Check: CACI-L2-000014
Cisco ACI Layer 2 Switch STIG:
CACI-L2-000014
(in version v1 r0.1)
Title
The Cisco ACI layer 2 switch must have all disabled switch ports assigned to an unused VLAN. (Cat II impact)
Discussion
A disabled port that is still assigned to a user or management VLAN can be re-enabled, by accident or by an attacker, and whatever is then connected to it becomes a member of that VLAN. Parking unused ports in a dedicated inactive VLAN that carries no traffic and is not allowed on trunks limits what an accidentally or maliciously enabled port can reach.
Check Content
If the switch port is configured for 802.1X, this is not applicable.

Review the switch configuration for the VLAN designated as the inactive VLAN. Each access switch port identified as not in use must be a member of the inactive VLAN. Verify that traffic from the inactive VLAN is not allowed on any trunk link. VLAN 999 is used below as an example of the inactive VLAN; substitute the VLAN designated at the site.

[APIC1(config-if)] # show vlan id 999

If any access switch ports are not in use and not in the inactive VLAN, this is a finding.
Fix Text
Identify ports that are unused. Assign all switch ports not in use to an inactive VLAN (VLAN 999 in this example).

[APIC1] # configure terminal
[APIC1(config)] # interface Ethernet 1/1/1
[APIC1(config-if)] # switchport access vlan 999
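As an added example, not part of the STIG text and not Cisco or APIC tooling: a small Python audit that applies the Check Content and Fix Text above to a configuration listing. It assumes an NX-OS-style running-config with per-interface stanzas (the exact ACI CLI output may differ), treats an administratively shut access port as "not in use", and uses VLAN 999 as the inactive VLAN, mirroring the placeholder in the STIG commands. The sample configuration is constructed for the example. It flags unused access ports that are not in the inactive VLAN, flags trunks that would carry the inactive VLAN (including trunks with the default allow-all list), and emits the Fix Text commands for the access-port findings.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Placeholder from the STIG text; the real value is the VLAN the site designates as inactive.
INACTIVE_VLAN = 999

# Constructed NX-OS-style sample for this example (not a real device export).
SAMPLE_CONFIG = """\
interface Ethernet1/1/1
  description unused, correctly parked
  switchport access vlan 999
  shutdown
interface Ethernet1/1/2
  description former user port, still in VLAN 10
  switchport access vlan 10
  shutdown
interface Ethernet1/1/3
  description uplink, inactive VLAN leaked onto trunk
  switchport mode trunk
  switchport trunk allowed vlan 10,20,999
interface Ethernet1/1/4
  description uplink with default allowed list (all VLANs)
  switchport mode trunk
interface Ethernet1/1/5
  description active user port
  switchport access vlan 10
"""


@dataclass
class Interface:
    name: str
    mode: str = "access"                 # NX-OS default when no 'switchport mode' line
    access_vlan: int = 1                 # NX-OS default access VLAN
    allowed: Optional[Set[int]] = None   # None means every VLAN is allowed (trunk default)
    shutdown: bool = False


def parse_vlan_list(spec: str) -> Optional[Set[int]]:
    """Expand '10,20,30-32' into a set; 'all' -> None, 'none' -> empty set.
    Only the plain list form is handled; 'add'/'remove'/'except' forms are not."""
    spec = spec.strip()
    if spec == "all":
        return None
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> List[Interface]:
    """Collect the switchport attributes this check cares about, per interface."""
    interfaces: List[Interface] = []
    cur: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Interface(name=line.split(None, 1)[1])
            interfaces.append(cur)
        elif cur is None:
            continue
        elif line == "shutdown":
            cur.shutdown = True
        elif line.startswith("switchport mode "):
            cur.mode = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            cur.allowed = parse_vlan_list(line[len("switchport trunk allowed vlan "):])
    return interfaces


def audit(interfaces: List[Interface], inactive_vlan: int = INACTIVE_VLAN) -> List[Tuple[str, str, str]]:
    """Return (interface, kind, detail) findings.
    Assumption for this example: an administratively shut access port is 'not in use'."""
    findings: List[Tuple[str, str, str]] = []
    for intf in interfaces:
        if intf.mode == "access" and intf.shutdown and intf.access_vlan != inactive_vlan:
            findings.append((intf.name, "access",
                             f"unused access port is in VLAN {intf.access_vlan}, not inactive VLAN {inactive_vlan}"))
        if intf.mode == "trunk" and (intf.allowed is None or inactive_vlan in intf.allowed):
            findings.append((intf.name, "trunk",
                             f"trunk allows inactive VLAN {inactive_vlan}"))
    return findings


def remediation(findings: List[Tuple[str, str, str]], inactive_vlan: int = INACTIVE_VLAN) -> List[str]:
    """Emit the Fix Text commands for each unused access port finding.
    Trunk findings are reported only; pruning a trunk's allowed list needs a human decision."""
    cmds = ["configure terminal"]
    for name, kind, _ in findings:
        if kind == "access":
            cmds += [f"interface {name}", f"  switchport access vlan {inactive_vlan}"]
    return cmds


if __name__ == "__main__":
    found = audit(parse_config(SAMPLE_CONFIG))
    for name, kind, detail in found:
        print(f"FINDING {name}: {detail}")
    print("\n".join(remediation(found)))
```

On the constructed sample this reports Ethernet1/1/2 (shut, but still in VLAN 10), Ethernet1/1/3 (trunk explicitly allowing 999) and Ethernet1/1/4 (trunk with no allowed-list line, so every VLAN including 999 is carried), and prints the three Fix Text lines for Ethernet1/1/2 only. The default-allow-all case is the one most often missed in a manual review, which is why the parser treats a missing allowed-list line as "all" rather than as "none".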
Additional Identifiers
Rule ID: SV-272042r1064445_rule
Vulnerability ID: V-272042
Group Title: SRG-NET-000512-L2S-000007
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings