Cisco ACI Layer 2 Switch Security Technical Implementation Guide - V1R2

  • Version/Release: V1R2
  • Published: 2025-12-11
  • Released: 2026-01-05

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The Cisco ACI layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.
IA-3 - High - CCI-000778 - V-272029 - SV-272029r1168259_rule
RMF Control
IA-3
Severity
High
CCI
CCI-000778
Version
CACI-L2-000001
Vuln IDs
  • V-272029
Rule IDs
  • SV-272029r1168259_rule
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection. In ACI, VLANs are used for traffic segmentation and identification, but their primary function is for identifying traffic, not directly configuring the leaf switch ports.
Checks: C-76079r1168257_chk

Verify the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant.

1. Navigate to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.
2. Select the port profile that is used for host-facing access ports.
3. Within the port profile configuration, locate the 802.1x settings and verify 802.1x and MAB are enabled.
4. Navigate to the Endpoints section.
5. Choose the leaf nodes that host the host-facing ports and verify the port profile is applied.

Verify the policy group is assigned to an interface: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}.

If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.

Fix: F-75986r1168258_fix

Enable 802.1X authentication on host-facing access ports in Cisco APIC and, to accommodate devices lacking 802.1X support, configure MAB (MAC Authentication Bypass). The following is an example.

1. Navigate to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.
2. Select the port profile that is used for host-facing access ports.
3. Within the port profile configuration, locate the 802.1x settings and enable it.
4. Specify the 802.1x authentication parameters.
5. Enable MAB and specify the MAC address range and relevant settings.
6. For Host Mode, select "Single Host".
7. The MAC Auth should be EAP_FALLBACK_MAB.
8. In the Failed-auth VLAN field, select the VLAN to deploy to if authentication failed.
9. In the Failed-auth EPG field, choose the tenant, application profile, or EPG to deploy to if authentication failed.
10. Go to the Endpoints section.
11. Choose the leaf nodes that host the host-facing ports.
12. Apply the configured port profile to the host-facing ports.

Apply the policy group to an interface: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}.

The Cisco ACI layer 2 switch must authenticate all network-connected endpoint devices before establishing any connection.
IA-3 - Medium - CCI-001958 - V-272032 - SV-272032r1168262_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
CACI-L2-000004
Vuln IDs
  • V-272032
Rule IDs
  • SV-272032r1168262_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures [SOA]), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers [outside a datacenter], VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.
Checks: C-76082r1168260_chk

Verify the switch authenticates all network-connected endpoint devices before establishing any connection.

1. On the menu bar, click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.
2. Validate the policy group is assigned to an interface: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}.

If the Cisco ACI layer 2 switch does not authenticate all network-connected endpoint devices before establishing any connection, this is a finding.

Fix: F-75989r1168261_fix

Create an authentication policy and associate it with a policy group.

1. On the menu bar, click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.
2. Validate the policy group is assigned to an interface: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}.

The Cisco ACI layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) set to "Hardware Proxy".
SC-5 - Medium - CCI-002385 - V-272033 - SV-272033r1168251_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CACI-L2-000005
Vuln IDs
  • V-272033
Rule IDs
  • SV-272033r1168251_rule
Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific interfaces based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards it to the access layer switch and there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the frame will be sent to all forwarding interfaces within the respective VLAN, which causes flooding. Large amounts of flooded traffic can saturate low-bandwidth links, causing network performance issues or complete connectivity outage to the connected devices. Unknown unicast flooding has been a nagging problem in networks that have asymmetric routing and default timers. To mitigate the risk of a connectivity outage, the unknown unicast traffic must not be flooded to all access interfaces.
Checks: C-76083r1168250_chk

Verify each Bridge Domain used is configured to block unknown unicast traffic.

1. Navigate to Tenant >> Networking >> Bridge Domains >> Policy >> General and inspect each Tenant's Bridge Domain configuration.
2. Expand Networking and right-click each Bridge Domain.
  • Verify the L2 Unknown Unicast box is set to "Hardware Proxy".

If any user-facing or untrusted access switch ports do not have UUFB set to "Hardware Proxy", this is a finding.

Fix: F-75990r1114237_fix

Configure each Bridge Domain to handle unknown unicast flood blocking.

1. Navigate to Tenant >> Networking >> Bridge Domains >> Policy >> General.
2. Expand Networking and right-click "Create Bridge Domain" to open the dialog box and fill out the form.
  • In the L2 Unknown Unicast box, select "Hardware Proxy".
3. Click "NEXT".
4. Complete the Bridge Domain configuration and click "Finish".
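The GUI check above can be automated against the APIC object model, where the "L2 Unknown Unicast" setting of a bridge domain is the fvBD attribute unkMacUcastAct ("proxy" for Hardware Proxy, "flood" for Flood). The following is an added example, not part of this STIG or of Cisco's tooling: it evaluates a constructed sample of the JSON that an APIC class query for fvBD returns and lists every bridge domain that would be a finding under CACI-L2-000005.

```python
import json

# Constructed sample in the shape of the APIC response to
# GET /api/node/class/fvBD.json (tenant and BD names are made up).
SAMPLE_FVBD_JSON = """
{"totalCount": "3", "imdata": [
  {"fvBD": {"attributes": {"dn": "uni/tn-prod/BD-web", "name": "web",
            "unkMacUcastAct": "proxy", "arpFlood": "no"}}},
  {"fvBD": {"attributes": {"dn": "uni/tn-prod/BD-legacy", "name": "legacy",
            "unkMacUcastAct": "flood", "arpFlood": "yes"}}},
  {"fvBD": {"attributes": {"dn": "uni/tn-common/BD-default", "name": "default",
            "unkMacUcastAct": "proxy", "arpFlood": "no"}}}
]}
"""


def bridge_domains(payload: str):
    """Yield the attribute dict of every fvBD object in an APIC class query."""
    for obj in json.loads(payload)["imdata"]:
        if "fvBD" in obj:
            yield obj["fvBD"]["attributes"]


def uufb_findings(payload: str):
    """Return the DNs of bridge domains whose L2 Unknown Unicast setting is
    anything other than Hardware Proxy (unkMacUcastAct == "proxy").
    A missing attribute is treated as non-compliant rather than ignored."""
    return [bd["dn"] for bd in bridge_domains(payload)
            if bd.get("unkMacUcastAct") != "proxy"]


if __name__ == "__main__":
    for dn in uufb_findings(SAMPLE_FVBD_JSON):
        print(f"FINDING CACI-L2-000005: {dn} floods unknown unicast")
```

On a live fabric the same payload shape is produced by an authenticated GET of the class URL in the comment, or on the APIC shell by moquery -c fvBD -o json; the script treats every bridge domain as in scope, so exclude tenants that are exempt before reporting.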

The Cisco ACI layer 2 switch must enable port security.
SC-5 - Medium - CCI-002385 - V-272037 - SV-272037r1168273_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CACI-L2-000009
Vuln IDs
  • V-272037
Rule IDs
  • SV-272037r1168273_rule
The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. The port security feature support is available for physical ports, port channels, and virtual port channels.
Checks: C-76087r1168056_chk

Review the port security policies for compliance. Navigate to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.

Select each port security policy used and verify the following:
  • Port Security Timeout is set to "600 seconds".
  • Violation Action is set to "Protect mode".
  • Maximum Endpoints is set to "1".

Verify port security is active on all appropriate host-facing interfaces. Verify each leaf has been configured to use a correctly configured port security policy.

If port security is not configured and enabled, this is a finding.

Fix: F-75994r1168272_fix

Create a port security policy. The port security policy can be created new or chosen from the list of available port security policies.

Path to use the Port Security setting: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.

If the policy group is not on the appropriate interface, navigate to the following to add it: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}.

In the Create Port Security Policy dialog box:
1. In the Port Security Timeout field, enter "600" before re-enabling MAC learning on an interface.
2. In the Maximum Endpoints field, enter "1" for the maximum number of endpoints that can be learned on an interface.
3. In the Violation Action field, select "Protect".
4. Click "Submit".
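The three values this rule requires map to the attributes timeout, maximum and violation of the APIC class l2PortSecurityPol, and a leaf access policy group points at a policy through its infraRsL2PortSecurityPol child relation (an empty relation name resolves to the "default" policy, whose maximum of 0 leaves port security off). The example below is added here and is not part of the STIG or of Cisco software: it takes constructed samples of those two class queries and reports, per policy group, which required value the referenced policy fails to meet, so a reviewer sees the deviation rather than only a pass/fail.

```python
import json

# Constructed sample of GET /api/node/class/l2PortSecurityPol.json
# (policy names and values are made up for this example).
SAMPLE_POLICIES = """
{"totalCount": "3", "imdata": [
  {"l2PortSecurityPol": {"attributes": {"name": "default", "maximum": "0",
      "timeout": "60", "violation": "protect"}}},
  {"l2PortSecurityPol": {"attributes": {"name": "stig-host-port", "maximum": "1",
      "timeout": "600", "violation": "protect"}}},
  {"l2PortSecurityPol": {"attributes": {"name": "lab-loose", "maximum": "5",
      "timeout": "600", "violation": "protect"}}}
]}
"""

# Constructed sample of leaf access policy groups with their port security
# relation, as returned by GET /api/node/class/infraAccPortGrp.json
#   ?rsp-subtree=children&rsp-subtree-class=infraRsL2PortSecurityPol
SAMPLE_POLICY_GROUPS = """
{"totalCount": "3", "imdata": [
  {"infraAccPortGrp": {"attributes": {"name": "host-access"},
     "children": [{"infraRsL2PortSecurityPol": {"attributes":
                   {"tnL2PortSecurityPolName": "stig-host-port"}}}]}},
  {"infraAccPortGrp": {"attributes": {"name": "lab-access"},
     "children": [{"infraRsL2PortSecurityPol": {"attributes":
                   {"tnL2PortSecurityPolName": "lab-loose"}}}]}},
  {"infraAccPortGrp": {"attributes": {"name": "printer-access"},
     "children": [{"infraRsL2PortSecurityPol": {"attributes":
                   {"tnL2PortSecurityPolName": ""}}}]}}
]}
"""

# Values required by CACI-L2-000009; APIC returns every attribute as a string.
REQUIRED = {"timeout": "600", "maximum": "1", "violation": "protect"}


def load_policies(payload: str) -> dict:
    """Map policy name -> attribute dict for every l2PortSecurityPol object."""
    return {o["l2PortSecurityPol"]["attributes"]["name"]:
            o["l2PortSecurityPol"]["attributes"]
            for o in json.loads(payload)["imdata"]}


def policy_deviations(attrs: dict) -> dict:
    """Return {field: (expected, actual)} for each required value not met."""
    return {k: (v, attrs.get(k)) for k, v in REQUIRED.items()
            if attrs.get(k) != v}


def policy_group_findings(groups_payload: str, policies_payload: str) -> dict:
    """Resolve each policy group's port security relation and report the
    groups whose effective policy deviates from the required settings."""
    policies = load_policies(policies_payload)
    findings = {}
    for obj in json.loads(groups_payload)["imdata"]:
        grp = obj["infraAccPortGrp"]
        name = grp["attributes"]["name"]
        ref = ""
        for child in grp.get("children", []):
            rel = child.get("infraRsL2PortSecurityPol")
            if rel:
                ref = rel["attributes"].get("tnL2PortSecurityPolName", "")
        effective = ref or "default"          # empty name -> "default" policy
        deviations = policy_deviations(policies.get(effective, {}))
        if deviations:
            findings[name] = {"policy": effective, "deviations": deviations}
    return findings


if __name__ == "__main__":
    for grp, detail in policy_group_findings(SAMPLE_POLICY_GROUPS,
                                             SAMPLE_POLICIES).items():
        print(f"FINDING CACI-L2-000009: policy group {grp} uses "
              f"{detail['policy']}: {detail['deviations']}")
```

Port channel and vPC policy groups are a separate class (infraAccBndlGrp) with the same relation, so run the same logic over that query as well; a policy that passes here is still only effective on interfaces whose profile actually references the policy group, which this check does not prove.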

The Cisco ACI layer 2 switch must have Storm Control configured on all host-facing switch ports.
CM-6 - Low - CCI-000366 - V-272038 - SV-272038r1168256_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
CACI-L2-000010
Vuln IDs
  • V-272038
Rule IDs
  • SV-272038r1168256_rule
A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.
Checks: C-76088r1168254_chk

Review the switch configuration to verify storm control is enabled on all host-facing interfaces as shown in the example below:

1. To verify Storm Control settings, navigate to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.
2. Review each Storm Control policy.
3. Navigate to the Application Profile containing the EPGs to be protected.
4. Select each EPG, then go to the Policies tab to verify that a storm control policy configured to protect broadcast, at a minimum, has been applied.

If storm control is not enabled for host-facing interfaces for broadcast traffic at a minimum, this is a finding.

Fix: F-75995r1168255_fix

Configure one or more storm control policies for all host-facing interfaces and external interfaces and apply the policy to an ESG. Enable monitoring to track storm control events.

Path to use the storm control setting: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.

If the storm control is not on the appropriate interface, add it by navigating to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}.

Note: The acceptable range is 10000000-1000000000 for a gigabit Ethernet interface, and 100000000-10000000000 for a ten gigabit interface. Storm control is not supported on most FastEthernet interfaces.

The Cisco ACI layer 2 switch must have Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping configured on all VLANs.
CM-6 - Low - CCI-000366 - V-272039 - SV-272039r1168265_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
CACI-L2-000011
Vuln IDs
  • V-272039
Rule IDs
  • SV-272039r1168265_rule
IGMP and MLD snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within a VLAN, the snooping application can set up Layer 2 multicast forwarding tables to deliver specific multicast traffic only to interfaces connected to hosts interested in receiving the traffic, thereby significantly reducing the volume of multicast traffic that would otherwise flood the VLAN.
Checks: C-76089r1168263_chk

Verify the switch configuration enables IGMP and MLD snooping for IPv4 and IPv6 multicast traffic.

To show that the IGMP or MLD policy is assigned to the correct Bridge Domain, navigate to Tenants >> {{Your_Tenant}} >> Networking >> Bridge Domains >> {{your_BridgeDomain}} >> Policy >> General. Select the IGMP Snoop Policy and MLD Snoop Policy.

If the switch is not configured to implement IGMP or MLD snooping for each bridge domain, this is a finding.

Fix: F-75996r1168264_fix

Configure IGMP and MLD snooping globally for IPv4 and IPv6 multicast traffic, respectively.

To show that the IGMP and/or MLD policy is assigned to the correct Bridge Domain, navigate to Tenants >> {{Your_Tenant}} >> Networking >> Bridge Domains >> {{your_BridgeDomain}} >> Policy >> General. Select the IGMP Snoop Policy and MLD Snoop Policy.
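Selecting a snoop policy in the GUI only satisfies this rule if the policy it resolves to is actually enabled: a bridge domain references IGMP and MLD snoop policies by name through its fvRsIgmpsn and fvRsMldsn relations, an empty name means the policy called "default", and the name is looked up in the bridge domain's own tenant before tenant common. The example below is added here and is not part of the STIG or of Cisco software; it performs that resolution over constructed samples of the relevant APIC class queries and reports, per bridge domain, which protocol has no enabled snooping policy. The dn values in the sample data are constructed and only their uni/tn-<tenant>/ prefix is relied on.

```python
import json
import re

# Constructed sample of the snoop policies in the fabric, in the shape of
# GET /api/node/class/igmpSnoopPol.json and .../mldSnoopPol.json merged.
# Snoop policies are tenant objects, so each dn sits under uni/tn-<tenant>/.
SAMPLE_SNOOP_POLICIES = """
{"imdata": [
  {"igmpSnoopPol": {"attributes": {"dn": "uni/tn-common/snPol-default",
                     "name": "default", "adminSt": "enabled"}}},
  {"mldSnoopPol":  {"attributes": {"dn": "uni/tn-common/mldsnoopPol-default",
                     "name": "default", "adminSt": "disabled"}}},
  {"igmpSnoopPol": {"attributes": {"dn": "uni/tn-prod/snPol-igmp-on",
                     "name": "igmp-on", "adminSt": "enabled"}}},
  {"mldSnoopPol":  {"attributes": {"dn": "uni/tn-prod/mldsnoopPol-mld-on",
                     "name": "mld-on", "adminSt": "enabled"}}}
]}
"""

# Constructed sample of GET /api/node/class/fvBD.json
#   ?rsp-subtree=children&rsp-subtree-class=fvRsIgmpsn,fvRsMldsn
SAMPLE_BRIDGE_DOMAINS = """
{"imdata": [
  {"fvBD": {"attributes": {"dn": "uni/tn-prod/BD-web", "name": "web"},
            "children": [
              {"fvRsIgmpsn": {"attributes": {"tnIgmpSnoopPolName": "igmp-on"}}},
              {"fvRsMldsn":  {"attributes": {"tnMldSnoopPolName": "mld-on"}}}]}},
  {"fvBD": {"attributes": {"dn": "uni/tn-prod/BD-legacy", "name": "legacy"},
            "children": [
              {"fvRsIgmpsn": {"attributes": {"tnIgmpSnoopPolName": ""}}},
              {"fvRsMldsn":  {"attributes": {"tnMldSnoopPolName": ""}}}]}}
]}
"""

# protocol -> (relation class on the BD, name attribute, policy class)
RELATIONS = {
    "IGMP": ("fvRsIgmpsn", "tnIgmpSnoopPolName", "igmpSnoopPol"),
    "MLD":  ("fvRsMldsn",  "tnMldSnoopPolName",  "mldSnoopPol"),
}


def tenant_of(dn: str):
    """Extract the tenant name from a dn such as uni/tn-prod/BD-web."""
    m = re.match(r"uni/tn-([^/]+)/", dn)
    return m.group(1) if m else None


def index_policies(payload: str) -> dict:
    """Map (policy class, tenant, name) -> adminSt."""
    idx = {}
    for obj in json.loads(payload)["imdata"]:
        for cls, body in obj.items():
            a = body["attributes"]
            idx[(cls, tenant_of(a["dn"]), a["name"])] = a.get("adminSt", "disabled")
    return idx


def resolve(idx: dict, cls: str, tenant: str, name: str):
    """Resolve a policy reference the way ACI does: an empty name means
    "default"; search the BD's tenant first, then tenant common."""
    name = name or "default"
    for t in (tenant, "common"):
        if (cls, t, name) in idx:
            return idx[(cls, t, name)]
    return None  # dangling reference: treated as not enabled by the caller


def snooping_findings(bd_payload: str, policy_payload: str) -> dict:
    """Return {bd dn: [protocols without an enabled snoop policy]}."""
    idx = index_policies(policy_payload)
    findings = {}
    for obj in json.loads(bd_payload)["imdata"]:
        bd = obj["fvBD"]
        dn = bd["attributes"]["dn"]
        refs = {cls: body["attributes"]
                for child in bd.get("children", []) for cls, body in child.items()}
        missing = [proto for proto, (rel_cls, name_attr, pol_cls) in RELATIONS.items()
                   if resolve(idx, pol_cls, tenant_of(dn),
                              refs.get(rel_cls, {}).get(name_attr, "")) != "enabled"]
        if missing:
            findings[dn] = missing
    return findings


if __name__ == "__main__":
    for dn, protos in snooping_findings(SAMPLE_BRIDGE_DOMAINS,
                                        SAMPLE_SNOOP_POLICIES).items():
        print(f"FINDING CACI-L2-000011: {dn} lacks enabled snooping for {protos}")
```

In the sample the legacy bridge domain passes for IGMP only because the default IGMP policy in tenant common is enabled, while the default MLD policy is disabled; that asymmetry is the usual reason a fabric that looks "configured" in the GUI still fails the IPv6 half of this rule.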

The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks.
- Medium - CCI-004866 - V-272045 - SV-272045r1168271_rule
RMF Control
Severity
Medium
CCI
CCI-004866
Version
CACI-L2-000017
Vuln IDs
  • V-272045
Rule IDs
  • SV-272045r1168271_rule
DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Each Bridge Domain has the option to configure First Hop Security Policies. If nothing is listed on the FHS policy, the Common tenant Default policy should be the enforced settings. FHS features enable better IPv4 and IPv6 link security and management over the layer 2 links. In a service provider environment, these features closely control address assignment and derived operations.

Settings include the following DOD required configurations:
  • Unknown Unicast Flood Blocking (UUFB) enabled.
  • DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources.
  • IP Source Guard enabled on all user-facing or untrusted access switch ports.
  • Dynamic Address Resolution Protocol (ARP) Inspection enabled on all user VLANs.

Satisfies: SRG-NET-000362-L2S-000025, SRG-NET-000362-L2S-000026, SRG-NET-000362-L2S-000027
Checks: C-76095r1168270_chk

Verify the FHS policy is configured.

To validate the BD has FHS configured, navigate to Tenants >> {{Your_Tenant}} >> Networking >> Bridge Domains >> {{your_BridgeDomain_Name}} >> Policy >> Advanced/Troubleshooting. Search for First Hop Security Policy.

To validate the First Hop Security Policy settings, navigate to Tenants >> Policies >> Protocol >> First Hop Security.

If an FHS policy is not configured with all required settings, this is a finding.

Fix: F-76002r1168075_fix

Configure the FHS policy. Navigate to Tenants >> {{Your_Tenant}} >> Networking >> Bridge Domains >> {{your_BridgeDomain_Name}} >> Policy >> Advanced/Troubleshooting and create a First Hop Security Policy.