Check: CACI-RT-000020
Cisco ACI Router STIG:
CACI-RT-000020
(in version v1 r0.1)
Title
The BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes belonging to the IP core. (Cat II impact)
Discussion
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.
Check Content
If this review is for the DODIN Backbone, mark as not applicable.

Verify the router is configured to deny Router Advertisements:

apic1(config-tenant-fhs-secpol)# router-advertisement-guard

If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.
Fix Text
Configure the router with FHS to suppress Router Advertisements on all external IPv6-enabled interfaces as shown in the example below. View the FHS requirement in the Layer 2 STIG.

apic1(config-tenant-fhs-secpol)# router-advertisement-guard
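The command above acts on IPv6 Router Advertisements; the requirement itself is about prefixes BGP sends to external peers. The following is an added audit script written for this page (not Cisco or DISA code) that applies the rule as titled: given the IP core prefix list and the prefixes currently advertised to a peer, it flags any advertised prefix that is equal to or more specific than a core block, and separately warns about supernets that cover a core block. Both prefix lists are constructed sample data, not output from a real APIC; in practice they would be filled from the fabric's configured core blocks and the peer's advertised-routes output.

```python
#!/usr/bin/env python3
"""Audit a BGP outbound advertisement list against the IP core prefixes.

Added example for this STIG check; not Cisco or DISA code. The prefix lists
below are constructed sample data, not output from a real APIC.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: blocks that belong to the IP core and must never be
# re-advertised toward external peers.
CORE_PREFIXES = """
# core infrastructure blocks (sample data)
10.0.0.0/16
192.0.2.0/24
2001:db8:1::/48
"""

# Constructed sample: what an external (L3Out) BGP peer is currently sent.
ADVERTISED_PREFIXES = """
10.0.5.0/24        # more specific than a core block -> finding
192.0.2.0/24       # identical to a core block       -> finding
198.51.100.0/24    # tenant prefix, not core          -> ok
2001:db8:1:2::/64  # inside the v6 core block         -> finding
2001:db8:9::/48    # unrelated v6 prefix              -> ok
10.0.0.0/8         # supernet covering a core block   -> warning
0.0.0.0/0          # default route: supernet rule skipped -> ok
"""


def parse_prefixes(text: str) -> List[Net]:
    """Parse one prefix per line; '#' starts a comment, blank lines are skipped.

    strict=False masks off host bits (e.g. 10.0.5.1/24 -> 10.0.5.0/24), which is
    how prefixes often appear in show-command output. Anything else raises.
    """
    nets: List[Net] = []
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def classify(prefix: Net, core: Iterable[Net]) -> Tuple[str, Optional[Net]]:
    """Classify one advertised prefix against the core list.

    Returns (verdict, matching_core_prefix) where verdict is:
      'finding'  prefix is equal to or more specific than a core prefix
      'warning'  prefix is a supernet that covers a core prefix (a default
                 route is excluded: advertising it is a deliberate choice)
      'ok'       no relationship to any core prefix
    """
    for c in core:
        if c.version != prefix.version:
            continue  # subnet_of() raises TypeError across address families
        if prefix.subnet_of(c):
            return "finding", c
        if prefix.prefixlen > 0 and c.subnet_of(prefix):
            return "warning", c
    return "ok", None


def audit(advertised_text: str, core_text: str) -> Dict[str, List[str]]:
    """Run the check and return {'finding': [...], 'warning': [...], 'ok': [...]}.

    Each entry is 'advertised -> core' for a match, or just 'advertised'.
    """
    core = parse_prefixes(core_text)
    report: Dict[str, List[str]] = {"finding": [], "warning": [], "ok": []}
    for p in parse_prefixes(advertised_text):
        verdict, match = classify(p, core)
        report[verdict].append(f"{p} -> {match}" if match else str(p))
    return report


def is_compliant(report: Dict[str, List[str]]) -> bool:
    """The check passes only when no core prefix is advertised outbound."""
    return not report["finding"]


if __name__ == "__main__":
    result = audit(ADVERTISED_PREFIXES, CORE_PREFIXES)
    for verdict in ("finding", "warning", "ok"):
        for entry in result[verdict]:
            print(f"{verdict.upper():8} {entry}")
    print("COMPLIANT" if is_compliant(result)
          else "FINDING: core prefixes are advertised outbound")
```

Supernets are reported as warnings rather than findings because a covering aggregate can be legitimate, but it still draws traffic destined for the core toward this router, which is exactly the looping and black-holing risk the Discussion describes; review each one before accepting it.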
Additional Identifiers
Rule ID: SV-272080r1064483_rule
Vulnerability ID: V-272080
Group Title: SRG-NET-000205-RTR-000006
Expert Comments
The check and fix text configure the FHS router-advertisement-guard policy, which suppresses IPv6 Router Advertisement (neighbor discovery) messages on the fabric, while the title and discussion concern BGP outbound route advertisements. RA guard does not filter BGP updates, so meeting the requirement as titled also means confirming that the IP core prefixes are excluded from what BGP advertises to external (L3Out) peers, for example with an outbound route map or prefix filter on those peers, in addition to keeping the RA guard configuration required by the Layer 2 STIG.
CCIs
Number | Definition
---|---
CCI-001097 | Monitor and control communications at the external managed interfaces to the system and at key managed interfaces within the system.
Controls
Number | Title
---|---
SC-7 | Boundary Protection