DISA STIGS Viewer

The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Overview

Finding ID: V-272079
Version: CACI-RT-000019
Rule ID: SV-272079r1114312_rule
IA Controls:
Severity: Medium
Description
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
STIG: Cisco ACI Router Security Technical Implementation Guide
Date: 2025-06-18

Details

Check Text (C-76129r1114310_chk)
If this review is for the DODIN Backbone, mark as not applicable.

Review the external and internal ACLs to verify that the router is configured to only allow specific management and control plane traffic from specific sources destined to itself.

1. Navigate to Tenant >> Contract >> Filter.
2. Select the "Drop Fragmented ICMP" filter.
3. Verify that ICMP and Fragmented are selected to be denied.

If all fragmented ICMP packets destined to Cisco ACI IP addresses are not dropped, this is a finding.
Fix Text (F-76036r1114311_fix)
Ensure this deny rule is placed before any permit rules for ICMP traffic to ensure fragmented ICMP packets are dropped first.

1. Navigate to Tenant >> Contract >> Filter.
2. Create or edit a filter (e.g., "Drop Fragmented ICMP").
3. Set Match to include:
   Protocol: ICMP
   Fragmentation: "Fragmented"
4. Set Action to "Deny".
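The GUI steps in the Check Text and Fix Text above correspond to a small set of APIC managed objects: a vzFilter whose vzEntry matches etherT "ip", prot "icmp" and applyToFrag "yes" (the "Fragmentation: Fragmented" match), attached to a contract subject by a vzRsSubjFiltAtt with action "deny". The following Python is an added example, not part of the STIG or of Cisco's tooling. It builds that filter payload and checks APIC query output for compliance with both the filter entry and the deny attachment. The tenant name, the space-free filter name "Drop_Fragmented_ICMP", and the sample APIC responses are constructed for the example; the object class and attribute names are the standard ACI ones.

```python
"""Build and audit a Cisco ACI filter that drops fragmented ICMP (added example)."""
from typing import Any

# Assumed values: the tenant and a filter name without spaces (ACI object names
# cannot contain spaces, so the STIG's "Drop Fragmented ICMP" is adapted).
TENANT = "common"
FILTER_NAME = "Drop_Fragmented_ICMP"


def build_drop_frag_icmp_filter(tenant: str = TENANT, name: str = FILTER_NAME) -> dict:
    """Return the managed-object payload to POST to
    /api/mo/uni/tn-{tenant}/flt-{name}.json: one filter whose single entry
    matches IP/ICMP and applies only to fragments (applyToFrag="yes")."""
    return {
        "vzFilter": {
            "attributes": {"dn": f"uni/tn-{tenant}/flt-{name}", "name": name},
            "children": [
                {"vzEntry": {"attributes": {
                    "name": "frag_icmp",
                    "etherT": "ip",        # IP frames
                    "prot": "icmp",        # ICMP protocol
                    "applyToFrag": "yes",  # match only fragmented packets
                }}}
            ],
        }
    }


def post_target(apic_host: str, tenant: str = TENANT, name: str = FILTER_NAME) -> str:
    """URL the payload above would be POSTed to (apic_host is an assumption)."""
    return f"https://{apic_host}/api/mo/uni/tn-{tenant}/flt-{name}.json"


def entry_matches_fragmented_icmp(attrs: dict[str, Any]) -> bool:
    """True if a vzEntry's attributes select fragmented ICMP packets."""
    return (
        attrs.get("etherT") in ("ip", "ipv4")
        and attrs.get("prot") == "icmp"
        and attrs.get("applyToFrag") == "yes"
    )


def filter_is_compliant(imdata: list[dict]) -> bool:
    """imdata: the 'imdata' list returned by
    GET /api/node/mo/uni/tn-{t}/flt-{n}.json?query-target=children
    Compliant when at least one entry matches fragmented ICMP."""
    return any(
        entry_matches_fragmented_icmp(obj["vzEntry"]["attributes"])
        for obj in imdata if "vzEntry" in obj
    )


def subject_denies_filter(imdata: list[dict], filter_name: str) -> bool:
    """imdata: children of a contract subject (vzRsSubjFiltAtt objects).
    True only if the named filter is attached with action 'deny'."""
    for obj in imdata:
        att = obj.get("vzRsSubjFiltAtt", {}).get("attributes", {})
        if att.get("tnVzFilterName") == filter_name:
            return att.get("action", "permit") == "deny"
    return False  # filter not attached to this subject at all


# Constructed sample APIC responses (not captured from a real fabric).
SAMPLE_COMPLIANT = {"totalCount": "1", "imdata": [
    {"vzEntry": {"attributes": {"name": "frag_icmp", "etherT": "ip",
                                "prot": "icmp", "applyToFrag": "yes"}}}]}
SAMPLE_NONCOMPLIANT = {"totalCount": "1", "imdata": [
    {"vzEntry": {"attributes": {"name": "icmp_all", "etherT": "ip",
                                "prot": "icmp", "applyToFrag": "no"}}}]}
SAMPLE_SUBJECT = {"totalCount": "2", "imdata": [
    {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": FILTER_NAME,
                                        "action": "deny"}}},
    {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "permit_icmp",
                                        "action": "permit"}}}]}


if __name__ == "__main__":
    import json
    print(json.dumps(build_drop_frag_icmp_filter(), indent=2))
    print("filter compliant:", filter_is_compliant(SAMPLE_COMPLIANT["imdata"]))
    print("subject denies:", subject_denies_filter(SAMPLE_SUBJECT["imdata"], FILTER_NAME))
```

When auditing a fabric, pull the filter's entries and each consuming subject's vzRsSubjFiltAtt children from the APIC REST API and run both checks; a filter entry that matches ICMP without applyToFrag="yes", or a subject that attaches the filter with the default permit action, is the finding described in the Check Text.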