The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Severity: medium
Group ID: V-272079
Group Title: SRG-NET-000205-RTR-000002
Version: CACI-RT-000019
Rule ID: SV-272079r1168423_rule
Date: 2025-12-11
STIG Version: 1
Description
Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
Check
If this review is for the DODIN Backbone, mark as Not Applicable.

When creating a contract, create a Deny statement that looks at all the fragmented bits and denies only those packets. Review the following two locations:

1. Option 1: Review any standard contract (whitelist) with an explicit deny for the fragment bit to counteract any allows.
   Tenant >> Contracts >> Standard >> {{your_Contract}} >> {{your_contract_Subject}} >> Policy >> General >> Filters >> create/add a deny for ICMP traffic.
   The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.

2. Option 2: Review any taboo contract (blacklist) for the fragment bits:
   Tenant >> Contracts >> Taboo >> {{your_Contract}} >> Policy >> General >> {{your_contract_Subject}} >> Filters >> create/add a deny for ICMP traffic.
   The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.

3. Verify ICMP and Fragmented are selected to be denied.

If all fragmented ICMP packets destined to Cisco ACI IP addresses are not dropped, this is a finding.
Fix
Place the deny rule before any permit rules for ICMP traffic to ensure fragmented ICMP packets are dropped first. When creating a contract, create a Deny statement that looks at all the fragmented bits and denies only those packets. There are two ways to do this.

Option 1: Create a standard contract (whitelist) with an explicit deny for the fragment bit to counteract any allows. Navigate to the following location and configure the settings:
Tenant >> Contracts >> Standard >> {{your_Contract}} >> {{your_contract_Subject}} >> Policy >> General >> Filters >> create/add a deny for ICMP traffic.
The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.

Option 2: Create a taboo contract (blacklist) for the fragment bits by navigating to the following location:
Tenant >> Contracts >> Taboo >> {{your_Contract}} >> Policy >> General >> {{your_contract_Subject}} >> Filters >> create/add a deny for ICMP traffic.
The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.