Check: CACI-L2-000015

Cisco ACI Layer 2 Switch STIG: CACI-L2-000015
(in versions v1 r1 through v1 r0.1)

  Title
The Cisco ACI layer 2 switch must have all user-facing or untrusted ports configured as access switch ports. (Cat II impact)
Discussion
Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. If the attacker knows the victim's MAC address, and the victim is attached to a different switch in the same trunk group (so that traffic between them must cross the trunk link and be tagged), the attacker can begin the attack by sending frames carrying two sets of tags. The switch strips the outer tag, which carries the attacker's VLAN ID (probably the well-known and omnipresent default VLAN), and then uses the inner tag, which carries the victim's VLAN ID, to make its forwarding decision and sends the frame out the trunk port.
Check Content
Review the switch configuration and examine all user-facing or untrusted switch ports. Display information for all Ethernet interfaces, including access and trunk interfaces. Example:

```
[apic1] configure terminal
[apic1(config)#] show interface switchport
```

If any of the user-facing switch ports are configured as a trunk, this is a finding.
Fix Text
Disable trunking on all user-facing or untrusted switch ports. On a Cisco APIC, use the command "switchport mode access" on each relevant interface within the APIC configuration. This sets the port to access mode, which carries traffic for a single VLAN only and removes trunking from the port. First identify which physical ports on the APIC are considered "user-facing" or "untrusted", as those are the ports that must be configured as access ports.

```
[apic1] configure terminal
[apic1(config)#] interface <interface name>
[apic1(config-if)#] switchport mode access
[apic1(config-if)#] switchport access vlan <vlan-id>
```

To prevent any accidental trunking negotiation, the "switchport nonegotiate" command can also be applied on the interface.
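As an added illustration that is not part of the STIG text, the following Python script automates both the Check Content and the Fix Text above: it parses `show interface switchport` output, reports every user-facing port that is not in access mode, and emits the remediation commands for each finding. The sample command output is constructed here in the NX-OS style; the exact field names printed by an APIC may differ, so the two regular expressions may need adjusting. The `USER_FACING` inventory, the interface names and the access VLAN id are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample of `show interface switchport` output (NX-OS style; assumption,
# the real APIC output may use different field names or layout).
SAMPLE_OUTPUT = """\
Name: Ethernet1/1
  Switchport: Enabled
  Operational Mode: access
  Access Mode VLAN: 10 (USERS)
  Trunking Native Mode VLAN: 1 (default)
Name: Ethernet1/2
  Switchport: Enabled
  Operational Mode: trunk
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 1-4094
Name: Ethernet1/49
  Switchport: Enabled
  Operational Mode: trunk
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 10,20,30
"""

# Assumed site inventory: ports that face users or untrusted devices. The command
# output cannot tell you this; it has to come from your own port documentation.
# Ethernet1/49 is treated as an uplink, so it is allowed to trunk.
USER_FACING = {"Ethernet1/1", "Ethernet1/2"}


def parse_switchport(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `show interface switchport` into {interface: {field: value}}."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Name:\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if current is None:
            continue
        # Indented "Field: value" lines belong to the current interface.
        m = re.match(r"^\s+([^:]+):\s*(.*)$", line)
        if m:
            interfaces[current][m.group(1).strip()] = m.group(2).strip()
    return interfaces


def find_findings(interfaces: Dict[str, Dict[str, str]], user_facing) -> List[str]:
    """Return user-facing interfaces that are not operating in access mode.

    The rule requires access mode on every user-facing port, so trunk (and any
    other non-access mode) is reported as a finding. Ports missing from the
    output are skipped here and should be reviewed by hand.
    """
    findings = []
    for name in sorted(user_facing):
        info = interfaces.get(name)
        if info is None:
            continue
        mode = info.get("Operational Mode", "").lower()
        if mode != "access":
            findings.append(name)
    return findings


def remediation_commands(findings: List[str], access_vlan: int) -> List[str]:
    """Build the Fix Text command sequence for each finding (VLAN id is an input)."""
    cmds = ["configure terminal"]
    for name in findings:
        cmds += [
            f"interface {name}",
            "switchport mode access",
            f"switchport access vlan {access_vlan}",
            "switchport nonegotiate",  # block accidental trunk negotiation
        ]
    return cmds


if __name__ == "__main__":
    parsed = parse_switchport(SAMPLE_OUTPUT)
    findings = find_findings(parsed, USER_FACING)
    if not findings:
        print("No findings: all user-facing ports are in access mode.")
    else:
        print("Findings (user-facing ports not in access mode):")
        for name in findings:
            print(f"  {name}: Operational Mode = {parsed[name].get('Operational Mode')}")
        print("\nRemediation commands:")
        for cmd in remediation_commands(findings, access_vlan=10):
            print("  " + cmd)
```

Run it against output captured from the real switch instead of `SAMPLE_OUTPUT`, and keep `USER_FACING` in step with the site's port inventory: the whole check hinges on knowing which ports are untrusted, which no switch command can tell you.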
Additional Identifiers
Rule ID: SV-272043r1113949_rule
Vulnerability ID: V-272043
Group Title: SRG-NET-000512-L2S-000011
  CCIs
      
  | Number | Definition | 
|---|---|
| CCI-000366 | Implement the security configuration settings. | 
      
  Controls
      
  | Number | Title | 
|---|---|
| CM-6 | Configuration Settings |