Check: CACI-L2-000013
Cisco ACI Layer 2 Switch STIG:
CACI-L2-000013
(in version v1 r0.1)
Title
The Cisco ACI layer 2 switch must have all trunk links enabled statically. (Cat II impact)
Discussion
When trunk negotiation is enabled via Dynamic Trunking Protocol (DTP), considerable time can be spent negotiating trunk settings (802.1q or ISL) when a node or interface is restored. While this negotiation is happening, traffic is dropped because the link is up from a layer 2 perspective. Packet loss can be eliminated by setting the interface statically to trunk mode, thereby avoiding DTP negotiation and significantly reducing any outage when restoring a failed link or switch.
Check Content
Review the switch configuration and examine all switchports configured for trunk. Display information for all Ethernet interfaces, including access and trunk interfaces. Each switchport configured for trunk mode must have a specific VLAN assigned.

Example:

[apic1] configure terminal
[apic1(config)#] show interface switchport

If switchports are configured as a trunk but do not have a specific VLAN assigned, this is a finding.
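The check above is a manual review of "show interface switchport" output. The following is an added audit script, not part of the STIG, that applies the same rule to a saved copy of that output: every interface whose operational mode is trunk must carry an explicitly assigned VLAN. The block-style output format (a "Name:" line followed by indented "Key: value" lines) is an assumption modelled on NX-OS-style output, the sample text is constructed, and treating the full default range 1-4094 as "no specific VLAN" is this script's interpretation of the check.

```python
import re

# Constructed sample in an assumed NX-OS-style "show interface switchport"
# layout (not captured from a real ACI leaf). Four interfaces:
#   1/13 trunk with VLAN 20 assigned           -> compliant
#   1/14 trunk with no VLAN assigned           -> finding
#   1/15 access port                           -> not in scope
#   1/16 trunk with only the default all-VLAN range -> finding (interpretation)
SAMPLE_OUTPUT = """\
Name: Ethernet1/13
  Switchport: Enabled
  Operational Mode: trunk
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 20

Name: Ethernet1/14
  Switchport: Enabled
  Operational Mode: trunk
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: none

Name: Ethernet1/15
  Switchport: Enabled
  Operational Mode: access
  Access Mode VLAN: 10
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 1-4094

Name: Ethernet1/16
  Switchport: Enabled
  Operational Mode: trunk
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Allowed: 1-4094
"""


def parse_switchports(text):
    """Split the output into one dict per interface, keyed by the 'Name:' line."""
    ports = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {"name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports


def has_specific_vlan(allowed):
    """True only if the allowed list names at least one VLAN explicitly.

    'none' or an empty field means nothing is assigned; the default
    all-VLAN range '1-4094' is treated as not specific (assumption).
    """
    allowed = allowed.strip().lower()
    if not allowed or allowed in ("none", "1-4094"):
        return False
    # Accept comma-separated VLAN numbers and ranges such as "20" or "20,30-35".
    return bool(re.fullmatch(r"\d+(-\d+)?(,\d+(-\d+)?)*", allowed))


def find_findings(text):
    """Return the names of trunk-mode interfaces with no specific VLAN assigned."""
    findings = []
    for port in parse_switchports(text):
        if port.get("Operational Mode", "").lower() != "trunk":
            continue
        if not has_specific_vlan(port.get("Trunking VLANs Allowed", "")):
            findings.append(port["name"])
    return findings


if __name__ == "__main__":
    for name in find_findings(SAMPLE_OUTPUT):
        print(f"CACI-L2-000013 finding: {name} is a trunk with no VLAN assigned")
```

Pipe the real command output into the script in place of SAMPLE_OUTPUT; any interface it lists is a finding under this check and should be fixed per the Fix Text.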
Fix Text
An EPG can be created on a specific node or a specific port on a node. The following is an example of deploying EPG trunks on a specific port. The vlan-domain and vlan-domain member commands in the example are a prerequisite for deploying an EPG on a port.

Associate the EPG with a specific port:

apic1(config)# leaf 1017
apic1(config-leaf)# interface ethernet 1/13
apic1(config-leaf-if)# vlan-domain member dom1
apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1
Additional Identifiers
Rule ID: SV-272041r1064444_rule
Vulnerability ID: V-272041
Group Title: SRG-NET-000512-L2S-000005
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings