Check: CACI-L2-000014
Cisco ACI Layer 2 Switch STIG:
CACI-L2-000014
(in version v1 r1)
Title
The Cisco ACI layer 2 switch must have all disabled switch ports assigned to an unused VLAN. (Cat II impact)
Discussion
It is possible that a disabled port assigned to a user or management VLAN is enabled by accident or by an attacker; whatever is then connected to that port gains access to the VLAN as a member. Parking unused ports in a VLAN that carries no applications or endpoints means an accidentally or maliciously enabled port leads nowhere.
Check Content
If the switchport is configured for 802.1X, this is not applicable.

Review the VLAN designated as the inactive VLAN:
1. In the ACI GUI, navigate to Fabric >> Inventory >> Pod number.
2. Click the "Topology" tab to view the fabric topology.
3. Double-click the leaf switch or spine switch to view port-level connectivity.
4. Navigate to the VLAN section.
5. Review the switch configuration for the VLAN designated as the inactive VLAN. It must have no applications or endpoints assigned.

Review the disabled ports:
1. Navigate to Fabric >> Inventory >> Pod number, then navigate to the desired switch.
2. Navigate to the port profile and verify it is assigned to the designated unused VLAN.
3. Each access switch port identified as not in use should have membership in the designated unused VLAN.

If there are any access switch ports not in use and not in an inactive VLAN, this is a finding.
Fix Text
Identify ports that are unused. Assign all switch ports not in use to an inactive VLAN.

Create an unused VLAN:
1. In the ACI GUI, navigate to Fabric >> Inventory >> Pod number.
2. Click the "Topology" tab to view the fabric topology.
3. Double-click the leaf switch or spine switch to view port-level connectivity.
4. Navigate to the VLAN section and create a new VLAN profile, but do not assign any applications or endpoints to it.

Assign ports to the unused VLAN:
1. Navigate to Fabric >> Inventory >> Pod number, then navigate to the desired switch.
2. Select the specific port you want to disable (or not use) and assign it to the unused VLAN.
3. Navigate to the port profile and select the unused VLAN.
4. Disable the port as needed.
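The Check Content and Fix Text above describe the audit in GUI terms. The script below is an added illustration of the same decision logic run over a constructed port inventory; it is not part of the STIG and does not call the APIC API. The `Port` record, the field names, the VLAN name `VLAN-UNUSED` and the sample inventory are all assumptions made for the example. An operator would populate `ports` and `vlan_endpoints` from their own fabric export before applying the same rules.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Port:
    """One access port as seen in the fabric inventory (constructed schema)."""
    name: str
    admin_up: bool              # False = port administratively disabled / not in use
    vlan: Optional[str]         # VLAN the port profile is bound to; None = no binding
    dot1x: bool = False         # 802.1X configured on the port


# Constructed sample data, not output from any real fabric.
UNUSED_VLAN = "VLAN-UNUSED"

SAMPLE_PORTS: List[Port] = [
    Port("eth1/1", admin_up=True,  vlan="VLAN-USERS"),              # in use, out of scope
    Port("eth1/2", admin_up=False, vlan=UNUSED_VLAN),               # parked correctly
    Port("eth1/3", admin_up=False, vlan="VLAN-MGMT"),               # disabled but on mgmt VLAN
    Port("eth1/4", admin_up=False, vlan=None),                      # disabled, no VLAN at all
    Port("eth1/5", admin_up=False, vlan="VLAN-USERS", dot1x=True),  # 802.1X -> not applicable
]

# Which endpoints/applications each VLAN currently carries (constructed).
SAMPLE_VLAN_ENDPOINTS: Dict[str, List[str]] = {
    "VLAN-USERS": ["host-a", "host-b"],
    "VLAN-MGMT": ["apic-oob"],
    UNUSED_VLAN: [],
}


def audit_unused_ports(ports: List[Port], unused_vlan: str):
    """Apply the rule's port logic.

    Returns (findings, not_applicable):
      findings        - ports not in use that are not in the inactive VLAN
      not_applicable  - ports excluded because 802.1X is configured
    """
    findings, not_applicable = [], []
    for p in ports:
        if p.dot1x:
            not_applicable.append(p.name)
            continue
        if p.admin_up:
            continue                      # in-use ports are not covered by this check
        if p.vlan != unused_vlan:
            findings.append(p.name)       # includes ports with no VLAN binding at all
    return findings, not_applicable


def unused_vlan_endpoints(vlan_endpoints: Dict[str, List[str]], unused_vlan: str) -> List[str]:
    """The designated inactive VLAN must carry no applications or endpoints.

    Returns whatever is (wrongly) assigned to it; an empty list means it is clean.
    """
    return list(vlan_endpoints.get(unused_vlan, []))


def run_check(ports: List[Port], vlan_endpoints: Dict[str, List[str]], unused_vlan: str) -> dict:
    """Combine both parts of the Check Content into one result record."""
    findings, na = audit_unused_ports(ports, unused_vlan)
    stray = unused_vlan_endpoints(vlan_endpoints, unused_vlan)
    return {
        "port_findings": findings,
        "not_applicable": na,
        "unused_vlan_endpoints": stray,
        # A finding exists if any disabled port is outside the inactive VLAN
        # or if the inactive VLAN itself is carrying endpoints.
        "status": "finding" if findings or stray else "pass",
    }


if __name__ == "__main__":
    result = run_check(SAMPLE_PORTS, SAMPLE_VLAN_ENDPOINTS, UNUSED_VLAN)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as-is, the sample reports `eth1/3` and `eth1/4` as findings, lists `eth1/5` as not applicable, and leaves the overall status as `finding`; re-parking those two ports in `VLAN-UNUSED` (the Fix Text) turns the status to `pass`.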
Additional Identifiers
Rule ID: SV-272042r1114329_rule
Vulnerability ID: V-272042
Group Title: SRG-NET-000512-L2S-000007
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 | Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |