The Cisco ACI layer 2 switch must enable port security.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-272037 | SRG-NET-000362-L2S-000027 | CACI-L2-000009 | SV-272037r1168273_rule | 2025-12-11 | 1 |
| Description |
|---|
| The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. Port security is supported on physical ports, port channels, and virtual port channels (vPCs). |
| ℹ️ Check |
|---|
Review the port security policies for compliance. Navigate to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access Port, PC Interface, or VPC Interface) >> {{your_policy_name}} >> Advanced Policies. Select each port security policy in use and verify the following:

- Port Security Timeout is set to "600" seconds.
- Violation Action is set to "Protect".
- Maximum Endpoints is set to "1".

Verify port security is active on all appropriate host-facing interfaces, and verify each leaf has been configured to use a correctly configured port security policy.

If port security is not configured and enabled, this is a finding.
| ✔️ Fix |
|---|
Create a port security policy. The policy can be created new or chosen from the list of existing port security policies. Path to the port security setting: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access Port, PC Interface, or VPC Interface) >> {{your_policy_name}} >> Advanced Policies.

If the policy group is not applied to the appropriate interface, add it under the interface profile: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}.

In the Create Port Security Policy dialog box:

1. In the Port Security Timeout field, enter "600", the number of seconds to wait before MAC learning is re-enabled on the interface.
2. In the Maximum Endpoints field, enter "1", the maximum number of endpoints that can be learned on the interface.
3. In the Violation Action field, select "Protect".
4. Click "Submit".
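The check and fix above are written for the APIC GUI. The same verification can be scripted against the APIC REST API, which is how an auditor would confirm the settings across every policy group rather than clicking through each one. The script below is an added example, not part of this STIG or Cisco's documentation. It audits two kinds of objects: the port security policies themselves (`l2PortSecurityPol`, with `timeout`, `violation` and `maximum` attributes) and the relations from each interface policy group to the policy it uses (`infraRsL2PortSecurityPol`, with `tnL2PortSecurityPolName`). The class names, attribute names, DN formats, the reading of `maximum` 0 as "port security disabled", and the assumption that an empty relation name resolves to the policy named `default` are all taken from the ACI object model as the author understands it; confirm them in your APIC's class browser. The JSON records are constructed for the example, so it runs offline; `fetch_class` shows the live query but is not exercised. Deciding which policy groups are host-facing remains the reviewer's job, as in the check.

```python
"""Offline audit of Cisco ACI port security policies against this rule's
settings: timeout 600 s, violation action protect, maximum endpoints 1.

The two JSON documents below are CONSTRUCTED for this example. They mirror the
shape the APIC REST API returns for
    GET /api/node/class/l2PortSecurityPol.json
    GET /api/node/class/infraRsL2PortSecurityPol.json
(the port security policy objects, and the relations from interface policy
groups to the policy they use). Object and attribute names are assumptions
about the ACI object model; verify them against your APIC's class browser.
"""
import json
import urllib.request

# Values the STIG check expects on every port security policy in use.
REQUIRED = {"timeout": "600", "violation": "protect", "maximum": "1"}

SAMPLE_POLICIES = json.loads("""
{"totalCount": "3", "imdata": [
  {"l2PortSecurityPol": {"attributes": {"dn": "uni/infra/portsecurityP-STIG-PortSec",
    "name": "STIG-PortSec", "timeout": "600", "violation": "protect", "maximum": "1"}}},
  {"l2PortSecurityPol": {"attributes": {"dn": "uni/infra/portsecurityP-default",
    "name": "default", "timeout": "60", "violation": "protect", "maximum": "0"}}},
  {"l2PortSecurityPol": {"attributes": {"dn": "uni/infra/portsecurityP-Lab-PortSec",
    "name": "Lab-PortSec", "timeout": "600", "violation": "protect", "maximum": "5"}}}
]}
""")

SAMPLE_RELATIONS = json.loads("""
{"totalCount": "3", "imdata": [
  {"infraRsL2PortSecurityPol": {"attributes": {
    "dn": "uni/infra/funcprof/accportgrp-Host-Port-PG/rsl2PortSecurityPol",
    "tnL2PortSecurityPolName": "STIG-PortSec"}}},
  {"infraRsL2PortSecurityPol": {"attributes": {
    "dn": "uni/infra/funcprof/accbundle-Server-vPC-PG/rsl2PortSecurityPol",
    "tnL2PortSecurityPolName": ""}}},
  {"infraRsL2PortSecurityPol": {"attributes": {
    "dn": "uni/infra/funcprof/accportgrp-Lab-Port-PG/rsl2PortSecurityPol",
    "tnL2PortSecurityPolName": "Lab-PortSec"}}}
]}
""")


def policy_findings(attrs):
    """Return the deviations of one l2PortSecurityPol from the required values."""
    findings = []
    # In ACI a maximum of 0 means port security is not enforced on the interface.
    if attrs.get("maximum") == "0":
        findings.append("maximum is 0, so port security is effectively disabled")
    for key, want in REQUIRED.items():
        got = attrs.get(key)
        if got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    return findings


def audit_policies(response):
    """Map each policy name to its list of findings (empty list = compliant)."""
    return {
        obj["l2PortSecurityPol"]["attributes"]["name"]:
            policy_findings(obj["l2PortSecurityPol"]["attributes"])
        for obj in response["imdata"]
    }


def policy_group_of(relation_dn):
    """Drop the trailing relation RN to get the interface policy group DN."""
    return relation_dn.rsplit("/", 1)[0]


def audit_policy_groups(relations, policy_results):
    """Map each interface policy group DN to an OK/FINDING status string."""
    status = {}
    for obj in relations["imdata"]:
        attrs = obj["infraRsL2PortSecurityPol"]["attributes"]
        pg = policy_group_of(attrs["dn"])
        # An empty relation name resolves to the policy named "default"
        # (assumption based on the usual ACI relation behaviour), so audit that.
        name = attrs.get("tnL2PortSecurityPolName") or "default"
        if name not in policy_results:
            status[pg] = f"FINDING: references unknown policy {name!r}"
        elif policy_results[name]:
            status[pg] = f"FINDING: uses non-compliant policy {name!r}"
        else:
            status[pg] = f"OK: uses compliant policy {name!r}"
    return status


def fetch_class(apic_base, apic_cookie, mo_class):
    """Live query helper, not exercised by the sample: GET one class from an APIC.
    apic_cookie is the APIC-cookie token returned by aaaLogin."""
    req = urllib.request.Request(
        f"{apic_base}/api/node/class/{mo_class}.json",
        headers={"Cookie": f"APIC-cookie={apic_cookie}"},
    )
    with urllib.request.urlopen(req) as resp:  # TLS verification stays on
        return json.load(resp)


if __name__ == "__main__":
    policies = audit_policies(SAMPLE_POLICIES)
    for name, findings in policies.items():
        print(f"policy {name}: {'compliant' if not findings else '; '.join(findings)}")
    for pg, state in audit_policy_groups(SAMPLE_RELATIONS, policies).items():
        print(f"{pg}: {state}")
```

Against the constructed data the script reports `STIG-PortSec` as compliant, `default` as disabled and mis-set, `Lab-PortSec` as allowing too many endpoints, and flags the vPC policy group that attaches no explicit policy because it falls back to the non-compliant `default`. On a live fabric, replace the two samples with `fetch_class(apic, cookie, "l2PortSecurityPol")` and `fetch_class(apic, cookie, "infraRsL2PortSecurityPol")`, then review the flagged policy groups against your list of host-facing interfaces.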