Check: CACI-L2-000002
Cisco ACI Layer 2 Switch STIG:
CACI-L2-000002
(in version v1 r1)
Title
The Cisco ACI layer 2 switches should authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available. (Cat II impact)
Discussion
VTP provides central management of VLAN domains, thus reducing administration in a switched network. When a new VLAN is configured on a VTP server, the VLAN is distributed to all switches in the domain, which removes the need to configure the same VLAN on every switch. VTP pruning preserves bandwidth by preventing VLAN traffic (unknown unicast, broadcast, multicast) from being sent down trunk links when it is not needed, that is, when neighboring switches have no access ports in those VLANs. An attacker can force a digest change for the VTP domain, enabling a rogue device to become the VTP server, which could allow unauthorized access to previously blocked VLANs or the addition of unauthorized switches to the domain. Authenticating VTP messages with a cryptographic hash function reduces the risk of the VTP domain being compromised.
Check Content
Review the switch configuration to verify whether VTP authentication is configured.
1. Navigate to Fabric >> Fabric Policies >> Policies >> Pod >> VLAN.
2. Verify that a VTP password is configured.
If a password is not configured, this is a finding.
Fix Text
Configure VLANs for VTP authentication by configuring the VLAN pool within the APIC and then associating it with the appropriate Endpoint Groups (EPGs). All switches in the VTP domain must have the same VTP domain name, and all switches in the domain must have the same VTP password.
1. Navigate to Fabric >> Fabric Policies >> Policies >> Pod >> VLAN.
2. Specify the VTP domain name.
3. Set the VTP password.
4. Click "Apply" to save the changes.
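The check and fix above reduce to three conditions: every switch has a VTP password, every switch carries the same VTP domain name, and every switch carries the same password. The following Python audit is an added example, not part of this STIG and not Cisco or DISA tooling. It assumes the settings are available as IOS/NX-OS-style "vtp domain" and "vtp password" lines (on an ACI fabric they are set through the APIC, so that textual form is an assumption of the example), and the sample configurations are constructed.

```python
"""Audit VTP authentication across a set of switch configurations.

Added example for this STIG check; it is not Cisco's or DISA's code. It assumes
the relevant settings are available as IOS/NX-OS-style 'vtp domain' and
'vtp password' lines; on an ACI fabric these are set through the APIC, and the
exported text form used here is an assumption of this example.
"""
import re

# Constructed sample configurations, one per switch (not from a real fabric).
SAMPLE_CONFIGS = {
    "leaf-101": "hostname leaf-101\nvtp domain CORP\nvtp password S3cr3tVTP\n",
    "leaf-102": "hostname leaf-102\nvtp domain CORP\nvtp password S3cr3tVTP\n",
    # No password, and the domain name differs in case (VTP domain names are case-sensitive).
    "leaf-103": "hostname leaf-103\nvtp domain corp\n",
    # Password set, but it does not match the rest of the domain.
    "leaf-104": "hostname leaf-104\nvtp domain CORP\nvtp password Wr0ngPW\n",
}

VTP_DOMAIN_RE = re.compile(r"^\s*vtp\s+domain\s+(\S+)\s*$", re.MULTILINE)
VTP_PASSWORD_RE = re.compile(r"^\s*vtp\s+password\s+(\S+)", re.MULTILINE)


def parse_vtp(config_text):
    """Return {'domain': str|None, 'password': str|None} for one switch config."""
    dom = VTP_DOMAIN_RE.search(config_text)
    pw = VTP_PASSWORD_RE.search(config_text)
    return {
        "domain": dom.group(1) if dom else None,
        "password": pw.group(1) if pw else None,
    }


def audit_vtp(configs):
    """Apply the check: each switch needs a VTP password, and all switches in the
    domain must share one domain name and one password.

    Returns a list of (switch, finding) tuples; an empty list means no findings.
    """
    parsed = {name: parse_vtp(text) for name, text in configs.items()}
    findings = []
    for name, s in parsed.items():
        if s["password"] is None:
            findings.append((name, "no VTP password configured"))
        if s["domain"] is None:
            findings.append((name, "no VTP domain name configured"))
    # Domain names are compared exactly because VTP treats them as case-sensitive.
    domains = {s["domain"] for s in parsed.values() if s["domain"] is not None}
    if len(domains) > 1:
        findings.append(("fabric", "VTP domain name differs across switches: "
                         + ", ".join(sorted(domains))))
    passwords = {s["password"] for s in parsed.values() if s["password"] is not None}
    if len(passwords) > 1:
        # Report the mismatch without echoing the passwords themselves.
        findings.append(("fabric", "VTP password differs across switches"))
    return findings


if __name__ == "__main__":
    for switch, finding in audit_vtp(SAMPLE_CONFIGS):
        print(f"FINDING [{switch}]: {finding}")
```

Run against the constructed sample, the audit reports leaf-103 for the missing password and two fabric-wide findings (domain name mismatch, password mismatch); a set of configurations that all carry the same domain name and password produces no findings.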
Additional Identifiers
Rule ID: SV-272030r1114331_rule
Vulnerability ID: V-272030
Group Title: SRG-NET-000168-L2S-000019
CCIs
Number | Definition
---|---
CCI-000803 | Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Controls
Number | Title
---|---
IA-7 | Cryptographic Module Authentication