The Cisco ACI layer 2 switch must enable port security.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272037 | CACI-L2-000009 | SV-272037r1113943_rule | Medium |
| Description |
| The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. The port security feature support is available for physical ports, port channels, and virtual port channels. |
| STIG | Date |
| Cisco ACI Layer 2 Switch Security Technical Implementation Guide | 2025-06-13 |
Details
| Check Text (C-76087r1064133_chk) |
| Review the port security policies for compliance: 1. In the GUI menu bar, click Fabric >> Access Policies. 2. In the Navigation pane, expand Policies >> Interface >> Port Security. 3. Select each port security policy used and verify the following: - Port Security Timeout is set to "600 seconds". - Violation Action is set to "Protect mode". - Maximum Endpoints is set to "1". Verify port security is active on all appropriate host-facing interfaces: 1. In the Navigation pane, click Fabric >> Inventory >> Topology. 2. Verify that each leaf has been configured to use a correctly configured port security policy. If port security is not configured and enabled, this is a finding. |
| Fix Text (F-75994r1064134_fix) |
| Create a port security policy. The port security policy can be created new or chosen from the list of available port security policies. 1. In the GUI menu bar, click Fabric >> Access Policies. 2. In the Navigation pane, expand Policies >> Interface >> Port Security. 3. Right-click "Port Security" and click "Create Port Security Policy". 4. In the Create Port Security Policy dialog box: - In the Port Security Timeout field, enter "600" before reenabling MAC learning on an interface. - In the Maximum Endpoints field, enter "1" for the maximum number of endpoints that can be learned on an interface. - In the Violation Action field, select "Protect". 5. Click "Submit". Configure each host-facing interface for the leaf switches: 1. In the Navigation pane, click Fabric >> Inventory >> Topology, and navigate to the desired leaf switch. 2. Choose the appropriate port to configure the interface. 3. From the port security policy drop-down list, choose the desired port security policy to associate. |