Sunday, 7 September 2025

Rogue Endpoint Detection in Cisco ACI

 🔐 Rogue Endpoint Detection in Cisco ACI

⚠️ Problem Addressed

Rogue endpoints or misconfigured devices can cause frequent MAC/IP moves across leaf switches, leading to:

  • Network instability
  • High CPU usage
  • Crashes in endpoint mapper (EPM) and client (EPMC)
  • Rapid log rollover, making debugging difficult

🛡️ How Rogue Endpoint Control Works

The feature helps mitigate these issues by:

  • Detecting rapidly moving endpoints (MAC/IP)
  • Quarantining them by making their entries static
  • Deleting the unauthorized MAC/IP after a set interval
  • Raising a fault for visibility
  • Generating a host tracking packet to re-learn the endpoint

🔄 Behavior Based on Software Version

Version

Quarantine Behavior

Traffic Handling

Final Action

Before 3.2(6)

Endpoint is made static

Traffic is dropped during quarantine

MAC/IP is deleted after the interval

3.2(6) and later

Endpoint is made static

Traffic is allowed during quarantine

MAC/IP is deleted after the interval

 Improvement: From 3.2(6) onwards, the system is less disruptive, allowing traffic to continue while still monitoring rogue behavior.


📝 Rogue/COOP Exception List

 Purpose

Allows higher tolerance for endpoint movement before marking as rogue.

📋 Behavior

  • Endpoints in the list are marked rogue only after 3,000 moves in 10 minutes
  • Once marked:
    • Endpoint is made static
    • Deleted after 30 seconds

🆕 From APIC 6.0(3) Onwards

  • You can:
    • Create global exception lists
    • Exclude MACs from rogue detection across all bridge domains or L3Outs
    • Exclude all MACs for a specific bridge domain or L3Out

 

No comments:

Post a Comment