Check: CACI-L2-000019
Cisco ACI Layer 2 Switch STIG:
CACI-L2-000019
(in version v1 r0.1)
Title
The Cisco ACI layer 2 switch must establish organization-defined alternate communication paths for system operations organizational command and control. (Cat II impact)
Discussion
An incident, whether adversarial or non-adversarial, can disrupt established communication paths used for system operations and organizational command and control. Alternate communication paths reduce the risk of all communication paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions, or to provide timely direction to operational elements after a communication path incident, can impair the organization's ability to respond to such incidents in a timely manner. Establishing alternate communication paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization's ability to continue to operate and take appropriate actions during an incident.

To establish alternate communication paths for system operations and organizational command and control within a Cisco ACI cluster using the CLI, configure a multi-pod ACI architecture with separate APIC clusters, ensuring redundancy across pods by using external IP-routed networks (Inter-Pod Network) to maintain connectivity even if one pod experiences a failure. This creates diverse communication pathways for management and control functions.
Check Content
If the connection type is remotely attached through a layer 3 network, this is not applicable.

Verify the cluster status:

```
apic1# cluster_health
```

If the status of the clustered nodes is not "OK", this is a finding.
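The check above can be automated when `cluster_health` output is captured to a file or collected by a script. The following is an added example, not part of the STIG or of Cisco's tooling: it applies the not-applicable condition, parses the per-node status rows and reports a result of NotApplicable, NotAFinding or Open together with the nodes whose status is not "OK". The sample output embedded here is constructed, and the column layout (node ID, address, status) is an assumption about what `cluster_health` prints; adjust `NODE_LINE` to the real layout before relying on it.

```python
"""Evaluate CACI-L2-000019 from captured 'cluster_health' output.

Added example, not part of the STIG. The output format below is a
CONSTRUCTED approximation of what 'apic1# cluster_health' prints; the
real column layout may differ, so adjust the parser before use.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample output: one row per APIC node with ID, address, status.
SAMPLE_HEALTHY = """\
Fabric State: AVAILABLE
Cluster State: ACTIVE
ID   Address        Status
1    10.0.0.1       OK
2    10.0.0.2       OK
3    10.0.0.3       OK
"""

# Constructed sample with one node that is not OK (should be a finding).
SAMPLE_DEGRADED = """\
Fabric State: AVAILABLE
Cluster State: ACTIVE
ID   Address        Status
1    10.0.0.1       OK
2    10.0.0.2       Unavailable
3    10.0.0.3       OK
"""

# Node rows are assumed to start with a numeric ID; header and
# "Fabric State"/"Cluster State" lines do not match and are skipped.
NODE_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S.*?)\s*$")


def parse_node_status(output: str) -> Dict[int, str]:
    """Return {node_id: status} for every node row found in the output."""
    nodes: Dict[int, str] = {}
    for line in output.splitlines():
        m = NODE_LINE.match(line)
        if m:
            nodes[int(m.group(1))] = m.group(3)
    return nodes


@dataclass
class CheckResult:
    status: str                      # "NotApplicable", "NotAFinding" or "Open"
    not_ok_nodes: List[int] = field(default_factory=list)


def evaluate(output: str, remote_attached_l3: bool = False) -> CheckResult:
    """Apply the STIG check logic to captured cluster_health output."""
    # Check Content: remotely attached through a layer 3 network -> N/A.
    if remote_attached_l3:
        return CheckResult("NotApplicable")
    nodes = parse_node_status(output)
    if not nodes:
        # No node rows parsed: report Open so a parse failure or empty
        # capture never silently passes as compliant.
        return CheckResult("Open")
    bad = sorted(n for n, s in nodes.items() if s != "OK")
    return CheckResult("Open" if bad else "NotAFinding", bad)


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        r = evaluate(sample)
        print(f"{name}: {r.status} not_ok_nodes={r.not_ok_nodes}")
```

Treating an empty or unparseable capture as Open is deliberate: an automated compliance check should fail closed rather than report NotAFinding because the parser matched nothing.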
Fix Text
Configure a multi-pod ACI architecture with separate APIC clusters with redundancy across pods using external IP-routed networks (Interpod Network) to connect them, allowing management access even if one pod experiences a failure.

Deploy at least two separate APIC clusters (pods):

```
apic1# conf t
apic1(config)# pod <pod_name>
apic1(config)# ip address <management_ip> <subnet_mask>
apic1(config)# ip route <destination_network> <next_hop_ip>
```
Additional Identifiers
Rule ID: SV-272047r1064450_rule
Vulnerability ID: V-272047
Group Title: SRG-NET-000760-L2S-000160
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-004931 | Establish organization-defined alternate communications paths for system operations organizational command and control. |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |