
V-272037

CAT II (Medium)

The Cisco ACI layer 2 switch must enable port security.

Rule ID

SV-272037r1168273_rule

STIG

Cisco ACI Layer 2 Switch Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-002385

Discussion

The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. The port security feature support is available for physical ports, port channels, and virtual port channels.

Check Content

Review the port security policies for compliance. Navigate to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.

Select each port security policy used and verify the following:
- Port Security Timeout is set to "600 seconds".
- Violation Action is set to "Protect mode".
- Maximum Endpoints is set to "1".

Verify port security is active on all appropriate host-facing interfaces. Verify each leaf has been configured to use a correctly configured port security policy.

If port security is not configured and enabled, this is a finding.

Fix Text

Create a port security policy. A new port security policy can be created, or an existing one chosen from the list of available port security policies.

Path to the Port Security setting: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.

If the policy group is not applied to the appropriate interface, navigate to the following to add it:
Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}

In the Create Port Security Policy dialog box:
1. In the Port Security Timeout field, enter "600" as the number of seconds to wait before re-enabling MAC learning on an interface.
2. In the Maximum Endpoints field, enter "1" as the maximum number of endpoints that can be learned on an interface.
3. In the Violation Action field, select "Protect".
4. Click "Submit".
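The check content above is written for the APIC GUI; the following is an added example (not part of the STIG or STIGhub) that applies the same three required values to port security policy objects as returned by the APIC REST API. The object class `l2PortSecurityPol` and its `timeout`, `violation` and `maximum` attributes are assumed from the ACI management information model; the JSON payload is constructed sample data so the script runs offline.

```python
import json

# Required values from the STIG check content (V-272037), compared case-insensitively.
REQUIRED = {"timeout": "600", "violation": "protect", "maximum": "1"}

# Constructed sample: the shape of an APIC REST response for
# GET /api/node/class/l2PortSecurityPol.json (class, attribute names and
# dn format assumed from the ACI model; names and values are made up).
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"l2PortSecurityPol": {"attributes": {
            "dn": "uni/infra/portsecurityP-default", "name": "default",
            "timeout": "60", "violation": "protect", "maximum": "0"}}},
        {"l2PortSecurityPol": {"attributes": {
            "dn": "uni/infra/portsecurityP-STIG_PortSec", "name": "STIG_PortSec",
            "timeout": "600", "violation": "protect", "maximum": "1"}}},
        {"l2PortSecurityPol": {"attributes": {
            "dn": "uni/infra/portsecurityP-Legacy", "name": "Legacy",
            "timeout": "600", "violation": "protect", "maximum": "5"}}},
    ],
})


def evaluate_port_security_policies(response_json: str) -> dict:
    """Return {policy name: [deviations]} for every l2PortSecurityPol object.

    An empty list means the policy meets all three STIG values. Any policy
    with deviations that is in use on a host-facing interface is a finding
    under V-272037; policies missing from the fabric entirely cannot be
    detected here and must be verified per leaf as the check content says.
    """
    results = {}
    for item in json.loads(response_json).get("imdata", []):
        attrs = item.get("l2PortSecurityPol", {}).get("attributes")
        if attrs is None:
            continue  # some other object class mixed into the payload
        deviations = []
        for key, want in REQUIRED.items():
            got = attrs.get(key, "<missing>")
            if got.lower() != want:
                deviations.append(f"{key}={got} (required {want})")
        results[attrs.get("name", attrs.get("dn", "?"))] = deviations
    return results


if __name__ == "__main__":
    for name, devs in evaluate_port_security_policies(SAMPLE_RESPONSE).items():
        print(f"{name}: {'compliant' if not devs else '; '.join(devs)}")
```

Against a live fabric, replace `SAMPLE_RESPONSE` with the body of an authenticated class query and cross-reference the compliant policy names with the policy groups bound to each leaf interface profile.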