CISC-RT-000010 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.

CAT|II

CCI|CCI-001368

Rule-ID|SV-220986r622190_rule

STIG-ID|CISC-RT-000010

STIG-Legacy|SV-110793

STIG-Legacy|V-101689

Vuln-ID|V-220986

CISC-RT-000050 - The Cisco switch must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime.

CCI|CCI-000803

CCI|CCI-002205

Rule-ID|SV-220990r929064_rule

STIG-ID|CISC-RT-000050

STIG-Legacy|SV-110801

STIG-Legacy|V-101697

Vuln-ID|V-220990

CISC-RT-000060 - The Cisco switch must be configured to have all inactive layer 3 interfaces disabled.

CAT|III

CCI|CCI-001414

Rule-ID|SV-220991r622190_rule

STIG-ID|CISC-RT-000060

STIG-Legacy|SV-110803

STIG-Legacy|V-101699

Vuln-ID|V-220991

CISC-RT-000090 - The Cisco switch must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.

CCI|CCI-002385

Rule-ID|SV-220994r856401_rule

STIG-ID|CISC-RT-000090

STIG-Legacy|SV-110809

STIG-Legacy|V-101705

Vuln-ID|V-220994

CISC-RT-000120 - The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

CAT|I

CCI|CCI-001097

CCI|CCI-004866

Rule-ID|SV-220995r991944_rule

STIG-ID|CISC-RT-000120

STIG-Legacy|SV-110811

STIG-Legacy|V-101707

Vuln-ID|V-220995

CISC-RT-000150 - The Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces.

Rule-ID|SV-220998r856403_rule

STIG-ID|CISC-RT-000150

STIG-Legacy|SV-110817

STIG-Legacy|V-101713

Vuln-ID|V-220998

CISC-RT-000160 - The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces.

Rule-ID|SV-220999r856404_rule

STIG-ID|CISC-RT-000160

STIG-Legacy|SV-110819

STIG-Legacy|V-101715

Vuln-ID|V-220999

CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.

Rule-ID|SV-221000r856405_rule

STIG-ID|CISC-RT-000170

STIG-Legacy|SV-110821

STIG-Legacy|V-101717

Vuln-ID|V-221000

CISC-RT-000180 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.

Rule-ID|SV-221001r856406_rule

STIG-ID|CISC-RT-000180

STIG-Legacy|SV-110823

STIG-Legacy|V-101719

Vuln-ID|V-221001

CISC-RT-000190 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.

Rule-ID|SV-221002r856407_rule

STIG-ID|CISC-RT-000190

STIG-Legacy|SV-110825

STIG-Legacy|V-101721

Vuln-ID|V-221002

CISC-RT-000200 - The Cisco switch must be configured to log all packets that have been dropped at interfaces via an ACL.

CCI|CCI-000134

Rule-ID|SV-221003r622190_rule

STIG-ID|CISC-RT-000200

STIG-Legacy|SV-110827

STIG-Legacy|V-101723

Vuln-ID|V-221003

CISC-RT-000210 - The Cisco switch must be configured to produce audit records containing information to establish where the events occurred.

CCI|CCI-000132

Rule-ID|SV-221004r622190_rule

STIG-ID|CISC-RT-000210

STIG-Legacy|SV-110829

STIG-Legacy|V-101725

Vuln-ID|V-221004

CISC-RT-000220 - The Cisco switch must be configured to produce audit records containing information to establish the source of the events.

CCI|CCI-000133

Rule-ID|SV-221005r622190_rule

STIG-ID|CISC-RT-000220

STIG-Legacy|SV-110831

STIG-Legacy|V-101727

Vuln-ID|V-221005

CISC-RT-000230 - The Cisco switch must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.

Rule-ID|SV-221006r622190_rule

STIG-ID|CISC-RT-000230

STIG-Legacy|SV-110833

STIG-Legacy|V-101729

Vuln-ID|V-221006

CISC-RT-000235 - The Cisco switch must be configured to have Cisco Express Forwarding enabled.

CCI|CCI-000366

Rule-ID|SV-237750r648776_rule

STIG-ID|CISC-RT-000235

Vuln-ID|V-237750

CISC-RT-000236 - The Cisco switch must be configured to advertise a hop limit of at least 32 in Switch Advertisement messages for IPv6 stateless auto-configuration deployments.

Rule-ID|SV-237752r648780_rule

STIG-ID|CISC-RT-000236

Vuln-ID|V-237752

CISC-RT-000237 - The Cisco switch must not be configured to use IPv6 Site Local Unicast addresses.

