DISA STIG Cisco IOS Router RTR v2r1

Audit Details

Name: DISA STIG Cisco IOS Router RTR v2r1

Updated: 12/7/2022

Authority: DISA STIG

Plugin: Cisco

Revision: 1.8

Estimated Item Count: 146

File Details

Filename: DISA_STIG_Cisco_IOS_Router_RTR_v2r1.audit

Size: 482 kB

MD5: 2fa0120e16350fdd6bf5a5a4e2b1ef02
SHA256: fcef222ed17cfd90578322ee63f47c8a29eae22b1360a4e85b440141266b979d

Audit Changelog

Revision 1.8

Dec 7, 2022

Functional Update
  • CISC-RT-000600 - The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange - IS-IS
  • CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
Revision 1.7

Aug 9, 2022

Functional Update
  • CISC-RT-000600 - The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange - IS-IS
  • CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
Miscellaneous
  • Metadata updated.
  • See also link updated.
Revision 1.6

Apr 25, 2022

Functional Update
  • CISC-RT-000600 - The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange - IS-IS
  • CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
Revision 1.5

Apr 5, 2022

Functional Update
  • CISC-RT-000600 - The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange - IS-IS
  • CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
Miscellaneous
  • Metadata updated.
  • References updated.
  • See also link updated.
Revision 1.4

Jul 30, 2021

Functional Update
  • CISC-RT-000600 - The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange - IS-IS
  • CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.3

Jun 17, 2021

Functional Update
  • CISC-RT-000600 - The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange - IS-IS
  • CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.2

Jun 7, 2021

Functional Update
  • CISC-RT-000600 - The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange - IS-IS
  • CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
Informational Update
  • CISC-RT-000236 - The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
  • CISC-RT-000391 - The Cisco perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
Miscellaneous
  • Metadata updated.
  • See also link updated.
Added
  • CISC-RT-000235 - The Cisco router must be configured to have Cisco Express Forwarding enabled - ip
  • CISC-RT-000235 - The Cisco router must be configured to have Cisco Express Forwarding enabled - ipv6
  • CISC-RT-000392 - The Cisco perimeter router must be configured to drop IPv6 undetermined transport packets - outside interface
  • CISC-RT-000392 - The Cisco perimeter router must be configured to drop IPv6 undetermined transport packets.
  • CISC-RT-000393 - The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255 - deny ipv6 any any
  • CISC-RT-000393 - The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255 - outside interface
  • CISC-RT-000393 - The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255 - permit 0, 1, or 3-255
  • CISC-RT-000394 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values - dest-option-type
  • CISC-RT-000394 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values - outside interface
  • CISC-RT-000395 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values - dest-option-type
  • CISC-RT-000395 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values - outside interface
  • CISC-RT-000396 - The Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option - dest-option-type
  • CISC-RT-000396 - The Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option - outside interface
  • CISC-RT-000397 - The Cisco perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header - dest-option-type
  • CISC-RT-000397 - The Cisco perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header - outside interface
  • CISC-RT-000398 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type - dest-option-type
  • CISC-RT-000398 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type - outside interface
Removed
  • CISC-RT-000235 - The Cisco router must be configured to have Cisco Express Forwarding enabled. - ip
  • CISC-RT-000235 - The Cisco router must be configured to have Cisco Express Forwarding enabled. - ipv6
  • CISC-RT-000392 - The Cisco perimeter router must be configured to drop IPv6 undetermined transport packets. - outside interface
  • CISC-RT-000392 - The Cisco perimeter router must be configured to drop IPv6 undetermined transport packets. ipv6 ingress acl
  • CISC-RT-000393 - The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255. - deny ipv6 any any
  • CISC-RT-000393 - The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255. - outside interface
  • CISC-RT-000393 - The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255. - permit 0, 1, or 3-255
  • CISC-RT-000394 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values. - dest-option-type
  • CISC-RT-000394 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values. - outside interface
  • CISC-RT-000395 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values. - dest-option-type
  • CISC-RT-000395 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values. - outside interface
  • CISC-RT-000396 - The Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option. - dest-option-type
  • CISC-RT-000396 - The Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option. - outside interface
  • CISC-RT-000397 - The Cisco perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header. - dest-option-type
  • CISC-RT-000397 - The Cisco perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header. - outside interface
  • CISC-RT-000398 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type. - dest-option-type
  • CISC-RT-000398 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type. - outside interface
Revision 1.1

Apr 28, 2021

Functional Update
  • CISC-RT-000600 - The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange - IS-IS
  • CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
Miscellaneous
  • Metadata updated.
  • References updated.