Title

The Cisco ACI must be configured to have gratuitous ARP (GARP) disabled on all external interfaces. (Cat II impact)

Discussion

A GARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.

Check Content

Review the configuration for each L3OUT Bridge Domain to determine if gratuitous ARP is disabled: 1. In the APIC GUI Navigation pane, select "Tenant" and inspect each Tenant's Bridge Domain configuration. 2. Expand "Networking" and right-click each Bridge Domain. 3. View the Layer 3 configuration tab. Verify GARP-based detection is not enabled. If GARP is enabled on any external interface, this is a finding.

Fix Text

Disable GARP for each L3OUT Bridge Domain: 1. In the APIC GUI navigation pane, select "Tenant" and complete the following for each tenant listed. 2. Expand "Networking", right-click, "Create Bridge Domain" to open the dialog box, and fill out the form. - In the Layer 3 Configurations tab, GARP based detection must not be enabled. 3. Click "NEXT". 4. Complete the Bridge Domain configuration. 5. Click "Finish".

Additional Identifiers

Rule ID: SV-272086r1064591_rule

Vulnerability ID: V-272086

Group Title: SRG-NET-000362-RTR-000111

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.