The Cisco ACI must not be configured to use IPv6 site local unicast addresses.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-272101	SRG-NET-000512-RTR-000013	CACI-RT-000041	SV-272101r1168417_rule	2025-12-11	1

Description
As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513. Specify the appropriate IPv6 address range within the relevant configuration objects like bridge domains and L3Out, ensuring the addresses fall within the allocated site local unicast prefix, and enable IPv6 routing on the fabric level, allowing the ACI switches to learn and route traffic based on these IPv6 addresses.

Description

As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513. Specify the appropriate IPv6 address range within the relevant configuration objects like bridge domains and L3Out, ensuring the addresses fall within the allocated site local unicast prefix, and enable IPv6 routing on the fabric level, allowing the ACI switches to learn and route traffic based on these IPv6 addresses.

ℹ️ Check
Review the router configuration to ensure FEC0::/10 IP addresses are not defined. Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Route Table >> IPV6 Routes and Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Client Endpoints This will display all IPV6 address in this VRF and on which leaf they reside. If the CLI is preferred, the command is as follows when run from the APIC: fabric {{node_ID}} show ipv6 interface brief or from each node: show ipv6 interface brief If IPv6 site local unicast addresses are defined, this is a finding.

ℹ️ Check

Review the router configuration to ensure FEC0::/10 IP addresses are not defined. Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Route Table >> IPV6 Routes and Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Client Endpoints This will display all IPV6 address in this VRF and on which leaf they reside. If the CLI is preferred, the command is as follows when run from the APIC: fabric {{node_ID}} show ipv6 interface brief or from each node: show ipv6 interface brief If IPv6 site local unicast addresses are defined, this is a finding.

✔️ Fix
Delete unauthorized addresses. Configure the IPv6 addresses on the ACI fabric's leaf switches and virtual network segments (bridge domains) within the desired tenant to use site local unicast addresses. Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Route Table >> IPV6 Routes Remove unauthorized addresses. Remove unauthorized addresses from the Client Endpoints list. Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Client Endpoints

✔️ Fix

Delete unauthorized addresses. Configure the IPv6 addresses on the ACI fabric's leaf switches and virtual network segments (bridge domains) within the desired tenant to use site local unicast addresses. Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Route Table >> IPV6 Routes Remove unauthorized addresses. Remove unauthorized addresses from the Client Endpoints list. Tenants >> {{your_Tenant}} >> Networking >> VRF >> {{your_VRF}} >> Operational >> Client Endpoints