Check: CACI-L2-000009
Cisco ACI Layer 2 Switch STIG:
CACI-L2-000009
(in versions v1 r1 through v1 r0.1)
Title
The Cisco ACI layer 2 switch must enable port security. (Cat II impact)
Discussion
The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. Port security is supported on physical ports, port channels, and virtual port channels.
Check Content
Review the port security policies for compliance:
1. In the GUI menu bar, click Fabric >> Access Policies.
2. In the Navigation pane, expand Policies >> Interface >> Port Security.
3. Select each port security policy used and verify the following:
- Port Security Timeout is set to "600 seconds".
- Violation Action is set to "Protect mode".
- Maximum Endpoints is set to "1".
Verify port security is active on all appropriate host-facing interfaces:
1. In the Navigation pane, click Fabric >> Inventory >> Topology.
2. Verify that each leaf has been configured to use a correctly configured port security policy.
If port security is not configured and enabled, this is a finding.
Fix Text
Create a port security policy. The port security policy can be created new or chosen from the list of available port security policies.
1. In the GUI menu bar, click Fabric >> Access Policies.
2. In the Navigation pane, expand Policies >> Interface >> Port Security.
3. Right-click "Port Security" and click "Create Port Security Policy".
4. In the Create Port Security Policy dialog box:
- In the Port Security Timeout field, enter "600" as the number of seconds to wait before MAC learning is re-enabled on an interface.
- In the Maximum Endpoints field, enter "1" as the maximum number of endpoints that can be learned on an interface.
- In the Violation Action field, select "Protect".
5. Click "Submit".
Configure each host-facing interface for the leaf switches:
1. In the Navigation pane, click Fabric >> Inventory >> Topology, and navigate to the desired leaf switch.
2. Choose the appropriate port to configure the interface.
3. From the port security policy drop-down list, choose the desired port security policy to associate.
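The same three-value check can be run against an APIC export instead of clicking through each policy. The following is an added example, not DISA's or Cisco's code; it assumes the port security policies were retrieved with an APIC REST query for the l2PortSecurityPol class and that the attributes are named timeout, violation and maximum (verify these against your APIC's object model). The input below is a constructed sample in that response shape.

```python
"""Audit exported Cisco ACI port security policies against CACI-L2-000009."""
import json

# Required values from the STIG check content (compared case-insensitively).
REQUIRED = {"timeout": "600", "violation": "protect", "maximum": "1"}

# Constructed sample in the shape of an APIC REST class query response
# (GET /api/class/l2PortSecurityPol.json). Class, attribute and dn names
# are assumptions about the ACI object model, not values from the STIG.
SAMPLE_EXPORT = json.dumps({"totalCount": "3", "imdata": [
    {"l2PortSecurityPol": {"attributes": {
        "dn": "uni/infra/portsecurityP-STIG-host", "name": "STIG-host",
        "timeout": "600", "violation": "protect", "maximum": "1"}}},
    {"l2PortSecurityPol": {"attributes": {
        "dn": "uni/infra/portsecurityP-lab", "name": "lab",
        "timeout": "60", "violation": "protect", "maximum": "10"}}},
    {"l2PortSecurityPol": {"attributes": {
        "dn": "uni/infra/portsecurityP-default", "name": "default",
        "timeout": "60", "violation": "protect", "maximum": "0"}}},
]})


def audit_policy(attrs):
    """Return the deviations for one policy; an empty list means compliant."""
    deviations = []
    for key, want in REQUIRED.items():
        got = attrs.get(key)
        if got is None or str(got).lower() != want:
            deviations.append(f"{key}={got!r} (required {want!r})")
    return deviations


def audit_export(export_json):
    """Map each policy name to its deviation list for every exported policy."""
    results = {}
    for mo in json.loads(export_json).get("imdata", []):
        attrs = mo.get("l2PortSecurityPol", {}).get("attributes")
        if attrs is None:
            continue  # an object of another class; not a port security policy
        results[attrs.get("name") or attrs.get("dn", "?")] = audit_policy(attrs)
    return results


if __name__ == "__main__":
    for name, devs in audit_export(SAMPLE_EXPORT).items():
        status = "compliant" if not devs else "FINDING: " + "; ".join(devs)
        print(f"{name}: {status}")
```

A policy that passes here still has to be associated with every host-facing leaf interface (the second half of the check), which this script does not verify.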
Additional Identifiers
Rule ID: SV-272037r1113943_rule
Vulnerability ID: V-272037
Group Title: SRG-NET-000362-L2S-000027
CCIs
Number | Definition
---|---
CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events.
Controls
Number | Title
---|---
SC-5 | Denial of Service Protection