| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-272029 | | The Cisco ACI layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection. | Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inje... |
| V-272030 | | The Cisco ACI layer 2 switches should authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available. | VTP provides central management of VLAN domains, thus reducing administration in a switched network. When configuring a new VLAN on a VTP server, the ... |
| V-272032 | | The Cisco ACI layer 2 switch must authenticate all network-connected endpoint devices before establishing any connection. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architect... |
| V-272033 | | The Cisco ACI layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) set to "Hardware Proxy". | Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the VLAN number and the destination ... |
| V-272037 | | The Cisco ACI layer 2 switch must enable port security. | The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per po... |
| V-272042 | | The Cisco ACI layer 2 switch must have all disabled switch ports assigned to an unused VLAN. | It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains ... |
| V-272043 | | The Cisco ACI layer 2 switch must have all user-facing or untrusted ports configured as access switch ports. | Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. Knowing the victi... |
| V-272044 | | The Cisco ACI layer 2 switch, for all 802.1q trunk links, must have the native VLAN assigned to an ID other than the default VLAN. | VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connectin... |
| V-272045 | | The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks. | DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organization... |
| V-272046 | | The Cisco ACI layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessa... |
| V-272047 | | The Cisco ACI layer 2 switch must establish organization-defined alternate communication paths for system operations organizational command and control. | An incident, whether adversarial- or nonadversarial-based, can disrupt established communication paths used for system operations and organizational c... |
| V-272038 | | The Cisco ACI layer 2 switch must have Storm Control configured on all host-facing switch ports. | A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network ... |
| V-272039 | | The Cisco ACI layer 2 switch must have Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping configured on all VLANs. | IGMP and MLD snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within ... |