The Juniper router must be configured to have Gratuitous ARP disabled on all external interfaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-254032 | JUEX-RT-000600 | SV-254032r844129_rule | | Medium |

| Description |
|---|
| A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host's IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction. |

| STIG | Date |
|---|---|
| Juniper EX Series Switches Router Security Technical Implementation Guide | 2024-06-10 |
Details
Check Text (C-57484r844127_chk)

Review the configuration to determine if gratuitous ARP is disabled on all external interfaces.

```
[edit interfaces]
<external interface> {
    no-gratuitous-arp-reply;
    no-gratuitous-arp-request;
    unit <number> {
        family inet {
            address <IPv4 address>/<mask>;
        }
        family inet6 {
            address <IPv6 address>/<mask>;
        }
    }
}
```

If gratuitous ARP is enabled on any external interface, this is a finding.
Fix Text (F-57435r844128_fix)

Disable gratuitous ARP on all external interfaces.

```
set interfaces <external interface> no-gratuitous-arp-reply
set interfaces <external interface> no-gratuitous-arp-request
set interfaces <external interface> unit <number> family inet address <IPv4 address>/<mask>
set interfaces <external interface> unit <number> family inet6 address <IPv6 address>/<prefix>
```