Rule ID
SV-272094r1168411_rule
Version
V1R2
CCIs
Generalized Time-to-Live (TTL) Security Mechanism (GTSM) is designed to protect a router's IP-based control plane from denial-of-service (DoS) attacks. The sender transmits its BGP packets with an IP TTL of 255, and the receiver discards any packet whose TTL shows it has crossed more hops than the expected peer distance, so a remote attacker cannot impersonate a directly connected neighbor. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol (eBGP) speaking routers. ACI mitigates this risk in a different way, as there is currently no option for TTL security or GTSM support; however, by default ACI validates that the BGP neighbor is directly connected, and it will not even establish a BGP session to a directly connected neighbor device's loopback address.
Review the BGP peer configuration to verify that the connected-check and eBGP multihop TTL settings have been left at their default values.
Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy.
Verify the following in the policy:
Disable Connected Check is unmarked
EBGP Multihop TTL = 1
If the Cisco ACI is not configured with these default settings (the ACI equivalent of GTSM) for all Exterior BGP peering sessions, this is a finding.

If ACI is determined to be configured differently than the default settings, reconfigure to the default settings by performing the following actions on the BGP peer connectivity profile (path below).
Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy.
Reset the following in the policy:
Disable Connected Check is unmarked
EBGP Multihop TTL = 1
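The GUI walk-through above has to be repeated for every BGP peer in every L3Out. The following script is an added example, not part of the STIG text or any Cisco tool, that performs the same check and fix verification in bulk against the output of an APIC class query. It assumes the APIC REST API call GET /api/class/bgpPeerP.json returns peer objects whose attributes include `ttl` (the GUI's "EBGP Multihop TTL") and `peerCtrl` (a comma-separated flag list containing "dis-conn-check" when "Disable Connected Check" is marked); both attribute names are assumptions to verify against your APIC version. The JSON response embedded below is constructed for the example, not captured from a fabric.

```python
"""Audit Cisco ACI bgpPeerP objects for the GTSM-equivalent defaults.

Added example (not from the STIG or from Cisco). Assumed APIC object model:
bgpPeerP.attributes.ttl       -> GUI "EBGP Multihop TTL", default "1"
bgpPeerP.attributes.peerCtrl  -> comma-separated flags; contains
                                 "dis-conn-check" when "Disable Connected
                                 Check" is marked (default: not present)
"""
import json

EXPECTED_TTL = "1"                 # STIG: EBGP Multihop TTL = 1
DISABLE_CONNECTED_CHECK = "dis-conn-check"   # assumed peerCtrl flag name

# Constructed sample in the shape of an APIC class-query response.
SAMPLE_APIC_RESPONSE = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"bgpPeerP": {"attributes": {        # compliant: defaults
            "dn": "uni/tn-prod/out-wan/lnodep-np1/lifp-ifp1/peerP-[192.0.2.1]",
            "addr": "192.0.2.1", "ttl": "1", "peerCtrl": ""}}},
        {"bgpPeerP": {"attributes": {        # finding: multihop TTL raised
            "dn": "uni/tn-prod/out-wan/lnodep-np1/lifp-ifp1/peerP-[192.0.2.5]",
            "addr": "192.0.2.5", "ttl": "2", "peerCtrl": ""}}},
        {"bgpPeerP": {"attributes": {        # finding: connected check off
            "dn": "uni/tn-prod/out-wan/lnodep-np1/lifp-ifp2/peerP-[192.0.2.9]",
            "addr": "192.0.2.9", "ttl": "1", "peerCtrl": "bfd,dis-conn-check"}}},
    ],
})


def peer_findings(attrs):
    """Return the list of deviations for one bgpPeerP attribute dict.

    An absent ttl is treated as the default "1", matching a peer that was
    never changed from the GUI defaults.
    """
    findings = []
    ttl = attrs.get("ttl", EXPECTED_TTL)
    if ttl != EXPECTED_TTL:
        findings.append(f"EBGP Multihop TTL is {ttl}, expected {EXPECTED_TTL}")
    ctrl = {c.strip() for c in attrs.get("peerCtrl", "").split(",") if c.strip()}
    if DISABLE_CONNECTED_CHECK in ctrl:
        findings.append("Disable Connected Check is marked")
    return findings


def audit_bgp_peers(response_json):
    """Parse an APIC class-query response and list non-compliant peers.

    Returns a list of (peer address, dn, [reasons]); an empty list means
    every peer is at the default (GTSM-equivalent) settings.
    """
    data = json.loads(response_json)
    results = []
    for item in data.get("imdata", []):
        attrs = item.get("bgpPeerP", {}).get("attributes", {})
        reasons = peer_findings(attrs)
        if reasons:
            results.append((attrs.get("addr"), attrs.get("dn"), reasons))
    return results


if __name__ == "__main__":
    # Replace SAMPLE_APIC_RESPONSE with the body of the live class query.
    for addr, dn, reasons in audit_bgp_peers(SAMPLE_APIC_RESPONSE):
        print(f"FINDING {addr} ({dn}): " + "; ".join(reasons))
```

Run it against the saved JSON of the class query after the fix actions above to confirm that every peer drops out of the finding list; the dn in each result is the object to open in the GUI path given in the check.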