The Cisco ACI must be configured to have gratuitous ARP (GARP) disabled on all external interfaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-272086 | CACI-RT-000026 | SV-272086r1114094_rule | | Medium |
Description

A GARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.
| STIG | Date |
|---|---|
| Cisco ACI Router Security Technical Implementation Guide | 2025-06-18 |
Details
Check Text (C-76136r1064209_chk)

Review the configuration for each L3OUT Bridge Domain to determine if gratuitous ARP is disabled:

1. In the APIC GUI Navigation pane, select "Tenant" and inspect each Tenant's Bridge Domain configuration.
2. Expand "Networking" and right-click each Bridge Domain.
3. View the Layer 3 configuration tab. Verify GARP-based detection is not enabled.

If GARP is enabled on any external interface, this is a finding.
Fix Text (F-76043r1114093_fix)

Disable GARP for each L3OUT Bridge Domain:

1. In the APIC GUI navigation pane, select "Tenant" and complete the following for each tenant listed.
2. Expand "Networking", right-click, "Create Bridge Domain" to open the dialog box, and fill out the form.
   - In the Layer 3 Configurations tab, GARP-based detection must not be enabled.
3. Click "NEXT".
4. Complete the Bridge Domain configuration.
5. Click "Finish".