V-272079

CAT II (Medium)

The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Rule ID

SV-272079r1168423_rule

STIG

Cisco ACI Router Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001097

Discussion

Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

Check Content

If this review is for the DODIN Backbone, mark as Not Applicable.

When creating a contract, create a Deny statement that matches on the fragment bits and denies only those packets. Review the following two locations:

Option 1: Review any standard contract (whitelist) with an explicit deny for the fragment bit to counteract any allows.
Tenant >> Contracts >> Standard >> {{your_Contract}} >> {{your_contract_Subject}} >> Policy >> General >> Filters >> create/add a deny for ICMP traffic. The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.

Option 2: Review any taboo contract (blacklist) for the fragment bits:
Tenant >> Contracts >> Taboo >> {{your_Contract}} >> Policy >> General >> {{your_contract_Subject}} >> Filters >> create/add a deny for ICMP traffic. The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked. Verify ICMP and Fragmented are selected to be denied.

If all fragmented ICMP packets destined to Cisco ACI IP addresses are not dropped, this is a finding.

Fix Text

Place the deny rule before any permit rules for ICMP traffic to ensure fragmented ICMP packets are dropped first. When creating a contract, create a Deny statement that matches on the fragment bits and denies only those packets. There are 2 ways to do this.

Option 1: Create a standard contract (whitelist) with an explicit deny for the fragment bit to counteract any allows. Navigate to the following location and configure settings:
Tenant >> Contracts >> Standard >> {{your_Contract}} >> {{your_contract_Subject}} >> Policy >> General >> Filters >> create/add a deny for ICMP traffic.
The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.

Option 2: Create a taboo contract (blacklist) for the fragment bits by navigating to the following location:
Tenant >> Contracts >> Taboo >> {{your_Contract}} >> Policy >> General >> {{your_contract_Subject}} >> Filters >> create/add a deny for ICMP traffic.
The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.
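The check above can be scripted against the APIC object model rather than walked through the GUI. The following is an added example, not part of the STIG or of any DISA or Cisco tooling: it audits a flat APIC subtree query result (the `imdata` list) for a filter entry that matches only ICMP fragments and confirms it is referenced as a deny, either from a standard contract subject (Option 1, `vzRsSubjFiltAtt` with `action="deny"`) or from a taboo contract (Option 2, `vzRsDenyRule`). The sample data is constructed; the tenant, contract and filter names are hypothetical.

```python
import re

ETHER_IP = {"ip", "ipv4", "ipv6"}   # vzEntry etherT values that carry ICMP
ICMP_PROT = {"icmp", "icmpv6"}       # vzEntry prot values for ICMP/ICMPv6

# Constructed sample of an APIC subtree query result ("imdata"); class and
# attribute names follow the ACI object model, object names are hypothetical.
SAMPLE_IMDATA = [
    {"vzEntry": {"attributes": {"dn": "uni/tn-T1/flt-icmp-any/e-all",
        "etherT": "ip", "prot": "icmp", "applyToFrag": "no"}}},
    {"vzEntry": {"attributes": {"dn": "uni/tn-T1/flt-icmp-frag-deny/e-frag",
        "etherT": "ip", "prot": "icmp", "applyToFrag": "yes"}}},
    {"vzRsSubjFiltAtt": {"attributes": {   # standard contract, permits all ICMP
        "dn": "uni/tn-T1/brc-web/subj-icmp/rssubjFiltAtt-icmp-any",
        "tnVzFilterName": "icmp-any", "action": "permit"}}},
    {"vzRsDenyRule": {"attributes": {       # Option 2: taboo contract deny rule
        "dn": "uni/tn-T1/taboo-frag-block/tsubj-icmp/rsdenyRule-icmp-frag-deny",
        "tnVzFilterName": "icmp-frag-deny"}}},
]


def frag_icmp_filters(imdata):
    """Names of vzFilter objects holding an ICMP entry with Match Only Fragments set."""
    names = set()
    for obj in imdata:
        if "vzEntry" not in obj:
            continue
        a = obj["vzEntry"]["attributes"]
        if (a.get("etherT") in ETHER_IP and a.get("prot") in ICMP_PROT
                and a.get("applyToFrag") == "yes"):
            m = re.search(r"/flt-([^/]+)/", a.get("dn", ""))
            if m:
                names.add(m.group(1))
    return names


def audit(imdata):
    """Return (compliant, hits): hits lists every deny that uses a fragment-only ICMP filter."""
    flts = frag_icmp_filters(imdata)
    hits = []
    for obj in imdata:
        if "vzRsSubjFiltAtt" in obj:            # Option 1: standard contract subject
            a = obj["vzRsSubjFiltAtt"]["attributes"]
            if a.get("tnVzFilterName") in flts and a.get("action") == "deny":
                hits.append(("standard", a["dn"]))
        elif "vzRsDenyRule" in obj:             # Option 2: taboo contract subject
            a = obj["vzRsDenyRule"]["attributes"]
            if a.get("tnVzFilterName") in flts:
                hits.append(("taboo", a["dn"]))
    return bool(hits), hits


if __name__ == "__main__":
    ok, hits = audit(SAMPLE_IMDATA)
    print("compliant" if ok else "FINDING", hits)
```

The script does not verify rule ordering; for Option 1 the deny must still take precedence over ICMP permits in the same subject, which the audit would need to confirm separately (for example via the subject's filter priority settings).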