Check: CACI-RT-000021
Cisco ACI Router STIG:
CACI-RT-000021
(in version v1 r0.1)
Title
The Cisco ACI must be configured to only permit management traffic that ingresses and egresses the OOBM interface. (Cat II impact)
Discussion
To configure OOB management on an ACI fabric, use the Application Policy Infrastructure Controller (APIC), which is the central management point for the network. When setting up OOB access, a specific "contract" that controls which traffic is allowed on the OOB management network is typically defined. Because all management traffic is forwarded directly into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.
Check Content
Use the "show" command to verify the contract is attached to the management interface and that only permitted management traffic is allowed. If the router does not restrict traffic that ingresses and egresses the management interface, this is a finding.

Step 1: Verify the OOB contract is configured to explicitly permit only management traffic.

apic1(config)# contract MGMT_OOB
apic1(config)# filter ingress
apic1(config)# protocol icmp
apic1(config)# protocol tcp port 22, 80, 443
apic1(config)# protocol udp port 68, 67
apic1(config)# filter egress
apic1(config)# protocol icmp
apic1(config)# protocol tcp port 22, 80, 443
apic1(config)# protocol udp port 68, 67

Step 2: Verify the contract is attached to the OOB interface.

apic1(config)# interface <leaf_switch_name>/<oob_interface_number>
apic1(config-if)# contract mgmt_oob
Fix Text
Create a dedicated "OOB" contract that explicitly permits necessary management protocols on the OOB subnet, then apply this contract to the relevant node management interface.

Step 1: Navigate to the relevant tenant and create a new external network instance profile for the OOB subnet.

apic1(config)# tenant <tenant_name>

Step 2: Create the OOB contract.

apic1(config)# contract MGMT_OOB
apic1(config)# filter ingress
apic1(config)# protocol icmp
apic1(config)# protocol tcp port 22, 80, 443
apic1(config)# protocol udp port 68, 67
apic1(config)# filter egress
apic1(config)# protocol icmp
apic1(config)# protocol tcp port 22, 80, 443
apic1(config)# protocol udp port 68, 67

Step 3: Apply the contract to the OOB interface.

apic1(config)# interface <leaf_switch_name>/<oob_interface_number>
apic1(config-if)# contract mgmt_oob
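The Check Content and Fix Text above describe the same evaluation: the contract bound to the OOB interface must permit only the listed management protocols (ICMP, TCP 22/80/443, UDP 67/68) in both directions. The following Python script is an added example, not part of the STIG or of Cisco's tooling, that automates that evaluation against captured configuration lines. It assumes the command syntax shown on this page and parses only that shape; the sample interface name leaf101/mgmt0 is constructed. Because the page's own sample defines MGMT_OOB but binds mgmt_oob, the script compares contract names case-insensitively (an assumption; on a real fabric confirm the bound name matches the defined one exactly).

```python
import re

# Management traffic the check permits, taken from the Check Content above.
ALLOWED = {
    "icmp": set(),          # ICMP carries no port
    "tcp": {22, 80, 443},   # SSH, HTTP, HTTPS
    "udp": {67, 68},        # DHCP
}

# Constructed sample: the page's contract plus a constructed interface name.
SAMPLE_CONFIG = """\
apic1(config)# contract MGMT_OOB
apic1(config)# filter ingress
apic1(config)# protocol icmp
apic1(config)# protocol tcp port 22, 80, 443
apic1(config)# protocol udp port 68, 67
apic1(config)# filter egress
apic1(config)# protocol icmp
apic1(config)# protocol tcp port 22, 80, 443
apic1(config)# protocol udp port 68, 67
apic1(config)# interface leaf101/mgmt0
apic1(config-if)# contract mgmt_oob
"""

# Matches "<host>(<mode>)# <command>" and captures the mode and the command.
PROMPT = re.compile(r"^\S+\((config[^)]*)\)#\s*(.*)$")


def parse_config(text):
    """Return (contracts, bindings).

    contracts: lower-cased contract name -> {direction: {protocol: set(ports)}}
    bindings:  interface name -> contract name as typed in the binding
    """
    contracts, bindings = {}, {}
    contract = direction = interface = None
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        mode, cmd = m.groups()
        parts = cmd.split()
        if not parts:
            continue
        if mode == "config" and parts[0] == "interface":
            interface, contract = parts[1], None
        elif mode == "config-if" and parts[0] == "contract" and interface:
            bindings[interface] = parts[1]
        elif parts[0] == "contract":
            contract = parts[1].lower()          # assumption: names compared case-insensitively
            contracts.setdefault(contract, {})
            direction = None
        elif parts[0] == "filter" and contract:
            direction = parts[1].lower()
            contracts[contract].setdefault(direction, {})
        elif parts[0] == "protocol" and contract and direction:
            proto = parts[1].lower()
            ports = set()
            if "port" in parts:
                spec = " ".join(parts[parts.index("port") + 1:]).replace(",", " ")
                ports = {int(p) for p in spec.split()}
            contracts[contract][direction].setdefault(proto, set()).update(ports)
    return contracts, bindings


def check_oob(text, oob_interface):
    """Evaluate CACI-RT-000021 for one interface; an empty list means no finding."""
    contracts, bindings = parse_config(text)
    name = bindings.get(oob_interface)
    if name is None:
        return [f"no contract attached to {oob_interface}"]
    rules = contracts.get(name.lower())
    if rules is None:
        return [f"contract {name} bound to {oob_interface} is not defined"]
    findings = []
    for direction in ("ingress", "egress"):
        filt = rules.get(direction)
        if filt is None:
            findings.append(f"{name}: no {direction} filter")
            continue
        for proto, ports in filt.items():
            if proto not in ALLOWED:
                findings.append(f"{name}/{direction}: protocol {proto} is not a management protocol")
            elif ports - ALLOWED[proto]:
                extra = sorted(ports - ALLOWED[proto])
                findings.append(f"{name}/{direction}: {proto} ports {extra} not permitted")
    return findings


if __name__ == "__main__":
    for finding in check_oob(SAMPLE_CONFIG, "leaf101/mgmt0") or ["compliant"]:
        print(finding)
```

Feed the script the relevant lines of a running configuration and the OOB interface name; any returned finding corresponds to the "this is a finding" condition in the check. Extra ports or protocols in either direction, a missing filter direction, an undefined contract, or no contract on the interface all surface as separate findings.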
Additional Identifiers
Rule ID: SV-272081r1064484_rule
Vulnerability ID: V-272081
Group Title: SRG-NET-000205-RTR-000012
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001097 | Monitor and control communications at the external managed interfaces to the system and at key managed interfaces within the system. |
Controls
Number | Title |
---|---|
SC-7 | Boundary Protection |