Fabric Secure Mode Overview
Fabric Secure Mode is a security feature in Cisco ACI that safeguards the infrastructure from unauthorized additions. It ensures that only verified switches and APIC controllers can join the fabric, even if someone has physical access to the equipment.
Starting from release 1.2(1x), Cisco ACI performs a validation check during installation or upgrade. This check confirms that each device has a valid serial number and a Cisco-signed digital certificate.
By default, the system operates in Permissive Mode, allowing existing setups to continue functioning even if some devices lack valid certificates. However, administrators can enable Strict Mode for enhanced security, requiring manual approval for any new device joining the fabric.
⚙️ Modes of Operation
| Mode | Permissive Mode (Default) | Strict Mode |
|---|---|---|
| Device Validation | Valid Cisco serial number and certificate required | Enforces serial number and certificate validation |
| Existing Fabric | Continues operating even with invalid certificates | Requires all devices to be validated |
| Authorization | Auto-discovers and allows devices without manual approval | Manual authorization needed for each new device |
| Security Level | Basic security | Enhanced security and control |
To change the Fabric Secure Mode in Cisco ACI (e.g., from Permissive to Strict), follow these steps using the Cisco APIC GUI:
🔧 Steps to Change Fabric Secure Mode
- Log in to the APIC GUI.
- Navigate to System → System Settings → Fabric Security.
- In the Properties pane, locate the Fabric Secure Mode setting.
- Select Strict Mode from the available options.
- Save the configuration.
- Reboot the APIC and affected switches to apply the change.
⚠️ Important: Changing the mode requires a reboot for the configuration to take effect.
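As an added example (not from the original post), a small Python audit that reads the mode an APIC reports and flags fabrics still in Permissive Mode, mirroring the table above. It assumes the setting is exposed on the managed object class pkiFabricSelfCAEp (DN uni/userext/pkiext/fabricselfca) through its mode attribute; the APIC response used here is a constructed sample, not data from a real fabric.

```python
import json
from typing import Dict

# Constructed sample of an APIC class query response (the usual
# {"totalCount", "imdata"} envelope). Class name pkiFabricSelfCAEp and
# attribute 'mode' are assumptions, not taken from the post.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "1",
    "imdata": [{
        "pkiFabricSelfCAEp": {
            "attributes": {
                "dn": "uni/userext/pkiext/fabricselfca",
                "mode": "permissive",
            }
        }
    }]
})

def fabric_secure_mode(response_json: str) -> str:
    """Extract the configured mode ('permissive' or 'strict') from an
    APIC class query response; raise if the attribute is absent."""
    data = json.loads(response_json)
    for item in data.get("imdata", []):
        attrs = item.get("pkiFabricSelfCAEp", {}).get("attributes", {})
        if "mode" in attrs:
            return attrs["mode"]
    raise ValueError("pkiFabricSelfCAEp.mode not present in response")

def audit_fabric(response_json: str, expected: str = "strict") -> Dict[str, object]:
    """Compare the reported mode with the expected one and record the
    operational consequence described in the table above."""
    mode = fabric_secure_mode(response_json)
    finding: Dict[str, object] = {"mode": mode, "compliant": mode == expected}
    if mode == "permissive":
        finding["note"] = ("new switches and APICs are auto-discovered without "
                           "manual approval; switch to Strict Mode and reboot")
    else:
        finding["note"] = "each new device needs manual authorization"
    return finding

def strict_mode_payload() -> str:
    """JSON body that would set Strict Mode on the (assumed) MO via
    POST /api/mo/uni/userext/pkiext/fabricselfca.json; a reboot is still
    required afterwards, as the post notes."""
    return json.dumps({"pkiFabricSelfCAEp": {"attributes": {"mode": "strict"}}})

if __name__ == "__main__":
    print(audit_fabric(SAMPLE_RESPONSE))
```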