Rule-ID|SV-237756r648787_rule

STIG-ID|CISC-RT-000237

Vuln-ID|V-237756

CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception.

CCI|CCI-001109

Rule-ID|SV-221007r622190_rule

STIG-ID|CISC-RT-000240

STIG-Legacy|SV-110835

STIG-Legacy|V-101731

Vuln-ID|V-221007

CISC-RT-000250 - The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

Rule-ID|SV-221008r622190_rule

STIG-ID|CISC-RT-000250

STIG-Legacy|SV-110837

STIG-Legacy|V-101733

Vuln-ID|V-221008

CISC-RT-000260 - The Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.

CCI|CCI-002403

Rule-ID|SV-221009r856408_rule

STIG-ID|CISC-RT-000260

STIG-Legacy|SV-110839

STIG-Legacy|V-101735

Vuln-ID|V-221009

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes.

Rule-ID|SV-221010r863263_rule

STIG-ID|CISC-RT-000270

STIG-Legacy|SV-110841

STIG-Legacy|V-101737

Vuln-ID|V-221010

CISC-RT-000310 - The Cisco perimeter switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).

CCI|CCI-001094

Rule-ID|SV-221011r945858_rule

STIG-ID|CISC-RT-000310

STIG-Legacy|SV-110843

STIG-Legacy|V-101739

Vuln-ID|V-221011

CISC-RT-000320 - The Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.

Rule-ID|SV-221012r622190_rule

STIG-ID|CISC-RT-000320

STIG-Legacy|SV-110845

STIG-Legacy|V-101741

Vuln-ID|V-221012

CISC-RT-000330 - The Cisco perimeter switch must be configured to filter ingress traffic at the external interface on an inbound direction.

Rule-ID|SV-221013r622190_rule

STIG-ID|CISC-RT-000330

STIG-Legacy|SV-110847

STIG-Legacy|V-101743

Vuln-ID|V-221013

CISC-RT-000340 - The Cisco perimeter switch must be configured to filter egress traffic at the internal interface on an inbound direction.

Rule-ID|SV-221014r622190_rule

STIG-ID|CISC-RT-000340

STIG-Legacy|SV-110849

STIG-Legacy|V-101745

Vuln-ID|V-221014

CISC-RT-000350 - The Cisco perimeter switch must be configured to block all packets with any IP options.

Rule-ID|SV-221015r945859_rule

STIG-ID|CISC-RT-000350

STIG-Legacy|SV-110851

STIG-Legacy|V-101747

Vuln-ID|V-221015

CISC-RT-000360 - The Cisco perimeter switch must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.

Rule-ID|SV-221016r856411_rule

STIG-ID|CISC-RT-000360

STIG-Legacy|SV-110853

STIG-Legacy|V-101749

Vuln-ID|V-221016

CISC-RT-000370 - The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.

Rule-ID|SV-221017r856412_rule

STIG-ID|CISC-RT-000370

STIG-Legacy|SV-110855

STIG-Legacy|V-101751

Vuln-ID|V-221017

CISC-RT-000380 - The Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces.

Rule-ID|SV-221018r856413_rule

STIG-ID|CISC-RT-000380

STIG-Legacy|SV-110857

STIG-Legacy|V-101753

Vuln-ID|V-221018

CISC-RT-000390 - The Cisco perimeter switch must be configured to block all outbound management traffic.

Rule-ID|SV-221019r945857_rule

STIG-ID|CISC-RT-000390

STIG-Legacy|SV-110859

STIG-Legacy|V-101755

Vuln-ID|V-221019

CISC-RT-000391 - The Cisco perimeter switch must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.

Rule-ID|SV-237759r648792_rule

STIG-ID|CISC-RT-000391

Vuln-ID|V-237759

CISC-RT-000392 - The Cisco perimeter switch must be configured to drop IPv6 undetermined transport packets.

Rule-ID|SV-237762r950991_rule

STIG-ID|CISC-RT-000392

Vuln-ID|V-237762

CISC-RT-000393 - The Cisco perimeter switch must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255.

Rule-ID|SV-237764r856665_rule

Detections

Analytics

DISA STIG Cisco IOS XE Switch RTR v3r1

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Revision 1.3

Miscellaneous

Revision 1.2

Functional Update

Miscellaneous

Revision 1.1

Functional Update

Detections

Analytics

DISA STIG Cisco IOS XE Switch RTR v3r1 Download File

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Revision 1.3

Miscellaneous

Revision 1.2

Functional Update

Miscellaneous

Revision 1.1

Functional Update

DISA STIG Cisco IOS XE Switch RTR v3r1