Check: CACI-RT-000043
Cisco ACI Router STIG: CACI-RT-000043 (in version v1 r0.1)
Title
The Cisco ACI must establish organization-defined alternate communication paths for system operations organizational command and control. (Cat II impact)
Discussion
An incident, whether adversarial- or nonadversarial-based, can disrupt established communication paths used for system operations and organizational command and control. Alternate communication paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communication path incident can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communication paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization's ability to continue to operate and take appropriate actions during an incident.
Check Content
Review the SSP and the ACI configuration to verify that logical separation using EPGs, bridge domains, and/or tenants is configured. The following is an example of an EPG associated with a port:

```
apic1(config)# leaf 1017
apic1(config-leaf)# interface ethernet 1/13
apic1(config-leaf-if)# vlan-domain member dom1
apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1
```

If organization-defined alternate communication paths for system operations organizational command and control have not been established, this is a finding.
Fix Text
Configure logical separation using EPGs, bridge domains, and/or tenants in accordance with the SSP. The following is an example of an EPG:

Step 1: Configure a VLAN domain. Example:

```
apic1(config)# vlan-domain dom1
apic1(config-vlan)# vlan 10-100
```

Step 2: Create a tenant. Example:

```
apic1# configure
apic1(config)# tenant t1
```

Step 3: Create a private network/VRF. Example:

```
apic1(config-tenant)# vrf context ctx1
apic1(config-tenant-vrf)# exit
```

Step 4: Create a bridge domain. Example:

```
apic1(config-tenant)# bridge-domain bd1
apic1(config-tenant-bd)# vrf member ctx1
apic1(config-tenant-bd)# exit
```

Step 5: Create an application profile and an application EPG. Example:

```
apic1(config-tenant)# application AP1
apic1(config-tenant-app)# epg EPG1
apic1(config-tenant-app-epg)# bridge-domain member bd1
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# exit
apic1(config-tenant)# exit
```

Step 6: Associate the EPG with a specific port. Example:

```
apic1(config)# leaf 1017
apic1(config-leaf)# interface ethernet 1/13
apic1(config-leaf-if)# vlan-domain member dom1
apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1
```
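The six steps above build one chain: VLAN domain, tenant, VRF, bridge domain, EPG, and finally the port binding that carries the EPG on a VLAN. A reviewer checking the configuration side of this rule wants to know that the chain is complete, i.e. every EPG sits in a bridge domain, every bridge domain sits in a VRF, every port binding points at a defined EPG, and the bound VLAN lies inside a VLAN domain the port is a member of. The script below is an added example, not part of the STIG or of any Cisco tool: it parses CLI in the shape shown in the Fix Text (prompts included, so a copied terminal session can be pasted in) and reports any break in that chain. The parser's command handling and the embedded sample configuration are modelled on the Fix Text steps only; real APIC output may use forms this parser does not cover, and the comparison against the SSP remains a manual step.

```python
import re

# Strips the "apic1(config-...)#" prompt so pasted CLI can be parsed as plain commands.
PROMPT = re.compile(r"^\s*apic\d*(?:\([^)]*\))?#\s*")

# Constructed sample input modelled on the Fix Text steps of this check (not a device export).
SAMPLE_CONFIG = """\
apic1(config)# vlan-domain dom1
apic1(config-vlan)# vlan 10-100
apic1(config-vlan)# exit
apic1(config)# tenant t1
apic1(config-tenant)# vrf context ctx1
apic1(config-tenant-vrf)# exit
apic1(config-tenant)# bridge-domain bd1
apic1(config-tenant-bd)# vrf member ctx1
apic1(config-tenant-bd)# exit
apic1(config-tenant)# application AP1
apic1(config-tenant-app)# epg EPG1
apic1(config-tenant-app-epg)# bridge-domain member bd1
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# exit
apic1(config-tenant)# exit
apic1(config)# leaf 1017
apic1(config-leaf)# interface ethernet 1/13
apic1(config-leaf-if)# vlan-domain member dom1
apic1(config-leaf-if)# switchport trunk allowed vlan 20 tenant t1 application AP1 epg EPG1
"""

def _top(stack, mode):  # name of the innermost enclosing config mode of this kind, or None
    return next((name for m, name in reversed(stack) if m == mode), None)

def parse_config(text):
    """Build a tenant / VRF / bridge-domain / EPG / port model from ACI CLI commands."""
    model = {"vlan_domains": {}, "tenants": {}, "if_domains": {}, "bindings": []}
    stack = []  # (mode, name) pairs entered by mode-changing commands, left by "exit"
    for raw in text.splitlines():
        t = PROMPT.sub("", raw).split()
        if not t:
            continue
        tenant = model["tenants"].get(_top(stack, "tenant"))
        port = (_top(stack, "leaf"), _top(stack, "if"))
        if t[0] == "exit":
            del stack[-1:]
        elif t[0] == "vlan-domain" and t[1] != "member":
            model["vlan_domains"].setdefault(t[1], set())
            stack.append(("vlan-domain", t[1]))
        elif t[0] == "vlan" and _top(stack, "vlan-domain"):
            lo, _, hi = t[1].partition("-")  # "vlan 10-100" fills the domain's VLAN pool
            model["vlan_domains"][_top(stack, "vlan-domain")].update(range(int(lo), int(hi or lo) + 1))
        elif t[0] == "tenant":
            model["tenants"].setdefault(t[1], {"vrfs": set(), "bds": {}, "epgs": {}})
            stack.append(("tenant", t[1]))
        elif t[:2] == ["vrf", "context"]:
            tenant["vrfs"].add(t[2])
            stack.append(("vrf", t[2]))
        elif t[0] == "bridge-domain" and t[1] != "member":
            tenant["bds"].setdefault(t[1], None)  # BD -> VRF name, set later by "vrf member"
            stack.append(("bd", t[1]))
        elif t[:2] == ["vrf", "member"]:
            tenant["bds"][_top(stack, "bd")] = t[2]
        elif t[0] == "application":
            stack.append(("app", t[1]))
        elif t[0] == "epg":
            tenant["epgs"].setdefault((_top(stack, "app"), t[1]), None)  # EPG -> BD name
            stack.append(("epg", t[1]))
        elif t[:2] == ["bridge-domain", "member"]:
            tenant["epgs"][(_top(stack, "app"), _top(stack, "epg"))] = t[2]
        elif t[0] == "leaf":
            stack.append(("leaf", t[1]))
        elif t[:2] == ["interface", "ethernet"]:
            stack.append(("if", t[2]))
        elif t[:2] == ["vlan-domain", "member"]:
            model["if_domains"].setdefault(port, set()).add(t[2])
        elif t[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            kv = dict(zip(t[5::2], t[6::2]))  # "tenant t1 application AP1 epg EPG1"
            model["bindings"].append((port, int(t[4]), kv["tenant"], kv["application"], kv["epg"]))
    return model

def check_separation(text):
    """Return findings for every break in the VRF -> BD -> EPG -> port chain (empty list = none)."""
    m, findings = parse_config(text), []
    for tname, ten in m["tenants"].items():
        for bd, vrf in ten["bds"].items():
            if vrf not in ten["vrfs"]:
                findings.append(f"tenant {tname}: bridge domain {bd} has no valid VRF ({vrf})")
        for (app, epg), bd in ten["epgs"].items():
            if bd not in ten["bds"]:
                findings.append(f"tenant {tname}: EPG {app}/{epg} has no valid bridge domain ({bd})")
    for (leaf, iface), vlan, tname, app, epg in m["bindings"]:
        ten = m["tenants"].get(tname)
        if ten is None or (app, epg) not in ten["epgs"]:
            findings.append(f"leaf {leaf} eth {iface}: vlan {vlan} maps to undefined EPG {tname}/{app}/{epg}")
        pools = [m["vlan_domains"].get(d, set()) for d in m["if_domains"].get((leaf, iface), ())]
        if not any(vlan in pool for pool in pools):
            findings.append(f"leaf {leaf} eth {iface}: vlan {vlan} is outside every VLAN domain on the port")
    return findings
```

Calling `check_separation(SAMPLE_CONFIG)` on the Fix Text configuration returns an empty list. Feeding it a tenant whose bridge domain never receives `vrf member`, whose EPG never receives `bridge-domain member`, or whose port binding uses a VLAN with no `vlan-domain member` on the interface produces one finding per broken link, which is the configuration-side evidence the Check Content asks the reviewer to weigh against the SSP.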
Additional Identifiers
Rule ID: SV-272103r1067379_rule
Vulnerability ID: V-272103
Group Title: SRG-NET-000760-RTR-000160
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-004931 | Establish organization-defined alternate communications paths for system operations organizational command and control. |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |