The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Severity: medium
Group ID: V-272079
Group Title: SRG-NET-000205-RTR-000002
Version: CACI-RT-000019
Rule ID: SV-272079r1114312_rule
Date: 2025-06-18
STIG Version: 1
Description
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
Check

If this review is for the DODIN Backbone, mark as not applicable.

Review the external and internal ACLs to verify that the router is configured to only allow specific management and control plane traffic from specific sources destined to itself.

1. Navigate Tenant >> Contract >> Filter.
2. Select the "Drop Fragmented ICMP" filter.
3. Verify ICMP and Fragmented are selected to be denied.

If all fragmented ICMP packets destined to Cisco ACI IP addresses are not dropped, this is a finding.
Fix

Ensure this deny rule is placed before any permit rules for ICMP traffic to ensure fragmented ICMP packets are dropped first.

1. Navigate Tenant >> Contract >> Filter.
2. Create or edit a filter (e.g., "Drop Fragmented ICMP").
3. Set Match to include:
   Protocol: ICMP
   Fragmentation: "Fragmented"
4. Set Action to "Deny".
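The check and fix above are expressed as GUI steps. The following is an added example, not part of the STIG, of the same verification done against an exported APIC filter and contract subject: it confirms the filter entry matches ICMP with Fragmented selected and that the contract subject attaches that filter with action Deny. It assumes the ACI object model attribute names (vzEntry.prot, vzEntry.applyToFrag, vzRsSubjFiltAtt.action, vzRsSubjFiltAtt.tnVzFilterName) and the constructed sample objects below.

```python
import json

# Constructed samples in the JSON shape an APIC exports for a filter object and
# for a contract subject that references it. The attribute names follow the ACI
# object model and are an assumption of this example, not text from the STIG.
COMPLIANT_FILTER = json.dumps({"vzFilter": {"attributes": {"name": "Drop Fragmented ICMP"},
    "children": [{"vzEntry": {"attributes": {"name": "icmp-frag", "etherT": "ip",
                                             "prot": "icmp", "applyToFrag": "yes"}}}]}})

# Same filter but with "Fragmented" not selected: it does not single out fragments.
WEAK_FILTER = json.dumps({"vzFilter": {"attributes": {"name": "Drop Fragmented ICMP"},
    "children": [{"vzEntry": {"attributes": {"name": "icmp", "etherT": "ip",
                                             "prot": "icmp", "applyToFrag": "no"}}}]}})

SUBJECT = json.dumps({"vzSubj": {"attributes": {"name": "mgmt-plane"},
    "children": [
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "Drop Fragmented ICMP",
                                            "action": "deny"}}},
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "Permit ICMP",
                                            "action": "permit"}}}]}})


def matches_fragmented_icmp(filter_json):
    """True if some entry in the filter matches ICMP with Fragmented selected."""
    flt = json.loads(filter_json)["vzFilter"]
    return any(
        e.get("vzEntry", {}).get("attributes", {}).get("prot") == "icmp"
        and e["vzEntry"]["attributes"].get("applyToFrag") == "yes"
        for e in flt.get("children", [])
    )


def subject_action(subject_json, filter_name):
    """Return the action the subject applies to the named filter, or None if absent."""
    subj = json.loads(subject_json)["vzSubj"]
    for child in subj.get("children", []):
        attrs = child.get("vzRsSubjFiltAtt", {}).get("attributes", {})
        if attrs.get("tnVzFilterName") == filter_name:
            return attrs.get("action", "permit")  # assumed default when unset
    return None


def findings(filter_json, subject_json):
    """List findings for this STIG check; an empty list means the check passes."""
    name = json.loads(filter_json)["vzFilter"]["attributes"]["name"]
    out = []
    if not matches_fragmented_icmp(filter_json):
        out.append(f'filter "{name}" does not match ICMP with Fragmented selected')
    if subject_action(subject_json, name) != "deny":
        out.append(f'filter "{name}" is not attached to the subject with action Deny')
    return out
```

Run `findings(COMPLIANT_FILTER, SUBJECT)` to see an empty list, and `findings(WEAK_FILTER, SUBJECT)` to see the finding produced when Fragmented is not selected.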