Rule ID
SV-272081r1168142_rule
Version
V1R2
CCIs
To configure OOB management on an ACI fabric, use the Application Policy Infrastructure Controller (APIC), the central management point for the network. When setting up OOB access, a specific "contract" that controls which traffic is allowed on the OOB management network is typically defined. All management traffic is immediately forwarded into the management network; it is not exposed to possible tampering. The separation ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.
To setup the OOB to limit what devices/ networks can access it, use the contracts in the following settings:
Tenant >> Tenant mgmt >> Node Management Addresses >> Static Node Management Addresses
Tenant >> Tenant mgmt >> Node Management EPGs >> Out-of-Band EPG default
Tenant >> Tenant mgmt >> External Management Network Instance Profiles >> {{YourInstanceProfile}}
If the Cisco ACI is not configured to only permit management traffic that ingresses and egresses the OOBM interface, this is a finding.Navigate to the relevant tenant to setup the OOB to limit what devices/ networks can access it. Utilize contracts in the following settings:
Tenant >> Tenant mgmt >> Node Management Addresses >> Static Node Management Addresses
Tenant >> Tenant mgmt >> Node Management EPGs >> Out-of-Band EPG default
Tenant >> Tenant mgmt >> External Management Network Instance Profiles >> {{YourInstanceProfile}}