STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


V-272061

CAT II (Medium)

The Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.

Rule ID

SV-272061r1168386_rule

STIG

Cisco ACI Router Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001368, CCI-001414, CCI-004891

Discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems. In Cisco ACI, the administrator uses "contracts" to define security policies that control traffic between different endpoint groups (EPGs), essentially acting as a more granular and flexible ACL mechanism by specifying source and destination addresses, ports, and protocols based on the desired network segmentation needs. Add multiple filter rules to create a comprehensive set of allowed traffic patterns.

Satisfies: SRG-NET-000019-RTR-000005, SRG-NET-000715-RTR-000120

Check Content

Review the switch configuration to verify that contracts are configured.

1. To check contract configuration, navigate to Tenants >> {{Your_Tenant}} >> Contracts >> Standard (whitelist)/Taboos (blacklist) >> {{Your_Contract}} >> {{your_subject}}.
2. To check the configuration for the Provider and Consumer of the contract, navigate to Tenants >> {{Your_Tenant}} >> Application Profiles >> {{Your_Application_Profile}} >> Application EPGs >> {{Your_EPG}} >> Contracts.
 
If the switch is not configured to use contract filters to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.

Fix Text

Configure "contracts" to define security policies that control traffic between different EPGs. Contract subjects combine filters that designate what traffic is allowed to pass through the contract, but the contract only takes effect once it is applied: the Provider side is attached to the EPG offering the service and the Consumer side is attached to the EPG that uses it. Traffic must be initiated from the Consumer EPG to the Provider EPG, and the contract's filters and security policies are enforced on that flow.

1. Configure the details of each contract. Navigate to Tenants >> {{Your_Tenant}} >> Contracts >> Standard (whitelist)/Taboos (blacklist) >> {{Your_Contract}} >> {{your_subject}}.
2. Configure the details of each Provider and Consumer of the contract. Navigate to Tenants >> {{Your_Tenant}} >> Application Profiles >> {{Your_Application_Profile}} >> Application EPGs >> {{Your_EPG}} >> Contracts.
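The Check Content and Fix Text above describe the same relationships (EPG -> provided/consumed contract -> subject -> filter) that a tenant export from the APIC exposes as managed objects. The following script is an added example, not part of this STIG or of Cisco's tooling: it walks a constructed APIC-style JSON tenant tree and reports each EPG that provides or consumes no contract, or whose contract has no subject with a filter that carries entries, which is the condition the check calls a finding. Class and attribute names (fvAEPg, fvRsProv, fvRsCons, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry) follow the APIC object model; the sample data itself is invented.

```python
"""Audit an APIC tenant export for V-272061: every EPG must provide or consume a
contract, and each referenced contract needs a subject whose filter has entries.
SAMPLE_TENANT is constructed APIC-style JSON (fvTenant tree), not a real export."""
import json

SAMPLE_TENANT = json.loads("""{"fvTenant": {"attributes": {"name": "Prod"}, "children": [
 {"vzFilter": {"attributes": {"name": "https"}, "children": [{"vzEntry": {"attributes":
   {"name": "tcp443", "etherT": "ip", "prot": "tcp", "dFromPort": "443", "dToPort": "443"}}}]}},
 {"vzBrCP": {"attributes": {"name": "web-to-app"}, "children": [{"vzSubj": {"attributes":
   {"name": "s1"}, "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "https"}}}]}}]}},
 {"vzBrCP": {"attributes": {"name": "empty"}, "children": []}},
 {"fvAp": {"attributes": {"name": "app1"}, "children": [
  {"fvAEPg": {"attributes": {"name": "web"}, "children": [{"fvRsCons": {"attributes": {"tnVzBrCPName": "web-to-app"}}}]}},
  {"fvAEPg": {"attributes": {"name": "app"}, "children": [{"fvRsProv": {"attributes": {"tnVzBrCPName": "web-to-app"}}}]}},
  {"fvAEPg": {"attributes": {"name": "db"}, "children": [{"fvRsProv": {"attributes": {"tnVzBrCPName": "empty"}}}]}},
  {"fvAEPg": {"attributes": {"name": "orphan"}, "children": []}}]}}]}}""")

def walk(mo):
    """Yield (class, attributes, body) for every managed object in an APIC JSON tree."""
    for cls, body in mo.items():
        yield cls, body.get("attributes", {}), body
        yield from subtree(body)

def subtree(body):
    """Walk only the descendants of one managed object."""
    for child in body.get("children", []):
        yield from walk(child)

def audit_tenant(tenant):
    """Return a list of finding strings; an empty list means the tenant passes."""
    # Filters that actually match something: at least one vzEntry under the vzFilter.
    filters = {a["name"] for c, a, b in walk(tenant)
               if c == "vzFilter" and any(cc == "vzEntry" for cc, _, _ in subtree(b))}
    # Contracts whose subject attaches at least one such filter.
    usable = {a["name"] for c, a, b in walk(tenant) if c == "vzBrCP" and any(
        cc == "vzRsSubjFiltAtt" and ca["tnVzFilterName"] in filters for cc, ca, _ in subtree(b))}
    findings = []
    for c, a, b in walk(tenant):
        if c != "fvAEPg":
            continue
        refs = [ca["tnVzBrCPName"] for cc, ca, _ in subtree(b) if cc in ("fvRsProv", "fvRsCons")]
        if not refs:
            findings.append(f"EPG {a['name']}: provides or consumes no contract")
        findings += [f"EPG {a['name']}: contract {r} has no subject with a usable filter"
                     for r in refs if r not in usable]
    return findings

if __name__ == "__main__":
    for line in audit_tenant(SAMPLE_TENANT) or ["No findings"]:
        print(line)
```

On the sample, the "web" and "app" EPGs pass, while "db" (contract with no subject) and "orphan" (no contract at all) are reported.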