Check: CACI-L2-000005
Cisco ACI Layer 2 Switch STIG: CACI-L2-000005 (version v1 r0.1)
Title
The Cisco ACI layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) enabled. (Cat II impact)
Discussion
Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards a frame to the access layer switch, and there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the frame is sent to all forwarding ports within that VLAN, which causes flooding. Large amounts of flooded traffic can saturate low-bandwidth links, causing network performance issues or a complete connectivity outage for the connected devices. Unknown unicast flooding has been a nagging problem in networks that have asymmetric routing and default timers. To mitigate the risk of a connectivity outage, the Unknown Unicast Flood Blocking (UUFB) feature must be implemented on all access layer switches. The UUFB feature blocks unknown unicast traffic flooding and only permits egress traffic with MAC addresses that are known to exit on the port. To block unicast traffic on a Cisco APIC, configure a security policy within a bridge domain (BD) to filter specific unicast IP addresses or address ranges, effectively blocking traffic from those sources; this is achieved by leveraging the APIC's policy-based forwarding capabilities, which allow granular control over traffic based on defined criteria such as source/destination IP addresses and protocols.
Check Content
Verify each Bridge Domain used is configured to block unknown unicast traffic:
1. In the APIC GUI Navigation pane, select "Tenant" and inspect each Tenant's Bridge Domain configuration.
2. Expand Networking and right-click each Bridge Domain.
- Verify the L2 Unknown Unicast box is set to "Flood".
If any user-facing or untrusted access switch ports do not have UUFB enabled, this is a finding.
Fix Text
Create and configure each Bridge Domain to enable unknown unicast flood blocking:
1. In the APIC GUI Navigation pane, select "Tenant" and complete the following for each tenant listed.
2. Expand Networking and right-click "Create Bridge Domain" to open the dialog box and fill out the form.
- In the L2 Unknown Unicast box, select "Flood".
3. Click "NEXT".
4. Complete the Bridge Domain configuration and click "Finish".
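As an added example (not part of the STIG text and not Cisco's own tooling), the following Python script performs the Check Content step against the APIC REST API instead of the GUI. It reads the `fvBD` class, whose `unkMacUcastAct` attribute is what the GUI labels "L2 Unknown Unicast" (permitted values are `flood` and `proxy`), and lists every bridge domain whose value differs from the expected one. The expected value defaults to `flood`, following the check text above, and is a parameter so an auditor can set it to whatever the site policy requires. The embedded JSON is a constructed sample of the class-query response; `fetch_fvbd` performs the live query and assumes whatever APIC URL and credentials you pass in.

```python
"""Audit Cisco ACI bridge domains for their L2 Unknown Unicast setting.

Added example: queries (or parses a saved copy of) GET /api/class/fvBD.json
and reports bridge domains whose unkMacUcastAct differs from the expected value.
"""
import json
import ssl
import urllib.request
from typing import Dict, List

# Constructed sample of an fvBD class-query response, trimmed to the attributes
# this audit needs. Tenant and bridge-domain names are made up.
SAMPLE_FVBD_JSON = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"fvBD": {"attributes": {"dn": "uni/tn-TenantA/BD-BD_Users",
                                 "name": "BD_Users", "unkMacUcastAct": "flood"}}},
        {"fvBD": {"attributes": {"dn": "uni/tn-TenantA/BD-BD_Servers",
                                 "name": "BD_Servers", "unkMacUcastAct": "proxy"}}},
        {"fvBD": {"attributes": {"dn": "uni/tn-TenantB/BD-BD_Guest",
                                 "name": "BD_Guest", "unkMacUcastAct": "flood"}}},
    ],
})


def parse_bd_settings(fvbd_json: str) -> List[Dict[str, str]]:
    """Return one record per bridge domain: tenant, name, unkMacUcastAct."""
    records = []
    for item in json.loads(fvbd_json).get("imdata", []):
        attrs = item.get("fvBD", {}).get("attributes", {})
        dn = attrs.get("dn", "")
        # The dn has the form uni/tn-<tenant>/BD-<name>; pull the tenant out of it.
        tenant = next((p[3:] for p in dn.split("/") if p.startswith("tn-")), "?")
        records.append({"tenant": tenant,
                        "name": attrs.get("name", "?"),
                        "unkMacUcastAct": attrs.get("unkMacUcastAct", "?")})
    return records


def find_findings(records: List[Dict[str, str]], expected: str = "flood") -> List[Dict[str, str]]:
    """Bridge domains whose L2 Unknown Unicast setting differs from `expected`."""
    return [r for r in records if r["unkMacUcastAct"] != expected]


def fetch_fvbd(apic_url: str, user: str, pwd: str, verify_tls: bool = True) -> str:
    """Log in to a live APIC and return the raw fvBD class-query JSON.

    apic_url, user and pwd are caller-supplied (e.g. https://apic.example.test).
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab fabrics with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(f"{apic_url}/api/aaaLogin.json", data=login, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.loads(resp.read())["imdata"][0]["aaaLogin"]["attributes"]["token"]
    req = urllib.request.Request(f"{apic_url}/api/class/fvBD.json",
                                 headers={"Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_fvbd(...) for a live fabric.
    recs = parse_bd_settings(SAMPLE_FVBD_JSON)
    for r in recs:
        print(f"{r['tenant']:<10} {r['name']:<12} L2 Unknown Unicast = {r['unkMacUcastAct']}")
    findings = find_findings(recs)
    print(f"{len(findings)} finding(s): {[f['name'] for f in findings]}")
```

Run it as-is to see the report for the sample, or replace `SAMPLE_FVBD_JSON` with the string returned by `fetch_fvbd` to audit a real fabric; the review of which bridge domains actually front user-facing or untrusted ports still has to be done by hand, as the check text requires.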
Additional Identifiers
Rule ID: SV-272033r1064436_rule
Vulnerability ID: V-272033
Group Title: SRG-NET-000362-L2S-000024
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
Number | Title |
---|---|
SC-5 | Denial of Service Protection |