Rule ID
SV-272101r1168417_rule
Version
V1R2
CCIs
As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513. Specify the appropriate IPv6 address range within the relevant configuration objects like bridge domains and L3Out, ensuring the addresses fall within the allocated site local unicast prefix, and enable IPv6 routing on the fabric level, allowing the ACI switches to learn and route traffic based on these IPv6 addresses.
Review the router configuration to ensure FEC0::/10 IP addresses are not defined.
Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Route Table >> IPV6 Routes
and
Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Client Endpoints
This will display all IPV6 address in this VRF and on which leaf they reside.
If the CLI is preferred, the command is as follows when run from the APIC:
fabric {{node_ID}} show ipv6 interface brief
or from each node:
show ipv6 interface brief
If IPv6 site local unicast addresses are defined, this is a finding.Delete unauthorized addresses. Configure the IPv6 addresses on the ACI fabric's leaf switches and virtual network segments (bridge domains) within the desired tenant to use site local unicast addresses.
Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Route Table >> IPV6 Routes
Remove unauthorized addresses. Remove unauthorized addresses from the Client Endpoints list.
Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Client Endpoints