STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco router must be configured to have Gratuitous ARP disabled on all external interfaces.

DISA Rule

SV-216653r531086_rule

Vulnerability Number

V-216653

Group Title

SRG-NET-000362-RTR-000111

Rule Version

CISC-RT-000150

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Disable gratuitous ARP as shown in the example below:

R5(config)#no ip gratuitous-arps

Check Contents

Review the configuration to determine if gratuitous ARP is disabled. The following command should not be found in the router configuration:

ip gratuitous-arps

Note: With Cisco IOS, Gratuitous ARP is enabled and disabled globally.

If gratuitous ARP is enabled on any external interface, this is a finding.

Vulnerability Number

V-216653

Documentable

False

Rule Version

CISC-RT-000150

Severity Override Guidance

Review the configuration to determine if gratuitous ARP is disabled. The following command should not be found in the router configuration:

ip gratuitous-arps

Note: With Cisco IOS, Gratuitous ARP is enabled and disabled globally.

If gratuitous ARP is enabled on any external interface, this is a finding.

Check Content Reference

M

Target Key

4028

Comments