leaf Interface Profile".
3. Expand the Interface Selectors table to review the Access Port Selector(s).

If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.

Fix: F-75986r1063483_fix

Configure 802.1x authentication on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAB must be configured. The following is an example.

Step 1: Configure a Policy Group.
apic1(config)# template policy-group <mygroup policy name>
apic1(config-pol-grp-if)# switchport port-authentication <mydot1x>
apic1(config-port-authentication)# host-mode multi-host
apic1(config-port-authentication)# dot1x port-control mab
apic1(config-port-authentication)# no shutdown

Step 2: Configure the leaf interface profile.
apic1(config)# leaf-interface-profile <myleafprofile_name>
apic1(config-leaf-if-profile)# leaf-interface-group <myinterfacegroup_name>
apic1(config-leaf-if-group)# interface g1/0 - 8
apic1(config-leaf-if-group)# policy-group <mygroup policy name>

Step 3: Configure the leaf profile.
apic1(config)# leaf-profile <myleafprofile_name>
apic1(config-leaf-profile)# leaf-group <myleafgrp_name>
apic1(config-leaf-group)# leaf <myleaf_ID#>

Step 4: Apply an interface policy on the leaf switch profile.
apic1(config-leaf-profile)# leaf-interface-profile <myprofile_name>

Step 5: Configure 802.1x with MAC bypass on an interface.
apic1(config)# interface Ethernet1/1
apic1(config-if)# dot1x port-control mab

The Cisco ACI layer 2 switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
IA-7 - Medium - CCI-000803 - V-272030 - SV-272030r1064433_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
CACI-L2-000002
Vuln IDs
  • V-272030
Rule IDs
  • SV-272030r1064433_rule
VTP provides central management of VLAN domains, thus reducing administration in a switched network. When configuring a new VLAN on a VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP pruning preserves bandwidth by preventing VLAN traffic (unknown MAC, broadcast, multicast) from being sent down trunk links when not needed, that is, when there are no access switch ports in neighboring switches belonging to such VLANs. An attack can force a digest change for the VTP domain, enabling a rogue device to become the VTP server, which could allow unauthorized access to previously blocked VLANs or allow the addition of unauthorized switches into the domain. Authenticating VTP messages with a cryptographic hash function can reduce the risk of the VTP domain being compromised.
Checks: C-76080r1064120_chk

Verify a VPC Interface policy is applied to the host-facing VLAN tunnels:
1. Click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
2. Right-click "Profiles" and select "Leaf Interface Profile".
3. In the Interface IDs field, review the interfaces for VLAN tunnels and verify a Dot1q Tunnel interface policy has been included.

Verify a static binding of the tunnel configuration to the VLAN ports:
1. Click Tenant >> Networking >> Dot1Q Tunnels.
2. Expand Dot1Q Tunnels and verify that one or more Dot1Q Tunnels have been bound to the interface using Static Binding.

If VTP is enabled on the switch and is not authenticating VTP messages with a hash function using a configured password, this is a finding.

Fix: F-75987r1063486_fix

Configure 802.1x authentication on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAC Authentication Bypass must be configured. When configuring the interface for a leaf switch, the port security policy can be chosen from the list of available port security policies.

Create an 802.1X Port Authentication Policy:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Interface >> 802.1X Port Authentication.
2. Right-click "802.1X Port Authentication" to open Create 802.1X Port Authentication Policy and fill out the form.
   - In the Host Mode field, select "Single Host—For allowing only one host per port".
   - In the MAC Auth field, select "EAP_FALLBACK_MAB".
   - Click "Submit".

Configure 802.1X Node Authentication and associate the 802.1X Port Authentication Policy to a Fabric Access Group:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Switch >> 802.1X Node Authentication.
   - Right-click "802.1X Node Authentication" to open Create 802.1X Node Authentication Policy.
   - In the Failed-auth EPG field, select the tenant, application profile, and EPG to deploy to in the case of failed authentication.
   - In the Failed-auth VLAN field, select the VLAN to deploy to in the case of failed authentication.
2. To associate the 802.1X Node Authentication Policy to a Leaf Switch Policy Group, navigate to Fabric >> External Access Policies >> Switches >> Leaf Switches >> Policy Groups.
   - Right-click "Policy Groups" to open Create Access Switch Policy Group.
   - In the 802.1X Node Authentication Policy field, select the policy previously created.
   - Click "Submit".
3. To associate the 802.1X Node Authentication Policy to a Leaf Interface Profile, navigate to Fabric >> External Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
   - Right-click "Profiles" to open Create Leaf Interface Profile.
   - Expand the Interface Selectors table to open the Create Access Port Selector dialog box and fill out the form.
   - In the Interface Policy Group field, select the previously created policy and click "OK".
   - Click "Submit".

The Cisco ACI layer 2 switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
SC-5 - Medium - CCI-001095 - V-272031 - SV-272031r1064434_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
CACI-L2-000003
Vuln IDs
  • V-272031
Rule IDs
  • SV-272031r1064434_rule
DoS is a condition that occurs when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).
Checks: C-76081r1064122_chk

Verify a VPC Interface policy is applied to the host-facing VLAN tunnels:
1. Click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
2. Right-click "Profiles" and select "Leaf Interface Profile".
3. In the Interface IDs field, review the interfaces for VLAN tunnels and verify a Dot1q Tunnel interface policy has been included.

Verify a static binding of the tunnel configuration to the VLAN ports:
1. Click Tenant >> Networking >> Dot1Q Tunnels.
2. Expand Dot1Q Tunnels and verify that one or more Dot1Q Tunnels have been bound to the interface using Static Binding.

If quality of service (QoS) has not been enabled, this is a finding.

Fix: F-75988r1064303_fix

Configure 802.1Q tunnel interfaces. Configure the interfaces that will use the tunnel.

Create an L2 Interface Policy:
1. On the menu bar, click Fabric >> Access Policies.
2. On the Navigation bar, click Policies >> Interface >> L2 Interface.
3. Right-click "L2 Interface", select "Create L2 Interface Policy", and fill in the form.
   - To create an interface policy that enables an interface to be used as an edge port in a Dot1q Tunnel, in the QinQ field, click "edgePort".
   - To create an interface policy that enables an interface to be used as a core port in Dot1q Tunnels, in the QinQ field, click "corePort".

Apply the L2 Interface policy to a Policy Group:
1. Click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups.
2. Right-click "VPC Interface", choose "Create VPC Policy Group", and fill out the form.
3. In the L2 Interface Policy field, click the down arrow and choose the L2 Interface Policy previously created.
4. To use VTP for Layer 2 protocol tunneling, CDP must be enabled on the tunnel. Click the "CDP Policy" down arrow.
5. In the policy dialog box, add a name for the policy and disable the Admin State.
6. Click "Submit".

Create a Leaf Interface Profile:
1. Click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
2. Right-click "Profiles", select "Create Leaf Interface Profile", and fill out the form.
3. In the Interface Selectors field, click the "+" and fill out the form.
   - In the Interface IDs field, enter the Dot1q Tunnel interface or multiple interfaces to be included in the tunnel.
   - In the Interface Policy Group field, click the down arrow and select the previously created interface policy group.

Create a static binding of the tunnel configuration to a port:
1. Click Tenant >> Networking >> Dot1Q Tunnels.
2. Expand Dot1Q Tunnels, click the previously created Dot1Q Tunnels policy_name, and fill out the form.
3. Expand the Static Bindings table to open the Create Static Binding dialog box.
   - In the Port field, select the type of port.
   - In the Node field, select a node from the drop-down.
   - In the Path field, select the interface path from the drop-down.
4. Click "Submit".

The Cisco ACI layer 2 switch must authenticate all network-connected endpoint devices before establishing any connection.
IA-3 - Medium - CCI-001958 - V-272032 - SV-272032r1064573_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
CACI-L2-000004
Vuln IDs
  • V-272032
Rule IDs
  • SV-272032r1064573_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures [SOA]), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.
Checks: C-76082r1064572_chk

Verify the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant.

Verify the 802.1X Port Authentication policy is configured correctly:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Interface >> 802.1X Port Authentication.
2. Right-click "802.1X Port Authentication" and review each 802.1X Port Authentication Policy.
   - In the Host Mode field, verify "Single Host" is selected.
   - In the MAC Auth field, verify "EAP_FALLBACK_MAB" is selected.

Verify 802.1X Node Authentication is associated with the 802.1X Port Authentication Policy to a Fabric Access Group:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Switch >> 802.1X Node Authentication.
2. Right-click "802.1X Node Authentication" and review each 802.1X Node Authentication Policy.
   - In the Failed-auth EPG field, verify the tenant, application profile, and EPG to deploy to in the case of failed authentication is configured.
   - In the Failed-auth VLAN field, verify the VLAN to deploy to in the case of failed authentication is selected.

Verify the 802.1X Node Authentication Policy is applied to each Leaf Switch Policy Group:
1. Navigate to Fabric >> External Access Policies >> Switches >> Leaf Switches >> Policy Groups.
2. Right-click "Policy Groups" to inspect each Access Switch Policy Group.

Verify the 802.1X Node Authentication Policy is applied to a Leaf Interface Profile:
1. Navigate to Fabric >> External Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
2. Right-click "Profiles" and select "Leaf Interface Profile".
3. Expand the Interface Selectors table to review the Access Port Selector(s).

If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.

Fix: F-75989r1064306_fix

Configure 802.1x authentication on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAB must be configured. When configuring the interface for a leaf switch, the port security policy can be chosen from the list of available port security policies.

Create an 802.1X Port Authentication Policy:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Interface >> 802.1X Port Authentication.
2. Right-click "802.1X Port Authentication" to open Create 802.1X Port Authentication Policy and fill out the form.
   - In the Host Mode field, select "Single Host—For allowing only one host per port".
   - In the MAC Auth field, select "EAP_FALLBACK_MAB".
   - Click "Submit".

Configure 802.1X Node Authentication and associate the 802.1X Port Authentication Policy to a Fabric Access Group:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Switch >> 802.1X Node Authentication.
   - Right-click "802.1X Node Authentication" to open Create 802.1X Node Authentication Policy.
   - In the Failed-auth EPG field, select the tenant, application profile, and EPG to deploy to in the case of failed authentication.
   - In the Failed-auth VLAN field, select the VLAN to deploy to in the case of failed authentication.
2. To associate the 802.1X Node Authentication Policy to a Leaf Switch Policy Group, navigate to Fabric >> External Access Policies >> Switches >> Leaf Switches >> Policy Groups.
   - Right-click "Policy Groups" to open Create Access Switch Policy Group.
   - In the 802.1X Node Authentication Policy field, select the previously created policy.
   - Click "Submit".
3. To associate the 802.1X Node Authentication Policy to a Leaf Interface Profile, navigate to Fabric >> External Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
   - Right-click "Profiles" to open Create Leaf Interface Profile.
   - Expand the Interface Selectors table to open the Create Access Port Selector dialog box and fill out the form.
   - In the Interface Policy Group field, select the previously created policy and click "OK".
   - Click "Submit".

The Cisco ACI layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) enabled.
SC-5 - Medium - CCI-002385 - V-272033 - SV-272033r1064436_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CACI-L2-000005
Vuln IDs
  • V-272033
Rule IDs
  • SV-272033r1064436_rule
Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards it to the access layer switch and there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the frame will be sent to all forwarding ports within the respective VLAN, which causes flooding. Large amounts of flooded traffic can saturate low-bandwidth links, causing network performance issues or complete connectivity outage to the connected devices. Unknown unicast flooding has been a nagging problem in networks that have asymmetric routing and default timers. To mitigate the risk of a connectivity outage, the Unknown Unicast Flood Blocking (UUFB) feature must be implemented on all access layer switches. The UUFB feature will block unknown unicast traffic flooding and only permit egress traffic with MAC addresses that are known to exit on the port. To block unicast traffic on a Cisco APIC, configure a security policy within a bridge domain (BD) to filter specific unicast IP addresses or address ranges, effectively blocking traffic from those sources; this is achieved by leveraging the APIC's policy-based forwarding capabilities, which allow granular control over traffic based on defined criteria like source/destination IP addresses and protocols.
Checks: C-76083r1064127_chk

Verify each Bridge Domain used is configured to block unknown unicast traffic:
1. In the APIC GUI Navigation pane, select "Tenant" and inspect each Tenant's Bridge Domain configuration.
2. Expand Networking and right-click each Bridge Domain.
   - Verify the L2 Unknown Unicast box is set to "Flood".

If any user-facing or untrusted access switch ports do not have UUFB enabled, this is a finding.

Fix: F-75990r1064128_fix

Create and configure each Bridge Domain to enable unknown unicast flood blocking:
1. In the APIC GUI Navigation pane, select "Tenant" and complete the following for each tenant listed.
2. Expand Networking and right-click "Create Bridge Domain" to open the dialog box and fill out the form.
   - In the L2 Unknown Unicast box, select "Flood".
3. Click "NEXT".
4. Complete the Bridge Domain configuration and click "Finish".

The Cisco ACI layer 2 switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
SC-5 - Medium - CCI-002385 - V-272034 - SV-272034r1064437_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CACI-L2-000006
Vuln IDs
  • V-272034
Rule IDs
  • SV-272034r1064437_rule
In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host ports and unknown DHCP servers are considered untrusted sources. An unknown DHCP server on an untrusted port is called a spurious DHCP server: any device (PC, wireless access point) that has a DHCP server enabled. The DHCP snooping feature determines whether traffic sources are trusted or untrusted. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping allows switches on the network to trust the port a DHCP server is connected to and not trust the other ports. The DHCP snooping feature validates DHCP messages received from untrusted sources, filters out invalid messages, and rate-limits DHCP traffic from trusted and untrusted sources. The DHCP snooping feature builds and maintains a binding database, which contains information about untrusted hosts with leased IP addresses, and it uses the database to validate subsequent requests from untrusted hosts. Other security features, such as IP Source Guard and Dynamic Address Resolution Protocol (ARP) Inspection (DAI), also use information stored in the DHCP snooping binding database. Hence, it is imperative that the DHCP snooping feature is enabled on all VLANs.
Checks: C-76084r1063497_chk

In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
1. On the menu bar, click Tenants >> Tenant_name.
2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
3. Expand Feature Policy and verify DHCP Inspection is enabled for both IPv4 and IPv6.

If the switch does not have DHCP snooping enabled for all access switch ports, this is a finding.

Fix: F-75991r1063498_fix

In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
1. On the menu bar, click Tenants >> Tenant_name.
2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
3. Right-click "First Hop Security" to open Create Feature Policy and fill out the form.
   - Check the "DHCP Inspection" option box.
   - Enable for both IPv4 and IPv6.
4. Click "Submit".

The Cisco ACI layer 2 switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
SC-5 - Medium - CCI-002385 - V-272035 - SV-272035r1064438_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CACI-L2-000007
Vuln IDs
  • V-272035
Rule IDs
  • SV-272035r1064438_rule
IP Source Guard provides source IP address filtering on a layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted layer 2 access ports. Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.
Checks: C-76085r1063500_chk

In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
1. On the menu bar, click Tenants >> Tenant_name.
2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
3. Expand Feature Policy and verify Source Guard is enabled for both IPv4 and IPv6.

If the switch does not have Source Guard enabled on user-facing or untrusted access switch ports, this is a finding.

Fix: F-75992r1063501_fix

In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
1. On the menu bar, click Tenants >> Tenant_name.
2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
3. Right-click "First Hop Security" to open Create Feature Policy and fill out the form.
   - Check the "Source Guard" option box.
   - Enable for both IPv4 and IPv6.
4. Click "Submit".

The Cisco ACI layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection enabled on all user VLANs.
SC-5 - Medium - CCI-002385 - V-272036 - SV-272036r1064439_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CACI-L2-000008
Vuln IDs
  • V-272036
Rule IDs
  • SV-272036r1064439_rule
DAI intercepts Address Resolution Protocol (ARP) requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
Checks: C-76086r1063503_chk

In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
1. On the menu bar, click Tenants >> Tenant_name.
2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
3. Expand "Feature Policy" and verify ARP Inspection is enabled for both IPv4 and IPv6.

If the switch does not have ARP Inspection enabled on user-facing or untrusted access switch ports, this is a finding.

Fix: F-75993r1063504_fix

In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants:
1. On the menu bar, click Tenants >> Tenant_name.
2. In the Navigation pane, click Policies >> Protocol >> First Hop Security.
3. Right-click "First Hop Security" to open Create Feature Policy and fill out the form.
   - Check the "ARP Inspection" option box.
   - Enable for both IPv4 and IPv6.
4. Click "Submit".

The Cisco ACI layer 2 switch must enable port security.
SC-5 - Medium - CCI-002385 - V-272037 - SV-272037r1064440_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CACI-L2-000009
Vuln IDs
  • V-272037
Rule IDs
  • SV-272037r1064440_rule
The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. The port security feature support is available for physical ports, port channels, and virtual port channels.
Checks: C-76087r1064133_chk

Review the port security policies for compliance:
1. In the GUI menu bar, click Fabric >> Access Policies.
2. In the Navigation pane, expand Policies >> Interface >> Port Security.
3. Select each port security policy used and verify the following:
   - Port Security Timeout is set to "600 seconds".
   - Violation Action is set to "Protect mode".
   - Maximum Endpoints is set to "1".

Verify port security is active on all appropriate host-facing interfaces:
1. In the Navigation pane, click Fabric >> Inventory >> Topology.
2. Verify that each leaf has been configured to use a correctly configured port security policy.

If port security is not configured and enabled, this is a finding.

Fix: F-75994r1064134_fix

Create a port security policy. The port security policy can be created new or chosen from the list of available port security policies.
1. In the GUI menu bar, click Fabric >> Access Policies.
2. In the Navigation pane, expand Policies >> Interface >> Port Security.
3. Right-click "Port Security" and click "Create Port Security Policy".
4. In the Create Port Security Policy dialog box:
   - In the Port Security Timeout field, enter "600" as the time to wait before re-enabling MAC learning on an interface.
   - In the Maximum Endpoints field, enter "1" as the maximum number of endpoints that can be learned on an interface.
   - In the Violation Action field, select "Protect".
5. Click "Submit".

Configure each host-facing interface for the leaf switches:
1. In the Navigation pane, click Fabric >> Inventory >> Topology, and navigate to the desired leaf switch.
2. Choose the appropriate port to configure the interface.
3. From the port security policy drop-down list, choose the desired port security policy to associate.
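The following Python audit is an added example, not part of the STIG or of any Cisco tooling. It checks an exported set of APIC policy objects against the values the 802.1X Port Authentication check (CACI-L2-000001 and CACI-L2-000004) and the port security check (CACI-L2-000009) above call for. It assumes the APIC REST export shape (a top-level "imdata" list) and the class and attribute names l2PortSecurityPol (timeout, maximum, violation) and l2PortAuthPol (hostMode, macAuth) as recalled from the APIC object model; verify those names against the class documentation of the fabric release in use before relying on the result.

```python
"""Added example: audit exported APIC policy objects against the STIG values for
802.1X Port Authentication (CACI-L2-000001/000004) and port security (CACI-L2-000009).
Input is the APIC REST export shape: {"imdata": [{"<class>": {"attributes": {...}}}, ...]}.
Class and attribute names are assumptions (recalled from the APIC object model); verify
them against the class documentation of the fabric release in use."""
import json

# Expected values from the STIG check text (API-style spelling; see normalise()).
EXPECTED = {
    "l2PortSecurityPol": {"timeout": "600", "maximum": "1", "violation": "protect"},
    "l2PortAuthPol": {"hostMode": "single-host", "macAuth": "eap-fallback-mab"},
}

# Constructed sample export: one compliant and one non-compliant policy per class.
SAMPLE_EXPORT = json.dumps({"imdata": [
    {"l2PortSecurityPol": {"attributes": {"name": "stig-portsec", "timeout": "600",
                                          "maximum": "1", "violation": "protect"}}},
    {"l2PortSecurityPol": {"attributes": {"name": "lab-portsec", "timeout": "60",
                                          "maximum": "8", "violation": "protect"}}},
    {"l2PortAuthPol": {"attributes": {"name": "stig-dot1x", "hostMode": "single-host",
                                      "macAuth": "eap-fallback-mab"}}},
    {"l2PortAuthPol": {"attributes": {"name": "open-dot1x", "hostMode": "multi-host",
                                      "macAuth": "bypass"}}},
]})


def normalise(value):
    """Make GUI labels ("EAP_FALLBACK_MAB", "Single Host") and API values
    ("eap-fallback-mab", "single-host") compare equal."""
    return value.strip().lower().replace("_", "-").replace(" ", "-")


def load_objects(export_json):
    """Flatten an 'imdata' export into (class_name, attributes) pairs."""
    out = []
    for item in json.loads(export_json).get("imdata", []):
        for cls, body in item.items():
            out.append((cls, body.get("attributes", {})))
    return out


def audit(export_json, expected=EXPECTED):
    """Return findings as (class, policy name, attribute, actual, expected) tuples.
    An empty list means every exported policy of a checked class matches the STIG."""
    findings = []
    for cls, attrs in load_objects(export_json):
        wanted = expected.get(cls)
        if wanted is None:
            continue  # class not covered by these two checks
        name = attrs.get("name", "<unnamed>")
        for attr, want in wanted.items():
            got = attrs.get(attr)
            if got is None or normalise(got) != normalise(want):
                findings.append((cls, name, attr, got, want))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FINDING: %s '%s': %s=%r, STIG expects %r" % finding)
```

The same pattern extends to the First Hop Security and storm-control policies by adding their class names and expected attribute values to EXPECTED.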

The Cisco ACI layer 2 switch must have Storm Control configured on all host-facing switch ports.
CM-6 - Low - CCI-000366 - V-272038 - SV-272038r1064441_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
CACI-L2-000010
Vuln IDs
  • V-272038
Rule IDs
  • SV-272038r1064441_rule
A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.
Checks: C-76088r1063509_chk

Review the switch configuration to verify that storm control is enabled on all host-facing interfaces, as shown in the example below:
APIC1(config-leaf-if)# storm-control unicast level 35 burst-rate 45
APIC1(config-leaf-if)# storm-control broadcast level 36 burst-rate 36
APIC1(config-leaf-if)# storm-control broadcast level 37 burst-rate 38

If storm control is not enabled at a minimum for broadcast traffic, this is a finding.

Fix: F-75995r1064136_fix

Configure storm control for each host-facing interface:
SW1(config)# int range g0/2 - 8
SW1(config-if-range)# storm-control unicast bps 62000000
SW1(config-if-range)# storm-control broadcast level bps 20000000

Command syntax:
storm-control [unicast|multicast|broadcast] level <percentage> [burst-rate <percentage>]
storm-control [unicast|multicast|broadcast] pps <packet-per-second> [burst-rate <packet-per-second>]

Example:
APIC1(config)# leaf 102
APIC1(config-leaf)# interface ethernet 1/19
APIC1(config-leaf-if)# storm-control unicast level 35 burst-rate 45
APIC1(config-leaf-if)# storm-control broadcast level 36 burst-rate 36
APIC1(config-leaf-if)# storm-control broadcast level 37 burst-rate 38
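The following Python audit is an added example, not part of the STIG or of any Cisco tooling. It parses the "leaf N / interface ethernet X / storm-control ..." lines in the form the APIC CLI example above uses, covering both the level and pps syntaxes listed, and reports each host-facing interface that lacks broadcast storm control, the minimum the check requires. The configuration text and the list of host-facing interfaces are constructed for the demonstration.

```python
"""Added example: audit host-facing leaf interfaces for storm control (CACI-L2-000010).
Parses the APIC NX-OS-style 'leaf N / interface ethernet X / storm-control ...' lines in
the form the STIG example uses and reports each listed host-facing interface that lacks
broadcast storm control, the STIG's minimum. The configuration text is constructed."""
import re

SAMPLE_CONFIG = """\
leaf 101
  interface ethernet 1/1
    storm-control unicast level 35 burst-rate 45
    storm-control broadcast level 36 burst-rate 36
    storm-control multicast level 37 burst-rate 38
  interface ethernet 1/2
    storm-control unicast level 35 burst-rate 45
  interface ethernet 1/3
    description constructed host port with no storm control
leaf 102
  interface ethernet 1/19
    storm-control broadcast pps 20000 burst-rate 25000
"""

# Host-facing ports the auditor is responsible for (constructed list; in practice
# derived from the leaf interface profiles / access port selectors).
HOST_FACING = ["leaf 101/ethernet 1/1", "leaf 101/ethernet 1/2",
               "leaf 101/ethernet 1/3", "leaf 102/ethernet 1/19"]

LEAF_RE = re.compile(r"^leaf\s+(\d+)\s*$")
IF_RE = re.compile(r"^interface\s+(\S+\s+\S+)\s*$")
# Both forms the STIG lists: level <percentage> and pps <packets>, optional burst-rate.
STORM_RE = re.compile(r"^storm-control\s+(unicast|multicast|broadcast)\s+"
                      r"(level|pps)\s+(\d+)(?:\s+burst-rate\s+(\d+))?\s*$")


def parse_storm_control(config_text):
    """Map 'leaf N/interface' -> {traffic type: (mode, threshold, burst or None)}."""
    result, leaf, intf = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = LEAF_RE.match(line)
        if m:
            leaf, intf = m.group(1), None
            continue
        m = IF_RE.match(line)
        if m and leaf is not None:
            intf = "leaf %s/%s" % (leaf, m.group(1))
            result.setdefault(intf, {})
            continue
        m = STORM_RE.match(line)
        if m and intf is not None:
            ttype, mode, threshold, burst = m.groups()
            result[intf][ttype] = (mode, int(threshold), int(burst) if burst else None)
    return result


def audit_storm_control(config_text, host_facing=HOST_FACING):
    """Return (interface, configured traffic types) for every host-facing interface
    with no broadcast storm control; an interface absent from the config counts too."""
    parsed = parse_storm_control(config_text)
    findings = []
    for intf in host_facing:
        types = parsed.get(intf, {})
        if "broadcast" not in types:
            findings.append((intf, sorted(types)))
    return findings


if __name__ == "__main__":
    for intf, types in audit_storm_control(SAMPLE_CONFIG):
        print("FINDING: %s has storm control for %s, broadcast missing"
              % (intf, ", ".join(types) or "no traffic type"))
```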

The Cisco ACI layer 2 switch must have Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping configured on all VLANs.
CM-6 - Low - CCI-000366 - V-272039 - SV-272039r1064442_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
CACI-L2-000011
Vuln IDs
  • V-272039
Rule IDs
  • SV-272039r1064442_rule
IGMP and MLD snooping provide a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within a VLAN, the snooping application can set up layer 2 multicast forwarding tables to deliver specific multicast traffic only to interfaces connected to hosts interested in receiving the traffic, thereby significantly reducing the volume of multicast traffic that would otherwise flood the VLAN.
Checks: C-76089r1064138_chk

Verify the switch configuration enables IGMP or MLD snooping for IPv4 and IPv6 multicast traffic. Below is an example of the steps to verify that IGMP snooping is enabled for each VLAN:

apic1(config-tenant-template-ip-igmp-snooping)# show run all

If the switch is not configured to implement IGMP or MLD snooping for each VLAN, this is a finding.

Fix: F-75996r1063513_fix

Configure IGMP or MLD snooping globally for IPv4 and IPv6 multicast traffic, respectively. Example:

apic1(config-tenant)# template ip igmp snooping policy <policy name>
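The snooping behaviour this rule's discussion describes (membership reports building a layer 2 forwarding table so that group traffic reaches only the interested ports, instead of flooding the VLAN) can be seen in a small simulation. The following is an added example and is not Cisco ACI code or part of the STIG; the port names and group addresses are constructed sample values.

```python
"""IGMP-snooping simulation: build a layer 2 multicast forwarding table from
membership reports and compare per-frame delivery with and without snooping.
Added illustration, not Cisco ACI code; port names and groups are constructed."""
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """A single-VLAN switch that learns which ports want which groups."""
    ports: frozenset                         # all host-facing ports in the VLAN
    mrouter_ports: frozenset = frozenset()   # ports toward multicast routers
    # group address -> set of ports that sent a membership report for it
    table: dict = field(default_factory=dict)

    def report(self, port, group):
        """IGMP Membership Report (join) seen on `port` for `group`."""
        self.table.setdefault(group, set()).add(port)

    def leave(self, port, group):
        """IGMP Leave seen on `port`; drop the port, and the group once empty."""
        members = self.table.get(group)
        if members is None:
            return
        members.discard(port)
        if not members:
            del self.table[group]

    def forward(self, ingress, group, snooping=True):
        """Ports that receive a multicast frame for `group` arriving on `ingress`."""
        if not snooping:
            # Without snooping, multicast is flooded to every port in the VLAN.
            return set(self.ports | self.mrouter_ports) - {ingress}
        members = self.table.get(group, set())
        # Always deliver toward multicast routers so receivers beyond this
        # switch still get the stream. How a real switch treats a group with
        # no reports is configurable; this model sends it to router ports only.
        return (members | self.mrouter_ports) - {ingress}


def demo():
    """Constructed scenario: four host ports, one router-facing port."""
    sw = SnoopingSwitch(ports=frozenset({"eth1/1", "eth1/2", "eth1/3", "eth1/4"}),
                        mrouter_ports=frozenset({"eth1/48"}))
    sw.report("eth1/2", "239.1.1.10")
    sw.report("eth1/3", "239.1.1.10")
    sw.report("eth1/4", "239.2.2.20")
    flooded = sw.forward("eth1/1", "239.1.1.10", snooping=False)
    constrained = sw.forward("eth1/1", "239.1.1.10")
    sw.leave("eth1/3", "239.1.1.10")
    after_leave = sw.forward("eth1/1", "239.1.1.10")
    unknown = sw.forward("eth1/1", "239.9.9.9")   # nobody reported this group
    return flooded, constrained, after_leave, unknown


if __name__ == "__main__":
    for label, ports in zip(("flooded", "snooped", "after leave", "unknown group"), demo()):
        print(f"{label:14s}: {sorted(ports)}")
```

The difference between the first two results is the whole point of the rule: with snooping off, a stream for 239.1.1.10 is delivered to every port in the VLAN, including eth1/4, which only asked for a different group.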

The Cisco ACI layer 2 switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
CM-6 - Medium - CCI-000366 - V-272040 - SV-272040r1064443_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CACI-L2-000012
Vuln IDs
  • V-272040
Rule IDs
  • SV-272040r1064443_rule
In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mismatched set of transmit/receive pairs. When such a physical misconfiguration occurs, protocols such as STP can cause network instability. UDLD is a layer 2 protocol that can detect these physical misconfigurations by verifying that traffic is flowing bidirectionally between neighbors. Ports with UDLD enabled periodically transmit packets to neighbor devices. If the packets are not echoed back within a specific time frame, the link is flagged as unidirectional and the interface is shut down.
Checks: C-76090r1064140_chk

If any of the switch ports have fiber optic interconnections with neighbors, review the switch configuration to verify that UDLD is either enabled globally or not explicitly disabled on a per-interface basis, as shown in the example below:

show udld <interface>

If the switch has fiber optic interconnections with neighbors and UDLD is not enabled, this is a finding.

Fix: F-75997r1064141_fix

Configure the switch to enable UDLD to protect against one-way connections:

APIC1(config)# udld enable

The Cisco ACI layer 2 switch must have all trunk links enabled statically.
CM-6 - Medium - CCI-000366 - V-272041 - SV-272041r1064444_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CACI-L2-000013
Vuln IDs
  • V-272041
Rule IDs
  • SV-272041r1064444_rule
When trunk negotiation is enabled via Dynamic Trunk Protocol (DTP), considerable time can be spent negotiating trunk settings (802.1q or ISL) when a node or interface is restored. While this negotiation is happening, traffic is dropped because the link is up from a layer 2 perspective. Packet loss can be eliminated by setting the interface statically to trunk mode, thereby avoiding dynamic trunk protocol negotiation and significantly reducing any outage when restoring a failed link or switch.
Checks: C-76091r1063518_chk

Review the switch configuration and examine all switchports configured for trunk. Display information for all Ethernet interfaces, including access and trunk interfaces. Each switchport configured for trunk mode must have a specific VLAN assigned. Example:

[apic1] configure terminal
[apic1(config)#] show interface switchport

If switchports are configured as a trunk but do not have a specific VLAN assigned, this is a finding.

Fix: F-75998r1064143_fix

An EPG can be created on a specific node or a specific port on a node. The following is an example of deploying EPG trunks on a specific port. The vlan-domain and vlan-domain member commands in the example are a prerequisite for deploying an EPG on a port.

Associate the EPG with a specific port:

apic1(config)# leaf 1017
apic1(config-leaf)# interface ethernet 1/13
apic1(config-leaf-if)# vlan-domain member dom1
apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1

The Cisco ACI layer 2 switch must have all disabled switch ports assigned to an unused VLAN.
CM-6 - Medium - CCI-000366 - V-272042 - SV-272042r1064445_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CACI-L2-000014
Vuln IDs
  • V-272042
Rule IDs
  • SV-272042r1064445_rule
It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.
Checks: C-76092r1063521_chk

If the switchport is configured for 802.1X, this is not applicable.

Review the switch configuration for the VLAN designated as the inactive VLAN. Each access switch port identified as not in use should have membership in the inactive VLAN. Verify traffic from the inactive VLAN is not allowed on any trunk links.

[APIC1(config-if)] # show vlan id 999

If there are any access switch ports not in use and not in an inactive VLAN, this is a finding.

Fix: F-75999r1064145_fix

Identify ports that are unused. Assign all switch ports not in use to an inactive VLAN.

[APIC1] # configure terminal
[APIC1(config)] # interface Ethernet 1/1/1
[APIC1(config-if)] # switchport access vlan 999

The Cisco ACI layer 2 switch must have all user-facing or untrusted ports configured as access switch ports.
CM-6 - Medium - CCI-000366 - V-272043 - SV-272043r1064446_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CACI-L2-000015
Vuln IDs
  • V-272043
Rule IDs
  • SV-272043r1064446_rule
Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. Knowing the victim's MAC address, and with the victim attached to a different switch belonging to the same trunk group, thereby requiring the trunk link and frame tagging, the malicious user can begin the attack by sending frames with two sets of tags. The outer tag that will have the attacker's VLAN ID (probably the well-known and omnipresent default VLAN) is stripped off by the switch, and the inner tag that will have the victim's VLAN ID is used by the switch as the next hop and sent out the trunk port.
Checks: C-76093r1063524_chk

Review the switch configuration and examine all user-facing or untrusted switchports. Display information for all Ethernet interfaces, including access and trunk interfaces. Example:

[apic1] configure terminal
[apic1(config)#] show interface switchport

If any of the user-facing switch ports are configured as a trunk, this is a finding.

Fix: F-76000r1063525_fix

Disable trunking on all user-facing or untrusted switch ports. On a Cisco APIC, use the "switchport mode access" command on each relevant interface within the APIC configuration; this sets the port to access mode, which carries traffic for a single VLAN only and prevents trunking. First identify which physical ports are considered "user-facing" or "untrusted", as those are the ports that must be configured as access ports.

[apic1] configure terminal
[apic1(config)#] interface <interface name>
[apic1(config-if)#] switchport mode access
[apic1(config-if)#] switchport access vlan <vlan-id>

Alternatively, to prevent any accidental trunking negotiation, use the "switchport nonegotiate" command on the interface.

The Cisco ACI layer 2 switch, for all 802.1q trunk links, must have the native VLAN assigned to an ID other than the default VLAN.
CM-6 - Medium - CCI-000366 - V-272044 - SV-272044r1064447_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CACI-L2-000016
Vuln IDs
  • V-272044
Rule IDs
  • SV-272044r1064447_rule
VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch that the victim is connected to. If the attacker knows the victim's MAC address, it can forge a frame with two 802.1q tags and a layer 2 header with the destination address of the victim. Since the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to the victim's switch will simply remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame on to the trunk link unaware of the inner tag with a VLAN ID of which the victim's switch port is a member.
Checks: C-76094r1063527_chk

Review the switch configurations and examine all trunk links. Verify the native VLAN has been configured to a VLAN ID other than the ID of the default VLAN (i.e., VLAN 1) as shown in the example below:

[apic1(config)#] show vlan dot1q tag native

or

[apic1(config)#] show interface

If the native VLAN has the same VLAN ID as the default VLAN, this is a finding.

Fix: F-76001r1063528_fix

To ensure the integrity of the trunk link and prevent unauthorized access, the ID of the native VLAN of the trunk port must be changed from the default VLAN (i.e., VLAN 1) to its own unique VLAN ID.

[apic1] configure terminal
[apic1(config)#] interface <interface name>
[apic1(config-if)#] vlan dot1q tag native

or

[apic1] configure terminal
[apic1(config)#] interface <interface name>
[apic1(config-if)#] switchport trunk native vlan <vlan-id>

Note: An alternative to configuring a dedicated native VLAN is to ensure all native VLAN traffic is tagged. This will mitigate the risk of VLAN hopping because there will always be an outer tag for native traffic as it traverses an 802.1q trunk link.

Note: The native VLAN ID must be the same on both ends of the trunk link; otherwise, traffic could accidentally leak between broadcast domains.
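The checks in this rule and in the three preceding ones (storm control on host-facing ports, V-272038; disabled ports parked in an inactive VLAN, V-272042; user-facing ports in access mode, V-272043; a non-default or tagged native VLAN on trunks, V-272044) are all questions asked of the same leaf running-config, so one script can audit them together. This is an added example, not Cisco or DISA tooling: the configuration text is constructed from the commands quoted in the rules, the inactive VLAN 999 follows the fix text above, and reading a port's role from its description field is an assumed site convention.

```python
"""Audit a leaf running-config against four of the rules above: storm control
on host-facing ports (V-272038), disabled ports in the inactive VLAN
(V-272042), user-facing ports in access mode (V-272043) and a non-default
native VLAN on trunks (V-272044). Added example, not Cisco or DISA tooling.
The config text is constructed from the commands the rules quote; reading
the port role from the description field is an assumed site convention."""
import re

INACTIVE_VLAN = 999   # assumed site choice for the inactive VLAN
DEFAULT_VLAN = 1      # VLAN 1, the default native VLAN on an 802.1q trunk

# Constructed sample output, in the style of the commands quoted in the rules.
SAMPLE_CONFIG = """\
leaf 101
  interface ethernet 1/1
    description host-facing
    switchport mode access
    switchport access vlan 10
    storm-control unicast level 35 burst-rate 45
    storm-control broadcast level 36 burst-rate 36
  interface ethernet 1/2
    description host-facing
    switchport mode access
    switchport access vlan 10
  interface ethernet 1/3
    description host-facing
    switchport mode trunk
    switchport trunk native vlan 1
    storm-control broadcast level 36 burst-rate 36
  interface ethernet 1/4
    description unused
    shutdown
    switchport access vlan 10
  interface ethernet 1/5
    description unused
    shutdown
    switchport access vlan 999
  interface ethernet 1/49
    description uplink
    switchport mode trunk
    switchport trunk native vlan 900
"""


def parse_interfaces(config):
    """Map each 'interface ethernet x/y' stanza to its (stripped) config lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface (ethernet \S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def _vlan_after(lines, prefix, default):
    """VLAN ID that follows `prefix` on a config line, or `default` if absent."""
    for line in lines:
        if line.startswith(prefix):
            return int(line[len(prefix):].split()[0])
    return default


def audit(config, inactive_vlan=INACTIVE_VLAN):
    """Return sorted (vuln_id, interface) findings for the config text."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        desc = next((l.split(" ", 1)[1] for l in lines if l.startswith("description ")), "")
        host_facing = "host-facing" in desc
        is_trunk = "switchport mode trunk" in lines
        is_shut = "shutdown" in lines
        tags_native = "vlan dot1q tag native" in lines
        # An absent native-VLAN line means the trunk uses the default, VLAN 1.
        native = _vlan_after(lines, "switchport trunk native vlan ", DEFAULT_VLAN)
        access = _vlan_after(lines, "switchport access vlan ", None)
        has_bcast_storm = any(l.startswith("storm-control broadcast") for l in lines)

        if host_facing and not is_shut and not has_bcast_storm:
            findings.append(("V-272038", name))      # no broadcast storm control
        if is_shut and access != inactive_vlan:
            findings.append(("V-272042", name))      # disabled port not parked
        if host_facing and is_trunk:
            findings.append(("V-272043", name))      # user-facing port trunks
        if is_trunk and native == DEFAULT_VLAN and not tags_native:
            findings.append(("V-272044", name))      # native VLAN left at 1
    return sorted(findings)


if __name__ == "__main__":
    for vuln, iface in audit(SAMPLE_CONFIG):
        print(f"{vuln}: {iface}")
```

On the constructed config the script flags ethernet 1/2 (no broadcast storm control), ethernet 1/3 (a host-facing trunk whose native VLAN is still 1) and ethernet 1/4 (shut down but left in a user VLAN); adding "vlan dot1q tag native" to ethernet 1/3 clears the V-272044 finding, matching the first note in the fix above.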

The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks.
- Medium - CCI-004866 - V-272045 - SV-272045r1064448_rule
RMF Control
Severity
Medium
CCI
CCI-004866
Version
CACI-L2-000017
Vuln IDs
  • V-272045
Rule IDs
  • SV-272045r1064448_rule
DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of DoS events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of DoS attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to DoS events. FHS features provide better IPv4 and IPv6 link security and management over layer 2 links. In a service provider environment, these features closely control address assignment and the operations derived from it.
Checks: C-76095r1064149_chk

Verify the FHS policy is configured. Note: This is an example. The exact configuration may vary with the site's architecture.

leaf4# show fhs bt all

If an FHS policy is not configured, this is a finding.

Fix: F-76002r1064150_fix

Configure the FHS policy. Note: This is an example. The exact configuration may vary with the site's architecture.

Example:

apic1(config)# tenant <tenant name>
apic1(config-tenant)# first-hop-security
apic1(config-tenant-fhs)# security-policy secpol1
apic1(config-tenant-fhs-secpol)# ip-inspection-admin-status enabled-both
apic1(config-tenant-fhs-secpol)# source-guard-admin-status enabled-both
apic1(config-tenant-fhs-secpol)# router-advertisement-guard-admin-status enabled
apic1(config-tenant-fhs-secpol)# router-advertisement-guard
apic1(config-tenant-fhs-raguard)# managed-config-check
apic1(config-tenant-fhs-raguard)# managed-config-flag
apic1(config-tenant-fhs-raguard)# other-config-check
apic1(config-tenant-fhs-raguard)# other-config-flag
apic1(config-tenant-fhs-raguard)# maximum-router-preference low
apic1(config-tenant-fhs-raguard)# minimum-hop-limit 10
apic1(config-tenant-fhs-raguard)# maximum-hop-limit 100
apic1(config-tenant-fhs-raguard)# exit
apic1(config-tenant-fhs-secpol)# exit
apic1(config-tenant-fhs)# trust-control tcpol1
apic1(config-tenant-fhs-trustctrl)# arp
apic1(config-tenant-fhs-trustctrl)# dhcpv4-server
apic1(config-tenant-fhs-trustctrl)# dhcpv6-server
apic1(config-tenant-fhs-trustctrl)# ipv6-router
apic1(config-tenant-fhs-trustctrl)# router-advertisement
apic1(config-tenant-fhs-trustctrl)# neighbor-discovery
apic1(config-tenant-fhs-trustctrl)# exit
apic1(config-tenant-fhs)# exit
apic1(config-tenant)# bridge-domain bd1
apic1(config-tenant-bd)# first-hop-security security-policy secpol1
apic1(config-tenant-bd)# exit
apic1(config-tenant)# application ap1
apic1(config-tenant-app)# epg epg1
apic1(config-tenant-app-epg)# first-hop-security trust-control tcpol1

The Cisco ACI layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
- Medium - CCI-004891 - V-272046 - SV-272046r1064449_rule
RMF Control
Severity
Medium
CCI
CCI-004891
Version
CACI-L2-000018
Vuln IDs
  • V-272046
Rule IDs
  • SV-272046r1064449_rule
Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.

Cisco ACI provides numerous features to cover different use cases to restrict traffic between EPGs to help organizations in the segmentation and micro-segmentation journey. This includes features such as:
- Inter-VRF and Intra-VRF Contracts.
- Policy-based Redirection and layer 4 to layer 7 Services Insertion.
- Intra-EPG Isolation and Intra-EPG Contracts.
- vzAny Contracts.
- Endpoint Security Groups (ESG).

Organizations must make use of one or more of these Cisco ACI contracts and segmentation capabilities to provide segmentation within the data center for east-west traffic flows, as well as for north-south traffic flows, combined in this former case with other security devices or solutions to implement a defense-in-depth strategy.
Checks: C-76096r1064152_chk

Verify that one or more Cisco ACI contracts and/or segmentation capabilities are used to provide segmentation within the data center for east-west and north-south traffic flows, combined in this former case with other security devices or solutions to implement a defense-in-depth strategy.

The following is an example of deploying an EPG through an interface policy group to multiple interfaces to provide separation and isolation of traffic. Associate the target EPG with the interface policy group. The sample command sequence specifies an interface policy group pg3 associated with VLAN domain domain1 and with VLAN 1261. The application EPG epg47 is deployed to all interfaces associated with this policy group.

Check the target ports to verify deployment of the policies of the interface policy group associated with the application EPG. The output of the sample show command sequence indicates that policy group pg3 is deployed on Ethernet port 1/20 on leaf switch 1017.

apic1# show run leaf 1017 int eth 1/20
# Command: show running-config leaf 1017 int eth 1/20
# Time: Mon Jun 27 22:12:10 2016
  leaf 1017
    interface ethernet 1/20
      policy-group pg3

If physical or logical separation of subnetworks to isolate organization-defined critical system components and functions has not been implemented, this is a finding.

Fix: F-76003r1063920_fix

Configure one or more Cisco ACI contracts and/or segmentation capabilities to provide segmentation within the data center for east-west and north-south traffic flows, combined in this former case with other security devices or solutions to implement a defense-in-depth strategy. The following is an example of deploying an EPG through an interface policy group to multiple interfaces in order to provide separation and isolation of traffic.

Before beginning, ensure the following:
- The target application EPG is created.
- The VLAN pools have been created containing the range of VLANs to use for EPG deployment on the AEP.
- The physical domain has been created and linked to the VLAN pool and AEP.
- The target attached entity profile (AEP) is created and associated with the ports on which the application EPG will be deployed.

1. Associate the target EPG with the interface policy group. The sample command sequence specifies an interface policy group pg3 associated with VLAN domain domain1 and with VLAN 1261. The application EPG epg47 is deployed to all interfaces associated with this policy group.

apic1# configure terminal
apic1(config)# template policy-group pg3
apic1(config-pol-grp-if)# vlan-domain member domain1
apic1(config-pol-grp-if)# switchport trunk allowed vlan 1261 tenant tn10 application pod1-AP epg epg47

2. Check the target ports to ensure deployment of the policies of the interface policy group associated with the application EPG. The output of the sample show command sequence indicates that policy group pg3 is deployed on Ethernet port 1/20 on leaf switch 1017.

apic1# show run leaf 1017 int eth 1/20
# Command: show running-config leaf 1017 int eth 1/20
# Time: Mon Jun 27 22:12:10 2016
  leaf 1017
    interface ethernet 1/20
      policy-group pg3
      exit
    exit
ifav28-ifc1#
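The segmentation features listed in this rule's discussion all build on one idea: ACI is a whitelist model in which traffic between EPGs is dropped unless a contract a consumer EPG consumes and a provider EPG provides permits it. The small policy evaluator below models three of the listed capabilities, EPG-to-EPG contracts, vzAny as a VRF-wide consumer, and intra-EPG isolation, so the deny-by-default behaviour can be exercised on sample flows. It is an added example and not APIC code; the EPG, contract and filter names are constructed, and only the consumer-to-provider direction is evaluated (return traffic, which ACI handles through the contract's reverse-filter behaviour, is not modelled).

```python
"""Whitelist evaluator modelling ACI segmentation: EPG contracts
(consumer/provider), vzAny as a VRF-wide consumer and intra-EPG isolation.
Added illustration of the policy model, not APIC code; all names are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """One filter entry of a contract subject."""
    proto: str                  # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto, dport):
        return (self.proto == "any" or self.proto == proto) and \
               (self.dport is None or self.dport == dport)


@dataclass
class Contract:
    name: str
    filters: tuple                                 # permitted (proto, dport) entries
    providers: set = field(default_factory=set)    # EPG names providing the contract
    consumers: set = field(default_factory=set)    # EPG names, or "vzAny", consuming it


@dataclass
class Vrf:
    epgs: dict = field(default_factory=dict)       # EPG name -> intra-EPG isolation on?
    contracts: list = field(default_factory=list)

    def add_epg(self, name, isolated=False):
        self.epgs[name] = isolated

    def permitted(self, src, dst, proto, dport):
        """Consumer (src) to provider (dst) direction only."""
        if src == dst:
            # Endpoints in one EPG may talk freely unless isolation is enforced.
            return not self.epgs[src]
        for c in self.contracts:
            consumes = src in c.consumers or "vzAny" in c.consumers
            provides = dst in c.providers
            if consumes and provides and any(f.matches(proto, dport) for f in c.filters):
                return True
        return False   # no matching contract: implicit deny (whitelist model)


def demo():
    """Constructed three-tier application plus a shared management EPG."""
    vrf = Vrf()
    vrf.add_epg("web")
    vrf.add_epg("app")
    vrf.add_epg("db", isolated=True)   # database servers may not talk to each other
    vrf.add_epg("mgmt")
    vrf.contracts.append(Contract("web-to-app", (Filter("tcp", 8443),),
                                  providers={"app"}, consumers={"web"}))
    vrf.contracts.append(Contract("app-to-db", (Filter("tcp", 5432),),
                                  providers={"db"}, consumers={"app"}))
    # vzAny lets every EPG in the VRF reach the shared management service.
    vrf.contracts.append(Contract("mgmt-ssh", (Filter("tcp", 22),),
                                  providers={"mgmt"}, consumers={"vzAny"}))
    return {
        "web->app:8443": vrf.permitted("web", "app", "tcp", 8443),
        "web->db:5432": vrf.permitted("web", "db", "tcp", 5432),
        "app->db:5432": vrf.permitted("app", "db", "tcp", 5432),
        "app->db:22": vrf.permitted("app", "db", "tcp", 22),
        "db->db:5432": vrf.permitted("db", "db", "tcp", 5432),
        "web->web:80": vrf.permitted("web", "web", "tcp", 80),
        "db->mgmt:22": vrf.permitted("db", "mgmt", "tcp", 22),
    }


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:16s} {'permit' if allowed else 'deny'}")
```

Two results are worth noting when reading the output: the web tier cannot reach the database directly even though both sit in the same VRF, because no contract joins them, and an isolated EPG still provides contracts to other EPGs (app reaches db on 5432) while its own members are kept apart from each other.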

The Cisco ACI layer 2 switch must establish organization-defined alternate communication paths for system operations organizational command and control.
- Medium - CCI-004931 - V-272047 - SV-272047r1064450_rule
RMF Control
Severity
Medium
CCI
CCI-004931
Version
CACI-L2-000019
Vuln IDs
  • V-272047
Rule IDs
  • SV-272047r1064450_rule
An incident, whether adversarial- or nonadversarial-based, can disrupt established communication paths used for system operations and organizational command and control. Alternate communication paths reduce the risk of all communication paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communication path incident, can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communication paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization's ability to continue to operate and take appropriate actions during an incident. To establish alternate communication paths for system operations and organizational command and control within a Cisco ACI cluster using the CLI, configure a multi-pod ACI architecture with separate APIC clusters, ensuring redundancy across pods by using external IP-routed networks (Inter-Pod Network) to maintain connectivity even if one pod experiences a failure. This effectively creates diverse communication pathways for management and control functions.
Checks: C-76097r1064154_chk

If the connection type is remotely attached through a layer 3 network, this is not applicable.

Verify the cluster status:

apic1# cluster_health

If the status of the clustered nodes is not "OK", this is a finding.

Fix: F-76004r1064155_fix

Configure a multi-pod ACI architecture with separate APIC clusters, with redundancy across pods using external IP-routed networks (Inter-Pod Network) to connect them, allowing management access even if one pod experiences a failure. Deploy at least two separate APIC clusters (pods).

apic1# conf t
apic1(config)# pod <pod_name>
apic1(config)# ip address <management_ip> <subnet_mask>
apic1(config)# ip route <destination_network> <next_hop_ip>