Check: CACI-L2-000010
Cisco ACI Layer 2 Switch STIG:
CACI-L2-000010
(in version v1 r1)
Title
The Cisco ACI layer 2 switch must have Storm Control configured on all host-facing switch ports. (Cat III impact)
Discussion
A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.
Check Content
Review the switch configuration to verify that storm control is enabled on all host-facing interfaces, as shown in the example below.

1. Navigate to Fabric >> Access Policies >> Policies >> Interface >> Storm Control.
2. Review each Storm Control policy.
3. Navigate to the Application Profile containing the EPGs to be protected.
4. Select each EPG and go to the "Policies" tab to verify that a storm control policy configured to protect broadcast traffic, at a minimum, has been applied.

If storm control is not enabled on host-facing interfaces for broadcast traffic, at a minimum, this is a finding.
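Step 2 above can be automated against the APIC REST API. The following is an added example, not part of the STIG: it audits the JSON returned by `GET /api/class/stormctrlIfPol.json` (the class and attribute names `isUcMcBcStormPktCfgValid`, `bcRate`, `bcRatePps`, `rate`, `ratePps` are taken from the APIC object model and are assumptions to verify against your APIC version) and flags any policy that does not actually suppress broadcast traffic. The export below is constructed sample data.

```python
"""Audit APIC storm-control interface policies (stormctrlIfPol) for the
CACI-L2-000010 check: each policy must actually suppress broadcast traffic.
Added example, not part of the STIG. Attribute names are assumed from the
APIC object model; the sample export below is constructed."""
import json

# Constructed sample export: only the first and third policies suppress broadcast.
SAMPLE_EXPORT = json.dumps({"imdata": [
    {"stormctrlIfPol": {"attributes": {
        "name": "STORM-BCAST-PPS", "isUcMcBcStormPktCfgValid": "Valid",
        "bcRate": "100.000000", "bcRatePps": "1000", "bcBurstPps": "1000",
        "rate": "100.000000", "ratePps": "unspecified", "stormCtrlAction": "drop"}}},
    {"stormctrlIfPol": {"attributes": {
        "name": "default", "isUcMcBcStormPktCfgValid": "Invalid",
        "bcRate": "100.000000", "bcRatePps": "unspecified", "bcBurstPps": "unspecified",
        "rate": "100.000000", "ratePps": "unspecified", "stormCtrlAction": "drop"}}},
    {"stormctrlIfPol": {"attributes": {
        "name": "STORM-ALL-PCT", "isUcMcBcStormPktCfgValid": "Invalid",
        "bcRate": "100.000000", "bcRatePps": "unspecified", "bcBurstPps": "unspecified",
        "rate": "5.000000", "ratePps": "unspecified", "stormCtrlAction": "shutdown"}}},
]})


def _limited(pct: str, pps: str) -> bool:
    """A threshold is configured when an explicit pps value is set or the
    percentage is below 100 (100% means no suppression, assumed default)."""
    return pps != "unspecified" or float(pct) < 100.0


def suppresses_broadcast(attrs: dict) -> bool:
    """Broadcast is protected if per-type broadcast limits are in effect, or if
    the policy is in all-traffic mode (which covers broadcast) with a real limit."""
    if attrs.get("isUcMcBcStormPktCfgValid") == "Valid":
        return _limited(attrs["bcRate"], attrs["bcRatePps"])
    return _limited(attrs["rate"], attrs["ratePps"])


def audit(export_json: str) -> dict:
    """Map policy name -> True (compliant) or False (finding: no broadcast suppression)."""
    data = json.loads(export_json)
    return {obj["stormctrlIfPol"]["attributes"]["name"]:
            suppresses_broadcast(obj["stormctrlIfPol"]["attributes"])
            for obj in data["imdata"]}


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_EXPORT).items():
        print(f"{name:16} {'OK' if ok else 'FINDING: broadcast not suppressed'}")
```

A policy that passes here still has to be applied to every host-facing interface (steps 3 and 4) before the check is satisfied.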
Fix Text
Configure one or more storm control policies for all host-facing interfaces and external interfaces and apply the policy to an ESG.

1. Navigate to Fabric >> Access Policies >> Policies >> Interface >> Storm Control.
2. Click "Add" to create a new policy and define the following parameters:
   - Give the policy a descriptive name.
   - Choose "Broadcast" as the type of traffic to control and other types as needed (e.g., Multicast, Unknown Unicast).
   - Set the threshold for the traffic type. (Refer to the note below.)
   - Specify "log" as the action to take when the threshold is exceeded (e.g., drop, log).
   - Enable monitoring to track storm control events.

Apply the Storm Control Policy to an EPG:

1. Navigate to the Application Profile containing the EPGs to be protected.
2. Select the EPG and navigate to the "Policies" tab.
3. Under "Interface", select the newly created "Storm Control" policy.
4. Click "Apply".

Note: The acceptable range is 10000000-1000000000 for a gigabit Ethernet interface, and 100000000-10000000000 for a ten gigabit interface. Storm control is not supported on most FastEthernet interfaces.
Additional Identifiers
Rule ID: SV-272038r1114350_rule
Vulnerability ID: V-272038
Group Title: SRG-NET-000512-L2S-000001
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings