Preventing Cisco ACI Fabric from Learning Endpoints: Security Requirements

Prevent Learning of Endpoints from Unconfigured Subnets on Cisco ACI Fabric

Question

An engineer deployed a Cisco ACI fabric and noticed that the fabric learns endpoints from subnets that are not configured on a bridge domain.

To meet strict security requirements, the engineer must prevent this behavior.

Which action must be taken to prevent this behavior?

Answers

A. Activate Enable Data Plane Endpoint Learning
B. Implement Pervasive Gateway
C. Configure Static Binding
D. Enable Enforce Subnet Check

Explanations

D.

The correct answer to the question is D. Enable Enforce Subnet Check.

Explanation: By default, a Cisco ACI fabric learns endpoints from any subnet it sees in traffic, whether or not that subnet is configured on the bridge domain. Enabling the "Enforce Subnet Check" feature changes this: the fabric then learns endpoints only from subnets that are explicitly configured on a bridge domain.

Enabling "Enforce Subnet Check" matters for security because it restricts endpoint learning to addresses the fabric has been explicitly told to expect. Endpoints from unconfigured subnets are not learned, which helps keep unauthorized endpoints off the network and reduces the chance of a security breach.

The other answer options are not correct:

A. Activate Enable Data Plane Endpoint Learning: This option is incorrect because it will enable the ACI fabric to learn endpoints from all subnets in the network. This is the default behavior and will not prevent the fabric from learning endpoints from subnets that are not explicitly configured on a bridge domain.

B. Implement Pervasive Gateway: This option is incorrect because Pervasive Gateway is a feature that allows endpoints to communicate across multiple bridge domains. It does not prevent the ACI fabric from learning endpoints from subnets that are not explicitly configured on a bridge domain.

C. Configure Static Binding: This option is incorrect because Static Binding is a feature that allows administrators to statically assign an IP address to an endpoint. It does not prevent the ACI fabric from learning endpoints from subnets that are not explicitly configured on a bridge domain.
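As an added audit example (not code from the original page or from Cisco), the script below assumes a constructed bridge-domain subnet list and a constructed endpoint-table export; it reports IP endpoints the fabric has learned outside the subnets configured on their bridge domain, i.e. the entries that Enforce Subnet Check would have prevented from being learned.

```python
import ipaddress

# Constructed bridge-domain subnet configuration (assumed values, not from a real fabric).
# ACI subnets are entered as gateway/prefix, e.g. 10.10.1.1/24.
BD_SUBNETS = {
    "BD-Web": ["10.10.1.1/24"],
    "BD-App": ["10.10.2.1/24", "2001:db8:2::1/64"],
    "BD-L2Only": [],  # no subnet configured on this bridge domain
}

# Constructed endpoint records in the shape of an endpoint-table export (assumed format).
LEARNED_ENDPOINTS = [
    {"bd": "BD-Web", "mac": "00:50:56:aa:00:01", "ip": "10.10.1.25"},
    {"bd": "BD-Web", "mac": "00:50:56:aa:00:02", "ip": "192.168.77.9"},   # not in BD-Web's subnet
    {"bd": "BD-App", "mac": "00:50:56:aa:00:03", "ip": "2001:db8:2::50"},
    {"bd": "BD-App", "mac": "00:50:56:aa:00:04", "ip": "10.10.9.4"},      # not in any BD-App subnet
    {"bd": "BD-L2Only", "mac": "00:50:56:aa:00:05", "ip": "172.16.0.7"},  # BD has no subnet at all
    {"bd": "BD-L2Only", "mac": "00:50:56:aa:00:06", "ip": None},          # MAC-only entry
]


def bd_networks(bd_subnets):
    """Turn gateway/prefix strings into network objects, keyed by bridge domain."""
    return {
        bd: [ipaddress.ip_interface(s).network for s in subnets]
        for bd, subnets in bd_subnets.items()
    }


def find_off_subnet_endpoints(endpoints, bd_subnets):
    """Return (bd, mac, ip) for every IP endpoint outside its BD's configured subnets.

    These are the entries the fabric would not have learned with Enforce Subnet
    Check enabled. MAC-only entries are skipped because the check applies to IP
    endpoint learning. A BD with no subnet configured flags every IP learned on it.
    """
    nets = bd_networks(bd_subnets)
    flagged = []
    for ep in endpoints:
        if ep["ip"] is None:
            continue
        addr = ipaddress.ip_address(ep["ip"])
        # 'in' across IPv4/IPv6 versions is simply False, so mixed-family BDs are safe
        if not any(addr in net for net in nets.get(ep["bd"], [])):
            flagged.append((ep["bd"], ep["mac"], ep["ip"]))
    return flagged


if __name__ == "__main__":
    for bd, mac, ip in find_off_subnet_endpoints(LEARNED_ENDPOINTS, BD_SUBNETS):
        print(f"off-subnet endpoint in {bd}: {mac} {ip}")
```

Run against a real export to see which learned entries would disappear before turning the setting on in a production fabric.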