Cisco ACI must be configured so the BGP neighbor is directly connected and will not connect a BGP session to a directly connected neighbor device's loopback address.

Severity: low
Group ID: V-272094
Group Title: SRG-NET-000362-RTR-000124
Version: CACI-RT-000034
Rule ID: SV-272094r1168411_rule
Date: 2025-12-11
STIG Version: 1
Description
Generalized Time To Live Security Mechanism (GTSM) is designed to protect a router's IP-based control plane from denial-of-service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol (EBGP) speaking routers. ACI mitigates this risk in a different way, as there is currently no option for TTL security or GTSM support; however, ACI is set up by default to validate that the BGP neighbor is directly connected and will not even establish a BGP session to a directly connected neighbor device's loopback address.
Check
Review the BGP configuration to verify that TTL security has been left at the default settings. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy.

Verify the following in the policy:
- Disable Connected Check is unmarked
- EBGP Multihop TTL = 1

If the Cisco ACI is not configured to use GTSM for all Exterior BGP peering sessions, this is a finding.
Fix
If ACI is determined to be configured differently than the default settings, reconfigure to the default settings by performing the following actions on the BGP connectivity profile. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy.

Reset the following in the policy:
- Disable Connected Check is unmarked
- EBGP Multihop TTL = 1
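The check above can be automated against an APIC export of the BGP peer connectivity profiles rather than clicking through every L3Out. The script below is an added example, not part of the STIG; it assumes the ACI class `bgpPeerP` with attributes `ttl` (EBGP Multihop TTL) and `peerCtrl` (containing `dis-conn-check` when Disable Connected Check is marked), and runs over a constructed sample of what `GET /api/class/bgpPeerP.json` might return.

```python
import json

# Constructed sample of an APIC class query response for two BGP peer
# connectivity profiles. The class name bgpPeerP and the attributes ttl
# and peerCtrl are assumptions about the ACI object model; the DNs and
# peer addresses are made up for this example.
SAMPLE_APIC_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"bgpPeerP": {"attributes": {
            "dn": "uni/tn-prod/out-wan/lnodep-n1/lifp-i1/peerP-[192.0.2.1]",
            "addr": "192.0.2.1", "ttl": "1", "peerCtrl": ""}}},
        {"bgpPeerP": {"attributes": {
            "dn": "uni/tn-prod/out-wan/lnodep-n1/lifp-i1/peerP-[192.0.2.9]",
            "addr": "192.0.2.9", "ttl": "3", "peerCtrl": "bfd,dis-conn-check"}}},
    ],
})


def evaluate_peers(apic_json: str) -> list:
    """Return one record per BGP peer profile with the STIG result.

    A peer is compliant only when Disable Connected Check is unmarked
    (no "dis-conn-check" flag in peerCtrl) and EBGP Multihop TTL is 1.
    """
    results = []
    for item in json.loads(apic_json)["imdata"]:
        attrs = item["bgpPeerP"]["attributes"]
        flags = {f for f in attrs.get("peerCtrl", "").split(",") if f}
        ttl = int(attrs.get("ttl", "1"))
        problems = []
        if "dis-conn-check" in flags:
            problems.append("Disable Connected Check is marked")
        if ttl != 1:
            problems.append(f"EBGP Multihop TTL = {ttl}, expected 1")
        results.append({"dn": attrs["dn"], "peer": attrs["addr"],
                        "finding": bool(problems), "problems": problems})
    return results


def has_finding(apic_json: str) -> bool:
    """True if any peer deviates from the defaults the STIG requires."""
    return any(r["finding"] for r in evaluate_peers(apic_json))


if __name__ == "__main__":
    for r in evaluate_peers(SAMPLE_APIC_RESPONSE):
        status = "FINDING" if r["finding"] else "ok"
        print(f"{status:8} {r['peer']:<12} {'; '.join(r['problems'])}")
```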