DISA STIGS Viewer

The BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Overview

Finding ID: V-272080
Version: CACI-RT-000020
Rule ID: SV-272080r1113986_rule
IA Controls: (none listed)
Severity: Medium
Description
Outbound route advertisements for prefixes belonging to the core can result in traffic either looping or being black-holed, or at a minimum taking a non-optimized path.
STIG: Cisco ACI Router Security Technical Implementation Guide
Date: 2025-06-18

Details

Check Text (C-76130r1063635_chk)
If this review is for the DODIN Backbone, mark as not applicable.

Verify the router is configured to deny router advertisements (router-advertisement-guard in the tenant first-hop-security policy):

apic1(config-tenant-fhs-secpol)# router-advertisement-guard

If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.
Fix Text (F-76037r1063636_fix)
Configure the router with FHS to suppress Router Advertisements on all external IPv6-enabled interfaces as shown in the example below. View the FHS requirement in the Layer 2 STIG.

apic1(config-tenant-fhs-secpol)# router-advertisement-guard
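As an added example (not from the STIG or from Cisco), the following script applies this check to an exported APIC configuration and reports each tenant whose FHS security-policy lacks router-advertisement-guard; note that this setting is an IPv6 First Hop Security control that inspects IPv6 Router Advertisements rather than BGP route advertisements. The two-space block hierarchy in SAMPLE_CONFIG, the sample tenant names and the function names are assumptions.

```python
import re
# Constructed sample running config. The hierarchy (tenant > first-hop-security >
# security-policy > settings) is ASSUMED from the config-tenant-fhs-secpol prompt.
SAMPLE_CONFIG = """\
tenant prod
  first-hop-security
    security-policy edge-fhs
      router-advertisement-guard
tenant lab
  first-hop-security
    security-policy lab-fhs
      ip-inspection
tenant legacy
  vrf context main
"""

def fhs_policies(config):
    """Map tenant -> {policy name -> set of settings} by tracking indent depth."""
    tenants, tenant, policy, in_fhs = {}, None, None, False
    for raw in filter(str.strip, config.splitlines()):  # skip blank lines
        line = raw.strip()
        depth = (len(raw) - len(raw.lstrip())) // 2  # 2-space indent per level
        if depth == 0:  # new top-level block: reset all context
            tenant, policy, in_fhs = None, None, False
            m = re.match(r"tenant\s+(\S+)$", line)
            if m:
                tenant = m.group(1)
                tenants[tenant] = {}
        elif tenant and depth == 1:
            in_fhs, policy = line == "first-hop-security", None
        elif in_fhs and depth == 2:
            m = re.match(r"security-policy\s+(\S+)$", line)
            policy = m.group(1) if m else None
            if policy:
                tenants[tenant][policy] = set()
        elif policy and depth >= 3:
            tenants[tenant][policy].add(line)
    return tenants

def stig_findings(config):
    """One finding per tenant with no FHS policy, or per policy lacking RA guard."""
    findings = []
    for tenant, policies in fhs_policies(config).items():
        if not policies:
            findings.append(f"{tenant}: no FHS security-policy configured")
        for name, settings in policies.items():
            if "router-advertisement-guard" not in settings:
                findings.append(f"{tenant}/{name}: router-advertisement-guard missing")
    return findings
```

Run it against the output of the APIC running-config export for each tenant; an empty findings list corresponds to "not a finding" for this rule.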