
The Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces.


Overview

Finding ID: V-221082
Version: CISC-RT-000150
Rule ID: SV-221082r622190_rule
IA Controls: (none listed)
Severity: Medium
Description
A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.
STIG Date
Cisco NX-OS Switch RTR Security Technical Implementation Guide 2021-03-29

Details

Check Text (C-22797r409735_chk)
Review the configuration to determine if gratuitous ARP is disabled on all external interfaces as shown in the example below:

interface Ethernet2/7
no switchport
ip address x.22.4.2/30
no ip arp gratuitous request

Note: Gratuitous ARP is enabled on all interfaces by default.

If gratuitous ARP is enabled on any external interface, this is a finding.
Fix Text (F-22786r409736_fix)
Disable Gratuitous ARP as shown in the example below:

SW1(config)# int e2/7
SW1(config-if)# no ip arp gratuitous request
SW1(config-if)# end
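The check above is a manual review of each external interface's configuration. The following script, an added example that is not part of the STIG, automates that review over the text of "show running-config": it splits the output into per-interface blocks and flags every interface in an assumed list of external interfaces that lacks "no ip arp gratuitous request" (since the feature is enabled by default, absence of the "no" line is a finding). The interface names and addresses in the sample configuration are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of NX-OS running-config output; not captured from a real device.
SAMPLE_CONFIG = """\
interface Ethernet2/7
  no switchport
  ip address x.22.4.2/30
  no ip arp gratuitous request
interface Ethernet2/8
  no switchport
  ip address x.22.4.6/30
interface Ethernet2/9
  switchport
  switchport access vlan 10
"""

# Hypothetical set of interfaces the site has designated as external.
EXTERNAL_INTERFACES: Set[str] = {"Ethernet2/7", "Ethernet2/8"}

REQUIRED_LINE = "no ip arp gratuitous request"


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' block to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith((" ", "\t")):
            # Top-level command: only 'interface ...' opens a block we track.
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
            continue
        if current is not None:
            blocks[current].append(line.strip())
    return blocks


def audit_gratuitous_arp(config: str, external: Set[str]) -> Dict[str, str]:
    """Return 'pass', 'finding' or 'missing' for each external interface."""
    blocks = parse_interfaces(config)
    results: Dict[str, str] = {}
    for name in sorted(external):
        lines = blocks.get(name)
        if lines is None:
            results[name] = "missing"      # not present in the config at all
        elif REQUIRED_LINE in lines:
            results[name] = "pass"
        else:
            results[name] = "finding"      # default (enabled) still applies
    return results
```

A "missing" verdict means the interface named as external does not appear in the configuration, which should be resolved before treating the check as complete.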