
V-273632

CAT II (Medium)

The RUCKUS ICX router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.

Rule ID

SV-273632r1110938_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385

Discussion

The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.

Check Content

Review the configuration to determine whether outgoing ICMP mask replies are blocked on external interfaces.

enable egress-acl-on-cpu-traffic

ip access-list extended BLOCK_ICMP_OUT
 sequence 10 deny icmp any any unreachable
 sequence 20 deny icmp any any mask-reply
 sequence 30 permit ip any any

interface ethernet 1/1/1
 ip address x.0.1.2 255.255.255.252
 ip access-group BLOCK_ICMP_OUT out
!

If outgoing ICMP mask replies are not blocked on external interfaces, this is a finding.
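
The check above can be scripted against a saved running-config. The following Python is an added example, not part of the STIG or of any RUCKUS tooling; the function names, the `external_interfaces` argument (the operator must say which interfaces are external) and the sample config are constructed for illustration. It evaluates only any/any ACL entries and reports an ACL with no recognised deny as a finding for manual review.

```python
import re

# Constructed sample running-config (not from a real device); 1/1/2 deliberately lacks the ACL.
SAMPLE_CONFIG = """\
enable egress-acl-on-cpu-traffic
ip access-list extended BLOCK_ICMP_OUT
 sequence 10 deny icmp any any unreachable
 sequence 20 deny icmp any any mask-reply
 sequence 30 permit ip any any
interface ethernet 1/1/1
 ip access-group BLOCK_ICMP_OUT out
interface ethernet 1/1/2
"""

DENIES = {"deny icmp any any mask-reply", "deny icmp any any", "deny ip any any"}
PERMITS = {"permit icmp any any mask-reply", "permit icmp any any", "permit ip any any"}

def parse_blocks(config):
    """Map each unindented line to a list holding itself and the indented lines beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():
            current = line.strip()
        blocks.setdefault(current, []).append(line.strip())
    return blocks

def acl_blocks_mask_reply(entries):
    """First match wins: True only if an any/any deny covering mask-reply precedes any any/any permit."""
    for entry in entries:
        rule = re.sub(r"^sequence \d+ ", "", entry)
        if rule in DENIES or rule in PERMITS:
            return rule in DENIES
    return False  # conservative: no recognised deny is reported as a finding

def audit(config, external_interfaces):
    """Return finding strings for V-273632; an empty list means no finding."""
    blocks = parse_blocks(config)
    findings = [] if "enable egress-acl-on-cpu-traffic" in blocks else [
        "global: egress-acl-on-cpu-traffic is not enabled"]
    for name in external_interfaces:
        acls = [m.group(1) for l in blocks.get(f"interface {name}", [])
                if (m := re.fullmatch(r"ip access-group (\S+) out", l))]
        if not acls:
            findings.append(f"{name}: no outbound ACL applied")
        elif not acl_blocks_mask_reply(blocks.get(f"ip access-list extended {acls[0]}", [])):
            findings.append(f"{name}: ACL {acls[0]} does not deny mask-reply before a permit")
    return findings
```

Calling `audit(SAMPLE_CONFIG, ["ethernet 1/1/1", "ethernet 1/1/2"])` flags only the interface that has no outbound ACL.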

Fix Text

Configure an ACL to block ICMP mask replies.

ICX(config)#enable egress-acl-on-cpu-traffic
ICX(config)#ip access ext BLOCK_ICMP_OUT
ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#deny icmp any any unreachable
ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#deny icmp any any mask-reply
ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#permit ip any any

Apply the ACL to the external interface.

ICX(config)#interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)#ip access-group BLOCK_ICMP_OUT out