Check: CACI-L2-000003
Cisco ACI Layer 2 Switch STIG:
CACI-L2-000003
(in version v1 r0.1)
Title
The Cisco ACI layer 2 switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. (Cat II impact)
Discussion
DoS is a condition that occurs when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).
Check Content
Verify a VPC Interface policy is applied to the host-facing VLAN tunnels:
1. Click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
2. Right-click "Profiles", select "Leaf Interface Profile".
3. In the Interface IDs field, review the interfaces for VLAN tunnels and verify a Dot1q Tunnel interface policy has been included.
Verify a static binding of the tunnel configuration to the VLAN ports:
1. Click Tenant >> Networking >> Dot1Q Tunnels.
2. Expand Dot1Q Tunnels and verify that one or more Dot1Q Tunnels have been applied and bound to the interface using Static Binding.
If quality of service (QoS) has not been enabled, this is a finding.
Fix Text
Configuring 802.1Q Tunnel Interfaces. Configure the interfaces that will use the tunnel.
Create an L2 Interface Policy:
1. On the menu bar, click Fabric >> Access Policies.
2. On the Navigation bar, click Policies >> Interface >> L2 Interface.
3. Right-click "L2 Interface", select "Create L2 Interface Policy", and fill in the form.
- To create an interface policy that enables an interface to be used as an edge port in a Dot1q Tunnel, in the QinQ field, click "edgePort".
- To create an interface policy that enables an interface to be used as a core port in Dot1q Tunnels, in the QinQ field, click "corePort".
Apply the L2 Interface policy to a Policy Group:
1. Click Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups.
2. Right-click "VPC Interface", choose "Create VPC Policy Group", and fill out the form.
3. In the L2 Interface Policy field, click the down arrow and choose the L2 Interface Policy previously created.
4. To use VTP for Layer 2 protocol tunneling, CDP must be enabled on the tunnel. Click the "CDP Policy" down-arrow.
5. In the policy dialog box, add a name for the policy and disable the Admin State.
6. Click "Submit".
Create a Leaf Interface Profile:
1. Click on Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
2. Right-click "Profiles", select "Create Leaf Interface Profile", and fill out the form.
3. In the Interface Selectors field, click the "+" and fill out the form.
- In the Interface IDs field, enter the Dot1q Tunnel interface or multiple interfaces to be included in the tunnel.
- In the Interface Policy Group field, click the down arrow and select the previously created interface policy group.
Create a static binding of the tunnel configuration to a port:
1. Click Tenant >> Networking >> Dot1Q Tunnels.
2. Expand Dot1Q Tunnels, click the previously created Dot1Q Tunnels policy_name, and fill out the form.
3. Expand the Static Bindings table to open the Create Static Binding dialog box.
- In the Port field, select the type of port.
- In the Node field, select a node from the drop-down.
- In the Path field, select the interface path from the drop-down.
4. Click "Submit".
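The Check Content and Fix Text above describe the APIC GUI walkthrough only. The script below is an added example, not part of the STIG or of Cisco's tooling, showing how the same evidence (which L2 Interface Policies enable a Dot1q tunnel port, and which VPC policy groups reference one) could be evaluated offline from exported APIC class-query JSON. It assumes the APIC object class l2IfPol with its qinq attribute, and the policy-group class infraAccBndlGrp with the child relation infraRsL2IfPol (attribute tnL2IfPolName); the JSON samples are constructed for the example, not captured from a fabric.

```python
"""Offline review of ACI L2 interface policies for Dot1q tunnel (QinQ) settings.

Added example for the STIG check above. Class and attribute names (l2IfPol.qinq,
infraAccBndlGrp, infraRsL2IfPol.tnL2IfPolName) are assumptions about the APIC
object model; the sample documents are constructed, not exported from an APIC.
"""
import json

# QinQ values the Fix Text treats as tunnel-enabling ("edgePort" / "corePort").
TUNNEL_QINQ_VALUES = {"edgePort", "corePort"}

# Constructed sample: shape of GET /api/node/class/l2IfPol.json (assumed).
SAMPLE_L2IFPOL = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"l2IfPol": {"attributes": {"name": "default", "qinq": "disabled"}}},
        {"l2IfPol": {"attributes": {"name": "tunnel-edge", "qinq": "edgePort"}}},
        {"l2IfPol": {"attributes": {"name": "tunnel-core", "qinq": "corePort"}}},
    ],
})

# Constructed sample: VPC policy groups with their L2 Interface Policy relation
# (assumed shape of a class query with rsp-subtree=children).
SAMPLE_VPC_GROUPS = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"infraAccBndlGrp": {
            "attributes": {"name": "vpc-hosts", "lagT": "node"},
            "children": [{"infraRsL2IfPol": {"attributes": {"tnL2IfPolName": "tunnel-edge"}}}],
        }},
        {"infraAccBndlGrp": {
            "attributes": {"name": "vpc-legacy", "lagT": "node"},
            "children": [{"infraRsL2IfPol": {"attributes": {"tnL2IfPolName": "default"}}}],
        }},
        {"infraAccBndlGrp": {
            "attributes": {"name": "vpc-unset", "lagT": "node"},
            "children": [],
        }},
    ],
})


def parse_l2_policies(text):
    """Map each L2 Interface Policy name to its qinq setting."""
    doc = json.loads(text)
    policies = {}
    for item in doc.get("imdata", []):
        attrs = item.get("l2IfPol", {}).get("attributes", {})
        if "name" in attrs:
            policies[attrs["name"]] = attrs.get("qinq", "disabled")
    return policies


def parse_policy_groups(text):
    """Map each VPC policy group name to the L2 policy it references (or None)."""
    doc = json.loads(text)
    groups = {}
    for item in doc.get("imdata", []):
        grp = item.get("infraAccBndlGrp", {})
        name = grp.get("attributes", {}).get("name")
        if name is None:
            continue
        l2pol = None
        for child in grp.get("children", []):
            rel = child.get("infraRsL2IfPol", {}).get("attributes", {})
            if rel.get("tnL2IfPolName"):
                l2pol = rel["tnL2IfPolName"]
        groups[name] = l2pol
    return groups


def groups_without_tunnel_policy(policies, groups):
    """Return policy groups whose L2 policy is missing or not a Dot1q tunnel port.

    A group with no infraRsL2IfPol relation, or one that points at a policy whose
    qinq value is not edgePort/corePort, is reported for reviewer attention.
    """
    findings = []
    for group, l2pol in groups.items():
        qinq = policies.get(l2pol, "disabled") if l2pol else "disabled"
        if qinq not in TUNNEL_QINQ_VALUES:
            findings.append(group)
    return sorted(findings)


if __name__ == "__main__":
    pols = parse_l2_policies(SAMPLE_L2IFPOL)
    grps = parse_policy_groups(SAMPLE_VPC_GROUPS)
    for g in groups_without_tunnel_policy(pols, grps):
        print(f"policy group {g}: no Dot1q tunnel L2 Interface Policy applied")
```

In practice the two JSON documents would come from the APIC REST API (a class query for l2IfPol, and one for infraAccBndlGrp with its children) and the script's output would be read alongside the GUI steps above rather than replace them; the Dot1Q Tunnel static bindings under the tenant are not covered here.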
Additional Identifiers
Rule ID: SV-272031r1064434_rule
Vulnerability ID: V-272031
Group Title: SRG-NET-000193-L2S-000020
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001095 | Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service attacks. |
Controls
Number | Title |
---|---|
SC-5(2) | Excess Capacity / Bandwidth / Redundancy |