An error occurred:

Check: CACI-L2-000015

Cisco ACI Layer 2 Switch STIG: CACI-L2-000015 (in version v1 r0.1)

Title

The Cisco ACI layer 2 switch must have all user-facing or untrusted ports configured as access switch ports. (Cat II impact)

Discussion

Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. Knowing the victim's MAC address, and with the victim attached to a different switch belonging to the same trunk group, thereby requiring the trunk link and frame tagging, the malicious user can begin the attack by sending frames with two sets of tags. The outer tag that will have the attacker's VLAN ID (probably the well-known and omnipresent default VLAN) is stripped off by the switch, and the inner tag that will have the victim's VLAN ID is used by the switch as the next hop and sent out the trunk port.

Check Content

Review the switch configuration and examine all user-facing or untrusted switchports. Display information for all Ethernet interfaces, including access and trunk interfaces. Example: [apic1] configure terminal [apic1(config)#] show interface switchport If any of the user-facing switch ports are configured as a trunk, this is a finding.

Fix Text

Disable trunking on all user-facing or untrusted switch ports. To disable trunking on all user-facing or untrusted switch ports on a Cisco APIC, use the command "switchport mode access" on each relevant interface within the APIC configuration, effectively setting each port to "access mode", which only allows traffic for a single VLAN, preventing trunking functionality. Identify which physical ports on the APIC are considered "user-facing" or "untrusted" as those will need to be configured as access ports. [apic1] configure terminal [apic1(config)#] interface <interface name> [apic1(config-if)#] switchport mode access [apic1(config-if)#] switchport access vlan <vlan-id> or To prevent any accidental trunking negotiation, use the "switchport nonegotiate" command on the interface.

Additional Identifiers

Rule ID: SV-272043r1064446_rule

Vulnerability ID: V-272043

Group Title: SRG-NET-000512-L2S-000011

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

Implement the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings