🔐 Rogue Endpoint Detection in Cisco ACI
⚠️ Problem Addressed
Rogue endpoints or misconfigured devices can cause frequent MAC/IP moves across leaf switches, leading to:
- Network instability
- High CPU usage
- Crashes in the endpoint mapper (EPM) and its client (EPMC)
- Rapid log rollover, making debugging difficult
🛡️ How Rogue Endpoint Control Works
The feature helps mitigate these issues by:
- Detecting rapidly moving endpoints (MAC/IP)
- Quarantining them by making their entries static
- Deleting the unauthorized MAC/IP after a set interval
- Raising a fault for visibility
- Generating a host tracking packet to re-learn the endpoint
🔄 Behavior Based on Software Version
| Version | Quarantine Behavior | Traffic Handling | Final Action |
|---|---|---|---|
| Before 3.2(6) | Endpoint is made static | Traffic is dropped during quarantine | MAC/IP is deleted after the interval |
| 3.2(6) and later | Endpoint is made static | Traffic is allowed during quarantine | MAC/IP is deleted after the interval |
✅ Improvement: From 3.2(6) onwards, the system is less disruptive, allowing traffic to continue while still monitoring rogue behavior.
📝 Rogue/COOP Exception List
✅ Purpose
Allows a higher tolerance for endpoint movement before an endpoint is marked as rogue.
📋 Behavior
- Endpoints in the list are marked rogue only after 3,000 moves in 10 minutes
- Once marked:
  - Endpoint is made static
  - Deleted after 30 seconds
🆕 From APIC 6.0(3) Onwards
- You can:
  - Create global exception lists
  - Exclude MACs from rogue detection across all bridge domains or L3Outs
  - Exclude all MACs for a specific bridge domain or L3Out
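To make the detection and exception-list behavior described above concrete, here is an added example (not Cisco's code and not from this post) that models the mechanism: a sliding-window counter of MAC moves between leaf ports, a static (quarantined) entry that is deleted after a hold interval, and a fault raised for visibility. The exception-list thresholds (3,000 moves in 10 minutes, deleted after 30 seconds) come from the post; the default window, move count and hold interval passed in by the caller are assumptions, as are the constructed sample events.

```python
from collections import defaultdict, deque

# Exception-list thresholds from the page: 3,000 moves in 10 minutes, 30 s quarantine.
EXCEPTION_WINDOW_S, EXCEPTION_MAX_MOVES, EXCEPTION_HOLD_S = 600, 3000, 30

class RogueEndpointDetector:
    def __init__(self, window_s, max_moves, hold_s, exception_list=()):
        # Default thresholds are caller-supplied assumptions, not values from the page.
        self.window_s, self.max_moves, self.hold_s = window_s, max_moves, hold_s
        self.exception_list = set(exception_list)
        self.moves = defaultdict(deque)   # mac -> timestamps of recent moves
        self.location = {}                # mac -> last learned leaf/port
        self.quarantine_until = {}        # mac -> time the static entry is deleted
        self.faults = []                  # (time, mac, message) raised for visibility

    def thresholds(self, mac):
        if mac in self.exception_list:
            return EXCEPTION_WINDOW_S, EXCEPTION_MAX_MOVES, EXCEPTION_HOLD_S
        return self.window_s, self.max_moves, self.hold_s

    def learn(self, t, mac, leaf_port):
        """Process one endpoint learn; returns True while the MAC is quarantined."""
        window_s, max_moves, hold_s = self.thresholds(mac)
        if mac in self.quarantine_until:
            if t < self.quarantine_until[mac]:
                return True                      # entry is static: the move is ignored
            del self.quarantine_until[mac]       # hold interval over: entry deleted
            self.moves[mac].clear()              # re-learn starts with a clean count
        if self.location.get(mac) not in (None, leaf_port):
            self.moves[mac].append(t)            # a real move, not the first learn
        self.location[mac] = leaf_port
        recent = self.moves[mac]
        while recent and t - recent[0] > window_s:
            recent.popleft()                     # drop moves outside the window
        if len(recent) > max_moves:
            self.quarantine_until[mac] = t + hold_s
            self.faults.append((t, mac, f"rogue: {len(recent)} moves in {window_s}s"))
            return True
        return False

# Constructed sample (not from the page): MAC A flaps between two leaves every 5 s,
# MAC B moves once. Event format: (time_s, mac, leaf/port).
MAC_A, MAC_B = "00:aa:aa:aa:aa:01", "00:bb:bb:bb:bb:02"
EVENTS = [(5 * i, MAC_A, f"leaf10{i % 2 + 1}/eth1/1") for i in range(8)]
EVENTS += [(0, MAC_B, "leaf101/eth1/2"), (30, MAC_B, "leaf102/eth1/2")]

def run(detector, events):
    """Replay events in time order; returns {mac: last time it was seen quarantined}."""
    quarantined = {}
    for t, mac, port in sorted(events):
        if detector.learn(t, mac, port):
            quarantined[mac] = t
    return quarantined
```

Placing MAC A on the exception list raises its threshold to the 3,000-moves-in-10-minutes value, so the same flapping sample no longer triggers quarantine.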