The Cisco ACI must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-272104	SRG-NET-000362-RTR-000110	CACI-RT-000044	SV-272104r1168421_rule	2025-12-11	1

Description
The route processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental in ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages. A DoS attack targeting the RP can result in excessive CPU and memory utilization. To maintain network stability and RP security, the router must be able to handle specific control plane and management plane traffic destined to the RP. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing increases the security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.

Description

The route processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental in ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages. A DoS attack targeting the RP can result in excessive CPU and memory utilization. To maintain network stability and RP security, the router must be able to handle specific control plane and management plane traffic destined to the RP. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing increases the security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.

ℹ️ Check
Verify a Control Plane Policing (CoPP) policy is applied to the Leaf and or interface policies accordingly: Fabric >> Access Policies >> Policies >> Switch >> CoPP Pre-Filter for Leaf / CoPP Leaf Fabric >> Access Policies >> Policies >> Interface >> CoPP Interface Verify L3Out contracts include the CoPP policy. Inspect the policy at the following location: Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_l3out}} >> External EPGs >> {{your_External_EPG}} >> Policy >> Contract If the CoPP policy is not configured on all Leaf and/or interfaces, this is a finding.

ℹ️ Check

Verify a Control Plane Policing (CoPP) policy is applied to the Leaf and or interface policies accordingly: Fabric >> Access Policies >> Policies >> Switch >> CoPP Pre-Filter for Leaf / CoPP Leaf Fabric >> Access Policies >> Policies >> Interface >> CoPP Interface Verify L3Out contracts include the CoPP policy. Inspect the policy at the following location: Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_l3out}} >> External EPGs >> {{your_External_EPG}} >> Policy >> Contract If the CoPP policy is not configured on all Leaf and/or interfaces, this is a finding.

✔️ Fix
Protect against known types of DoS attacks on the route processor by implementing a CoPP policy. To meet this requirement, configure the COPP policy on each device, QOS to ensure the correct traffic is being dropped, and verify all l3 outs have the correct contracts applied to them. These policies must be applied to the Leaf and or interface policies accordingly. CoPP Policy: Fabric >> Access Policies >> Policies >> Switch >> CoPP Pre-Filter for Leaf / CoPP Leaf Fabric >> Access Policies >> Policies >> Interface >> CoPP Interface QOS: Since there are so many locations and settings required for this aspect, reference the QOS documentation to access these settings: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/Cisco-APIC-and-QoS.html Configure L3Out contracts include the CoPP policy. Inspect the policy at the following location: Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_l3out}} >> External EPGs >> {{your_External_EPG}} >> Policy >> Contract

✔️ Fix

Protect against known types of DoS attacks on the route processor by implementing a CoPP policy. To meet this requirement, configure the COPP policy on each device, QOS to ensure the correct traffic is being dropped, and verify all l3 outs have the correct contracts applied to them. These policies must be applied to the Leaf and or interface policies accordingly. CoPP Policy: Fabric >> Access Policies >> Policies >> Switch >> CoPP Pre-Filter for Leaf / CoPP Leaf Fabric >> Access Policies >> Policies >> Interface >> CoPP Interface QOS: Since there are so many locations and settings required for this aspect, reference the QOS documentation to access these settings: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/Cisco-APIC-and-QoS.html Configure L3Out contracts include the CoPP policy. Inspect the policy at the following location: Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_l3out}} >> External EPGs >> {{your_External_EPG}} >> Policy >> Contract