| Finding ID |
Severity |
Title |
Description |
|
V-272029
|
High |
The Cisco ACI layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection. |
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.
In ACI, VLANs are used for traffic segmentation and identification, but their primary function is for identifying traffic,... |
|
V-272047
|
Medium |
The Cisco ACI layer 2 switch must establish organization-defined alternate communication paths for system operations organizational command and control. |
An incident, whether adversarial- or nonadversarial-based, can disrupt established communication paths used for system operations and organizational command and control. Alternate communication paths reduce the risk of all communication paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about... |
|
V-272046
|
Medium |
The Cisco ACI layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. |
Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through... |
|
V-272045
|
Medium |
The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks. |
DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth.
FHS features enable a better IPv4 and IPv6 link security and management over the layer... |
|
V-272044
|
Medium |
The Cisco ACI layer 2 switch, for all 802.1q trunk links, must have the native VLAN assigned to an ID other than the default VLAN. |
VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch that the victim is connected to. If the attacker knows the victim's MAC address, it can forge a... |
|
V-272043
|
Medium |
The Cisco ACI layer 2 switch must have all user-facing or untrusted ports configured as access switch ports. |
Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. Knowing the victim's MAC address, and with the victim attached to a different switch belonging to the same trunk group, thereby requiring the trunk link and... |
|
V-272042
|
Medium |
The Cisco ACI layer 2 switch must have all disabled switch ports assigned to an unused VLAN. |
It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member. |
|
V-272037
|
Medium |
The Cisco ACI layer 2 switch must enable port security. |
The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. The port security feature support is available for physical ports, port channels, and virtual port channels. |
|
V-272033
|
Medium |
The Cisco ACI layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) set to "Hardware Proxy". |
Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards it to the access layer... |
|
V-272032
|
Medium |
The Cisco ACI layer 2 switch must authenticate all network-connected endpoint devices before establishing any connection. |
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
For distributed architectures (e.g., service-oriented architectures [SOA]), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide... |
|
V-272030
|
Medium |
The Cisco ACI layer 2 switches should authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available. |
VTP provides central management of VLAN domains, thus reducing administration in a switched network. When configuring a new VLAN on a VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP pruning preserves bandwidth by preventing VLAN... |
|
V-272039
|
Low |
The Cisco ACI layer 2 switch must have Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping configured on all VLANs. |
IGMP and MLD snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within a VLAN, the snooping application can set up Layer 2 multicast forwarding tables to deliver specific multicast traffic only to interfaces connected to hosts... |
|
V-272038
|
Low |
The Cisco ACI layer 2 switch must have Storm Control configured on all host-facing switch ports. |
A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the... |