Cisco ACI must be configured so the BGP neighbor is directly connected and will not connect a BGP session to a directly connected neighbor device's loopback address.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-272094 | CACI-RT-000034 | SV-272094r1168411_rule | CCI-002385 | low |

Description

Generalized Time To Live Security Mechanism (GTSM) is designed to protect a router's IP-based control plane from denial-of-service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol speaking routers. ACI mitigates this risk in a different way, as there is currently no option for TTL-security or GTSM support; however, ACI is set up by default to validate that the BGP neighbor is directly connected and will not even connect a BGP session to a directly connected neighbor device's loopback address.

| STIG | Date |
|---|---|
| Cisco ACI Router Security Technical Implementation Guide | 2025-12-11 |
Details
Check Text (C-272094r1168411_chk)
Review the BGP configuration to verify that TTL security has been configured to the default settings.
Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy.
Verify the following in the policy:
Disable Connected Check is unmarked
EBGP Multihop TTL = 1
If Cisco ACI is not configured with these default settings (its equivalent of GTSM) for all Exterior BGP peering sessions, this is a finding.
Fix Text (F-76051r1168410_fix)
If ACI is determined to be configured differently from the default settings, reconfigure it to the default settings by performing the following actions on the BGP connectivity profile (path below).
Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy.
Reset the following in the policy:
Disable Connected Check is unmarked
EBGP Multihop TTL = 1
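The GUI steps above check and reset one BGP peer at a time. The following Python script is an added example, not part of this STIG or Cisco's tooling, that audits every BGP peer policy in a fabric at once against the same two settings and builds the payload that restores the defaults. It assumes the APIC REST API's `bgpPeerP` class represents the BGP peer policy, that its `ttl` attribute is the "EBGP Multihop TTL" field and that the `dis-conn-check` flag in `peerCtrl` is the "Disable Connected Check" box; the `aaaLogin` and `APIC-cookie` login flow is the standard APIC REST login. The sample response, the tenant/L3Out names and the peer addresses are constructed for the example.

```python
import json
import ssl
import urllib.request

# Constructed sample of a GET /api/class/bgpPeerP.json response. The dn/addr
# values are made up; the attribute names (ttl, peerCtrl, dis-conn-check) are
# assumptions about the APIC object model, not taken from the STIG text.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"bgpPeerP": {"attributes": {
            "dn": "uni/tn-Prod/out-L3OUT-WAN/lnodep-NP1/lifp-IFP1/peerP-[192.0.2.10]",
            "addr": "192.0.2.10", "ttl": "1", "peerCtrl": ""}}},          # compliant
        {"bgpPeerP": {"attributes": {
            "dn": "uni/tn-Prod/out-L3OUT-WAN/lnodep-NP1/lifp-IFP1/peerP-[192.0.2.11]",
            "addr": "192.0.2.11", "ttl": "5", "peerCtrl": "dis-conn-check"}}},  # both wrong
        {"bgpPeerP": {"attributes": {
            "dn": "uni/tn-Prod/out-L3OUT-DC/lnodep-NP2/lifp-IFP2/peerP-[198.51.100.7]",
            "addr": "198.51.100.7", "ttl": "1", "peerCtrl": "bfd,dis-conn-check"}}},  # check off
    ],
})


def audit_peers(response_json: str) -> list:
    """Return one record per BGP peer policy listing the STIG deviations found.

    A peer is compliant when EBGP Multihop TTL is 1 and Disable Connected
    Check is unmarked (no 'dis-conn-check' flag in peerCtrl).
    """
    findings = []
    for item in json.loads(response_json)["imdata"]:
        attrs = item["bgpPeerP"]["attributes"]
        ctrl_flags = {f for f in attrs.get("peerCtrl", "").split(",") if f}
        problems = []
        if int(attrs.get("ttl", "1")) != 1:
            problems.append(f"EBGP Multihop TTL is {attrs['ttl']}, expected 1")
        if "dis-conn-check" in ctrl_flags:
            problems.append("Disable Connected Check is marked")
        findings.append({"dn": attrs["dn"], "addr": attrs["addr"], "problems": problems})
    return findings


def remediation_payload(attrs: dict) -> dict:
    """Build the REST body that resets a peer policy to the STIG defaults.

    Other peerCtrl flags (e.g. bfd) are preserved; only dis-conn-check is
    dropped and ttl is forced back to 1.
    """
    remaining = [f for f in attrs.get("peerCtrl", "").split(",")
                 if f and f != "dis-conn-check"]
    return {"bgpPeerP": {"attributes": {
        "dn": attrs["dn"], "ttl": "1", "peerCtrl": ",".join(remaining)}}}


def fetch_bgp_peers(apic: str, user: str, password: str) -> str:
    """Log in to the APIC and return the raw bgpPeerP class query (not run in the demo)."""
    ctx = ssl.create_default_context()
    login = urllib.request.Request(
        f"https://{apic}/api/aaaLogin.json",
        data=json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(login, context=ctx) as resp:
        token = json.loads(resp.read())["imdata"][0]["aaaLogin"]["attributes"]["token"]
    query = urllib.request.Request(f"https://{apic}/api/class/bgpPeerP.json",
                                   headers={"Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(query, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline demo over the constructed sample; swap in fetch_bgp_peers(...) for a live fabric.
    for rec in audit_peers(SAMPLE_RESPONSE):
        status = "OK" if not rec["problems"] else "FINDING: " + "; ".join(rec["problems"])
        print(f"{rec['addr']:<14} {status}")
```

Only peers whose record carries a non-empty `problems` list need the Fix Text applied; feeding each such peer's attributes to `remediation_payload` gives the body a POST to `/api/mo/uni.json` would carry, so the fix can be reviewed before anything is pushed to the fabric.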