Check: CACI-RT-000042
Cisco ACI Router STIG: CACI-RT-000042 (in version v1 r0.1)
Title
The Cisco ACI must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. (Cat II impact)
Discussion
Separating critical system components and functions from noncritical ones through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions. In Cisco ACI, subnetwork addresses are configured logically using the policy model: separate subnets are defined within different endpoint groups (EPGs) in a tenant, which creates logically separate network segments without physically partitioning the underlying hardware. This separation is enforced through policy-based routing and access control based on the EPGs assigned to different applications or workloads.
Check Content
Review the configuration to verify that logical separation using EPGs, bridge domains, and/or tenants is configured. The following is an example of an EPG:

```
apic1(config)# leaf 1017
apic1(config-leaf)# interface ethernet 1/13
apic1(config-leaf-if)# vlan-domain member dom1
apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1
```

If subnetworks are not configured to isolate organization-defined critical system components and functions, this is a finding.
Fix Text
Configure logical separation using EPGs, bridge domains, and/or tenants. The following is an example of an EPG.

Step 1: Configure a VLAN domain. Example:

```
apic1(config)# vlan-domain dom1
apic1(config-vlan)# vlan 10-100
```

Step 2: Create a tenant. Example:

```
apic1# configure
apic1(config)# tenant t1
```

Step 3: Create a private network/VRF. Example:

```
apic1(config-tenant)# vrf context ctx1
apic1(config-tenant-vrf)# exit
```

Step 4: Create a bridge domain. Example:

```
apic1(config-tenant)# bridge-domain bd1
apic1(config-tenant-bd)# vrf member ctx1
apic1(config-tenant-bd)# exit
```

Step 5: Create an application profile and an application EPG. Example:

```
apic1(config-tenant)# application AP1
apic1(config-tenant-app)# epg EPG1
apic1(config-tenant-app-epg)# bridge-domain member bd1
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# exit
apic1(config-tenant)# exit
```

Step 6: Associate the EPG with a specific port. Example:

```
apic1(config)# leaf 1017
apic1(config-leaf)# interface ethernet 1/13
apic1(config-leaf-if)# vlan-domain member dom1
apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1
```
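The check above asks the reviewer to confirm that critical and noncritical workloads do not share a segment. The following is an added example (not part of the STIG or of Cisco's tooling) that parses a constructed tenant configuration in the CLI shape shown in the steps, maps each EPG to its bridge domain and VRF, and reports any bridge domain or VRF that hosts both a critical and a noncritical EPG; the set of critical EPGs is an assumed organization-defined input.

```python
from collections import defaultdict

# Constructed sample in the CLI shape the fix text uses (not a real APIC export); EPG1 and EPG3 share bd1.
SAMPLE_CONFIG = """
tenant t1
  bridge-domain bd1
    vrf member ctx1
  bridge-domain bd2
    vrf member ctx1
  application AP1
    epg EPG1
      bridge-domain member bd1
    epg EPG2
      bridge-domain member bd2
    epg EPG3
      bridge-domain member bd1
"""
CRITICAL_EPGS = {"EPG1"}  # organization-defined critical components (assumed for the example)

def parse_config(text):
    """Return (epg -> bridge domain, bridge domain -> VRF); names assumed unique within the tenant."""
    epg_bd, bd_vrf = {}, {}
    bd = epg = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["bridge-domain", "member"] and epg:
            epg_bd[epg] = tok[2]        # EPG attached to a BD
        elif tok[0] == "bridge-domain":
            bd, epg = tok[1], None      # entering a BD definition
        elif tok[:2] == ["vrf", "member"] and bd:
            bd_vrf[bd] = tok[2]         # BD attached to a VRF
        elif tok[0] == "epg":
            epg = tok[1]
    return epg_bd, bd_vrf

def shared_segments(epg_bd, bd_vrf, critical):
    """BDs (shared L2 segment) and VRFs (shared routing table) that mix critical and noncritical EPGs."""
    members = defaultdict(set)
    for epg, bd in epg_bd.items():
        members["bd:" + bd].add(epg)
        members["vrf:" + bd_vrf.get(bd, "?")].add(epg)
    return {seg: sorted(epgs) for seg, epgs in members.items()
            if epgs & critical and epgs - critical}

def findings(text=SAMPLE_CONFIG, critical=CRITICAL_EPGS):
    # One finding per mixed segment; an empty list means the isolation holds.
    epg_bd, bd_vrf = parse_config(text)
    return [f"{seg} mixes critical and noncritical EPGs: {', '.join(e)}"
            for seg, e in sorted(shared_segments(epg_bd, bd_vrf, critical).items())]
```

A shared VRF is reported separately from a shared bridge domain because EPGs in different bridge domains can still route to each other inside one VRF unless contracts deny it.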
Additional Identifiers
Rule ID: SV-272102r1064505_rule
Vulnerability ID: V-272102
Group Title: SRG-NET-000715-RTR-000120
CCIs
Number | Definition
---|---
CCI-004891 | Implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
Controls
Number | Title
---|---
No controls are assigned to this check |