The Cisco ACI must be configured to have gratuitous ARP (GARP) disabled on all external interfaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272086 | CACI-RT-000026 | SV-272086r1114094_rule | CCI-002385 | medium |
| Description | ||||
| A GARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction. | ||||
| STIG | Date | |||
| Cisco ACI Router Security Technical Implementation Guide | 2025-06-18 | |||
Details
Check Text (C-272086r1114094_chk)
Review the configuration for each L3OUT Bridge Domain to determine if gratuitous ARP is disabled:
1. In the APIC GUI Navigation pane, select "Tenant" and inspect each Tenant's Bridge Domain configuration.
2. Expand "Networking" and right-click each Bridge Domain.
3. View the Layer 3 configuration tab. Verify GARP-based detection is not enabled.
If GARP is enabled on any external interface, this is a finding.
Fix Text (F-76043r1114093_fix)
Disable GARP for each L3OUT Bridge Domain:
1. In the APIC GUI navigation pane, select "Tenant" and complete the following for each tenant listed.
2. Expand "Networking", right-click, "Create Bridge Domain" to open the dialog box, and fill out the form.
- In the Layer 3 Configurations tab, GARP based detection must not be enabled.
3. Click "NEXT".
4. Complete the Bridge Domain configuration.
5. Click "Finish".