
Cisco ACI Router Security Technical Implementation Guide

Version: V1R2
Release Date: Dec 11, 2025
SCAP Benchmark ID: Cisco_ACI_RTR_STIG
Total Checks: 26
Tags: network
Severity breakdown: CAT I: 0, CAT II: 18, CAT III: 8

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (26)

  • V-272061 (MEDIUM): The Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
  • V-272062 (MEDIUM): The BGP Cisco ACI must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
  • V-272063 (MEDIUM): The BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
  • V-272064 (LOW): The BGP Cisco ACI must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.
  • V-272069 (MEDIUM): The multicast Cisco ACI must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
  • V-272073 (LOW): The Cisco ACI multicast rendezvous point (RP) must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the designated router (DR) for any undesirable multicast groups and sources.
  • V-272074 (LOW): The multicast rendezvous point (RP) Cisco ACI must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the designated router (DR) for any undesirable multicast groups.
  • V-272075 (LOW): The Cisco ACI must be configured to log all packets that have been dropped.
  • V-272076 (MEDIUM): The Cisco ACI must not be configured to have any feature enabled that calls home to the vendor.
  • V-272077 (MEDIUM): The Cisco ACI must be configured to use encryption for routing protocol authentication.
  • V-272078 (MEDIUM): The Cisco ACI must be configured to authenticate all routing protocol messages using a NIST-validated FIPS 198-1 message authentication code algorithm.
  • V-272079 (MEDIUM): The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
  • V-272081 (MEDIUM): The Cisco ACI must be configured to only permit management traffic that ingresses and egresses the OOBM interface.
  • V-272082 (MEDIUM): The Cisco ACI must be configured to implement message authentication and secure communications for all control plane protocols.
  • V-272086 (MEDIUM): The Cisco ACI must be configured to have gratuitous ARP (GARP) disabled on all external interfaces.
  • V-272087 (MEDIUM): The Cisco ACI must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
  • V-272088 (MEDIUM): The BGP Cisco ACI must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
  • V-272089 (LOW): The BGP Cisco ACI must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
  • V-272091 (MEDIUM): The multicast rendezvous point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.
  • V-272092 (MEDIUM): The Cisco ACI must be configured to limit the mroute states created by Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) reports on a Cisco APIC Bridge Domain (BD) or interface.
  • V-272094 (LOW): Cisco ACI must be configured so the BGP neighbor is directly connected and will not connect a BGP session to a directly connected neighbor device's loopback address.
  • V-272095 (LOW): The Cisco ACI multicast must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups and only from sources that have been approved by the organization.
  • V-272098 (LOW): The Cisco ACI must be configured to use its loopback address as the source address for internal Border Gateway Protocol (iBGP) peering sessions.
  • V-272101 (MEDIUM): The Cisco ACI must not be configured to use IPv6 site local unicast addresses.
  • V-272103 (MEDIUM): The Cisco ACI must establish organization-defined alternate communication paths for system operations organizational command and control.
  • V-272104 (MEDIUM): The Cisco ACI must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.