Check: CACI-L2-000009
Cisco ACI Layer 2 Switch STIG, version v1 r2
Title
The Cisco ACI layer 2 switch must enable port security. (Cat II impact)
Discussion
The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. The port security feature support is available for physical ports, port channels, and virtual port channels.
Check Content
Review the port security policies for compliance. Navigate to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies. Select each port security policy used and verify the following:
- Port Security Timeout is set to "600 seconds".
- Violation Action is set to "Protect mode".
- Maximum Endpoints is set to "1".
Verify port security is active on all appropriate host-facing interfaces. Verify each leaf has been configured to use a correctly configured port security policy.
If port security is not configured and enabled, this is a finding.
Fix Text
Create a port security policy. The port security policy can be created new or chosen from the list of available port security policies. Path to the Port Security setting: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.
If the policy group is not applied to the appropriate interface, navigate to the following to add it: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}
In the Create Port Security Policy dialog box:
1. In the Port Security Timeout field, enter "600" (the number of seconds to wait before re-enabling MAC learning on an interface).
2. In the Maximum Endpoints field, enter "1" for the maximum number of endpoints that can be learned on an interface.
3. In the Violation Action field, select "Protect".
4. Click "Submit".
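The check above is a GUI walk-through; the same three values can be audited in bulk from an APIC REST export. The following is an added example, not part of the STIG. It assumes the ACI object class l2PortSecurityPol with attributes timeout, violation and maximum (as in the ACI object model), and uses a constructed JSON sample in the shape of a GET /api/class/l2PortSecurityPol.json response so it runs offline.

```python
import json

# Values required by CACI-L2-000009 (from the check content above).
REQUIRED = {"timeout": "600", "violation": "protect", "maximum": "1"}

# Constructed sample shaped like an APIC response for
# GET /api/class/l2PortSecurityPol.json. Class and attribute names are
# assumed from the ACI object model; the policy contents are made up.
SAMPLE_RESPONSE = json.dumps({"imdata": [
    {"l2PortSecurityPol": {"attributes": {
        "dn": "uni/infra/portsecurityP-host-compliant",
        "name": "host-compliant", "timeout": "600",
        "violation": "protect", "maximum": "1"}}},
    {"l2PortSecurityPol": {"attributes": {
        "dn": "uni/infra/portsecurityP-default",
        "name": "default", "timeout": "60",
        # maximum of 0 leaves the endpoint limit disabled
        "violation": "protect", "maximum": "0"}}},
]})


def audit_port_security(response_json):
    """Return {policy name: [finding strings]} for every policy whose
    timeout, violation action or maximum endpoints deviates from the STIG."""
    findings = {}
    for obj in json.loads(response_json)["imdata"]:
        attrs = obj["l2PortSecurityPol"]["attributes"]
        problems = [
            f"{key} is {attrs.get(key)!r}, expected {want!r}"
            for key, want in REQUIRED.items()
            if attrs.get(key, "").lower() != want
        ]
        if problems:
            findings[attrs["name"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_port_security(SAMPLE_RESPONSE).items():
        print(f"FINDING: policy '{name}': " + "; ".join(problems))
```

A policy that passes here still needs the second half of the check: confirm through the interface policy groups and leaf profiles that every host-facing interface actually references a compliant policy.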
Additional Identifiers
Rule ID: SV-272037r1168273_rule
Vulnerability ID: V-272037
Group Title: SRG-NET-000362-L2S-000027
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
| Number | Title |
|---|---|
| SC-5 | Denial-of-service Protection |