Title

The Cisco ACI layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection enabled on all user VLANs. (Cat II impact)

Discussion

DAI intercepts Address Resolution Protocol (ARP) requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

Check Content

In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants: 1. On the menu bar, click Tenants >> Tenant_name. 2. In the Navigation pane, click Policies >> Protocol >> First Hop Security. 3. Expand "Feature Policy" and verify ARP Inspection is enabled for both IPv4 and IPv6. If the switch does not have ARP Inspection-enabled user-facing or untrusted access switch ports, this is a finding.

Fix Text

In the Cisco APIC GUI, navigate to Tenants and repeat the following steps for all tenants: 1. On the menu bar, click Tenants >> Tenant_name. 2. In the Navigation pane, click Policies >> Protocol >> First Hop Security. 3. Right-click "First Hop Security" to open Create Feature Policy and fill out the form. - Check the "ARP Inspection" option box. - Enable for both IPv4 and IPv6. 4. Click "Submit".

Additional Identifiers

Rule ID: SV-272036r1064439_rule

Vulnerability ID: V-272036

Group Title: SRG-NET-000362-L2S-000027

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.