Check: CACI-L2-000002
Cisco ACI Layer 2 Switch STIG: CACI-L2-000002 (in version v1 r0.1)
Title
The Cisco ACI layer 2 switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available. (Cat II impact)
Discussion
VTP provides central management of VLAN domains, thus reducing administration in a switched network. When a new VLAN is configured on a VTP server, the VLAN is distributed to all switches in the domain, which removes the need to configure the same VLAN on every switch. VTP pruning preserves bandwidth by preventing VLAN traffic (unknown-unicast, broadcast, multicast) from being sent down trunk links where it is not needed, that is, where no access ports on the neighboring switches belong to those VLANs. An attack can force a digest change for the VTP domain, enabling a rogue device to become the VTP server; this could allow unauthorized access to previously blocked VLANs or allow unauthorized switches to be added to the domain. Authenticating VTP messages with a cryptographic hash function reduces the risk of the VTP domain being compromised.
Check Content
Verify a VPC Interface policy is applied to the host-facing VLAN tunnels:
1. Click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
2. Right-click "Profiles", select "Leaf Interface Profile".
3. In the Interface IDs field, review the interfaces for VLAN tunnels and verify a Dot1q Tunnel interface policy has been included.

Verify a static binding of the tunnel configuration to the VLAN ports:
1. Click Tenant >> Networking >> Dot1Q Tunnels.
2. Expand Dot1Q Tunnels and verify that one or multiple Dot1Q Tunnels have been applied and bound to the interface using Static Binding.

If VTP is enabled on the switch and is not authenticating VTP messages with a hash function using a configured password, this is a finding.
Fix Text
Configure 802.1X authentication on all host-facing access switch ports. To authenticate those devices that do not support 802.1X, MAC Authentication Bypass must be configured. When configuring the interface for a leaf switch, the port security policy can be chosen from the list of available port security policies.

Create an 802.1X Port Authentication Policy:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Interface >> 802.1X Port Authentication.
2. Right-click "802.1X Port Authentication" to open Create "802.1X Port Authentication Policy" and fill out the form.
   - In the Host Mode field, select "Single Host—For allowing only one host per port".
   - In the MAC Auth field, select "EAP_FALLBACK_MAB".
   - Click "Submit".

Configure 802.1X Node Authentication: Associate the 802.1X Port Authentication Policy to a Fabric Access Group.
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Switch >> 802.1X Node Authentication.
   - Right-click "802.1X Node Authentication" to open Create 802.1X Node Authentication Policy.
   - In the Failed-auth EPG field, select the tenant, application profile, and EPG to deploy to in the case of failed authentication.
   - In the Failed-auth VLAN field, select the VLAN to deploy to in the case of failed authentication.
2. To associate the 802.1X Node Authentication Policy to a Leaf Switch Policy Group, navigate to Fabric >> External Access Policies >> Switches >> Leaf Switches >> Policy Groups.
   - Right-click "Policy Groups" to open Create Access Switch Policy Group.
   - In the 802.1X Node Authentication Policy field, select the policy previously created.
   - Click "Submit".
3. To associate the 802.1X Node Authentication Policy to a Leaf Interface Profile, navigate to Fabric >> External Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
   - Right-click "Profiles" to open Create Leaf Interface Profile.
   - Expand the Interface Selectors table to open the Create Access Port Selector dialog box and fill out the form.
   - In the Interface Policy Group field, select the previously created policy and click "OK".
   - Click "Submit".
Additional Identifiers
Rule ID: SV-272030r1064433_rule
Vulnerability ID: V-272030
Group Title: SRG-NET-000168-L2S-000019
CCIs
Number | Definition
---|---
CCI-000803 | Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Controls
Number | Title
---|---
IA-7 | Cryptographic Module Authentication