Title

The Cisco ACI layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. (Cat II impact)

Discussion

Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions. Cisco ACI provides numerous features to cover different use cases to restrict traffic between EPGs to help organizations in the segmentation and micro-segmentation journey. This includes features such as: - Inter-VRF and Intra-VRF Contracts. - Policy-based Redirection and layer 4 to layer 7 Services Insertion. - Intra-EPG Isolation and Intra-EPG Contracts. - vzAny Contracts. - Endpoint Security Groups (ESG). Organizations must make use of one or more of these Cisco ACI contracts and segmentation capabilities to provide segmentation within the data center for east-west traffic flows, as well as for north-south traffic flows, combined in this former case with other security devices or solutions to implement a defense-in-depth strategy.

Check Content

Verify one or more Cisco ACI contracts and/or segmentation capabilities to provide segmentation within the data center for east-west traffic and north-south traffic flows, combined in this former case with other security devices or solutions to implement a defense-in-depth strategy. The following is an example of deploying an EPG through an interface policy group to multiple interfaces to provide separation and isolation of traffic. Associate the target EPG with the interface policy group. The sample command sequence specifies an interface policy group pg3 associated with VLAN domain, domain1, and with VLAN 1261. The application EPG, epg47 is deployed to all interfaces associated with this policy group. Check the target ports to verify deployment of the policies of the interface policy group associated with application EPG. The output of the sample "show command" sequence indicates that policy group pg3 is deployed on Ethernet port 1/20 on leaf switch 1017. apic1# show run leaf 1017 int eth 1/20 # Command: show running-config leaf 1017 int eth 1/20 # Time: Mon Jun 27 22:12:10 2016 leaf 1017 interface ethernet 1/20 policy-group pg3 If physical or logical separation of subnetworks to isolate organization-defined critical system components and functions has not been implemented, this is a finding.

Fix Text

Configure one or more Cisco ACI contracts and/or segmentation capabilities to provide segmentation within the data center for east-west traffic and north-south traffic flows, combined in this former case with other security devices or solutions to implement a defense-in-depth strategy. The following is an example of deploying an EPG through an interface policy group to multiple interfaces in order to provide separation and isolation of traffic. Before beginning, ensure the following: - The target application EPG is created. - The VLAN pools have been created containing the range of VLANs to use for EPG deployment on the AEP. - The physical domain has been created and linked to the VLAN Pool and AEP. - The target attached entity profile is created and associated with the ports on which the application EPG will be deployed. 1. Associate the target EPG with the interface policy group. The sample command sequence specifies an interface policy group pg3 associated with VLAN domain, domain1, and with VLAN 1261. The application EPG, epg47 is deployed to all interfaces associated with this policy group. apic1# configure terminal apic1(config)# template policy-group pg3 Deploying an EPG through an Interface Policy Group to Multiple Interfaces apic1(config-pol-grp-if)# vlan-domain member domain1 apic1(config-pol-grp-if)# switchport trunk allowed vlan 1261 tenant tn10 application pod1-AP epg epg47 2. Check the target ports to ensure deployment of the policies of the interface policy group associated with application EPG. The output of the sample "show command" sequence indicates that policy group pg3 is deployed on Ethernet port 1/20 on leaf switch 1017. apic1# show run leaf 1017 int eth 1/20 # Command: show running-config leaf 1017 int eth 1/20 # Time: Mon Jun 27 22:12:10 2016 leaf 1017 interface ethernet 1/20 policy-group pg3 exit exit ifav28-ifc1#

Additional Identifiers

Rule ID: SV-272046r1064449_rule

Vulnerability ID: V-272046

Group Title: SRG-NET-000715-L2S-000120

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.