1.1.1 Configure AAA Authentication - TACACS - aaa authentication | IDENTIFICATION AND AUTHENTICATION |
1.1.1 Configure AAA Authentication - TACACS - aaa group | IDENTIFICATION AND AUTHENTICATION |
1.1.1 Configure AAA Authentication - TACACS - feature tacacs+ | IDENTIFICATION AND AUTHENTICATION |
1.1.1 Configure AAA Authentication - TACACS - tacacs-server | IDENTIFICATION AND AUTHENTICATION |
1.1.2 Configure AAA Authentication - RADIUS - aaa authentication | IDENTIFICATION AND AUTHENTICATION |
1.1.2 Configure AAA Authentication - RADIUS - aaa group | IDENTIFICATION AND AUTHENTICATION |
1.1.2 Configure AAA Authentication - RADIUS - radius-server host | IDENTIFICATION AND AUTHENTICATION |
1.1.3 Configure AAA Authentication - Local SSH keys | IDENTIFICATION AND AUTHENTICATION |
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - console exec-timeout | ACCESS CONTROL |
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - ssh idle-timeout | ACCESS CONTROL |
1.2.2 Restrict Access to VTY Sessions - line vty access-class | SYSTEM AND COMMUNICATIONS PROTECTION |
1.2.2 Restrict Access to VTY Sessions - VTY ACL | SYSTEM AND COMMUNICATIONS PROTECTION |
1.3.1 Enable Password Complexity Requirements for Local Credentials | IDENTIFICATION AND AUTHENTICATION |
1.3.3 Set password lifetime, warning time and grace time for local credentials | IDENTIFICATION AND AUTHENTICATION |
1.3.4 Set password length for local credentials | IDENTIFICATION AND AUTHENTICATION |
1.4.1 If SNMPv2 is in use, use a Complex Community String | CONFIGURATION MANAGEMENT |
1.4.2 If SNMPv2 is in use, set Restrictions on Access - ACL | SYSTEM AND COMMUNICATIONS PROTECTION |
1.4.2 If SNMPv2 is in use, set Restrictions on Access - snmp-server | SYSTEM AND COMMUNICATIONS PROTECTION |
1.4.3 Configure SNMPv3 - engineID | IDENTIFICATION AND AUTHENTICATION |
1.4.3 Configure SNMPv3 - group v3 | IDENTIFICATION AND AUTHENTICATION |
1.4.4 Configure SNMP Traps | CONFIGURATION MANAGEMENT |
1.4.5 Configure SNMP Source Interface for Traps - snmp-server host | CONFIGURATION MANAGEMENT |
1.4.5 Configure SNMP Source Interface for Traps - snmp-server traps/informs | CONFIGURATION MANAGEMENT |
1.4.6 Do not Configure a Read Write SNMP Community String | SYSTEM AND INFORMATION INTEGRITY |
1.5.1 Ensure Syslog Logging is configured - logging level | AUDIT AND ACCOUNTABILITY |
1.5.1 Ensure Syslog Logging is configured - logging server/source-interface | AUDIT AND ACCOUNTABILITY |
1.5.2 Log all Successful and Failed Administrative Logins | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
1.5.3 Configure Netflow on Strategic Ports | AUDIT AND ACCOUNTABILITY |
1.5.4 Configure Logging Timestamps | AUDIT AND ACCOUNTABILITY |
1.6.1 Configure at least 3 external NTP Servers - ntp server | AUDIT AND ACCOUNTABILITY |
1.6.1 Configure at least 3 external NTP Servers - ntp source-interface | AUDIT AND ACCOUNTABILITY |
1.6.2 Configure a Time Zone | AUDIT AND ACCOUNTABILITY |
1.6.3 If a Local Time Zone is used, Configure Daylight Savings | AUDIT AND ACCOUNTABILITY |
1.7.1 Configure an MOTD (Message of the day) Banner | AWARENESS AND TRAINING |
1.7.2 Configure an EXEC Banner | AWARENESS AND TRAINING |
1.8.1 Disable Power on Auto Provisioning (POAP) | CONFIGURATION MANAGEMENT |
1.8.2 Disable iPXE (Pre-boot eXecution Environment) | CONFIGURATION MANAGEMENT |
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - logging | SYSTEM AND COMMUNICATIONS PROTECTION |
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntp | SYSTEM AND COMMUNICATIONS PROTECTION |
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server host | SYSTEM AND COMMUNICATIONS PROTECTION |
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informs | SYSTEM AND COMMUNICATIONS PROTECTION |
2.1.1 Configure Control Plane Policing | CONFIGURATION MANAGEMENT |
3.1.1.2 Configure EIGRP Passive interfaces for interfaces that do not have peers | CONFIGURATION MANAGEMENT |
3.1.1.3 Configure EIGRP log-adjacency-changes | SECURITY ASSESSMENT AND AUTHORIZATION |
3.1.2.1 Configure BGP to Log Neighbor Changes | CONFIGURATION MANAGEMENT |
3.1.3.1 Set Interfaces with no Peers to Passive-Interface | CONFIGURATION MANAGEMENT |
3.1.3.3 Log OSPF Adjacency Changes | CONFIGURATION MANAGEMENT |
3.1.4.1 If VLAN interfaces have IP addresses, configure anti spoofing / ingress filtering protections | AUDIT AND ACCOUNTABILITY, SECURITY ASSESSMENT AND AUTHORIZATION |
3.1.4.4 Configure HSRP protections - hsrp version 2 | SYSTEM AND COMMUNICATIONS PROTECTION |
3.1.4.4 Configure HSRP protections - interface md5 | IDENTIFICATION AND AUTHENTICATION |