CISC-RT-000010 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.

CAT|II

CCI|CCI-001368

Rule-ID|SV-221071r622190_rule

STIG-ID|CISC-RT-000010

STIG-Legacy|SV-110961

STIG-Legacy|V-101857

Vuln-ID|V-221071

CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - bgp

800-53|AC-4(17)

800-53|CM-6

CCI|CCI-000366

CCI|CCI-002205

Rule-ID|SV-221072r622190_rule

STIG-ID|CISC-RT-000020

STIG-Legacy|SV-110963

STIG-Legacy|V-101859

Vuln-ID|V-221072

CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - eigrp

800-53|SC-8(1)

CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - is-is

800-53|IA-7

CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - ospf

CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - rip

CISC-RT-000030 - The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

Rule-ID|SV-221073r622190_rule

STIG-ID|CISC-RT-000030

STIG-Legacy|SV-110965

STIG-Legacy|V-101861

Vuln-ID|V-221073

CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - bgp

CCI|CCI-000803

Rule-ID|SV-221074r622190_rule

STIG-ID|CISC-RT-000040

STIG-Legacy|SV-110967

STIG-Legacy|V-101863

Vuln-ID|V-221074

CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - eigrp

CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - is-is

CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - ospf

CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - rip

CISC-RT-000050 - The Cisco switch must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.

Rule-ID|SV-221075r622190_rule

STIG-ID|CISC-RT-000050

STIG-Legacy|SV-110969

STIG-Legacy|V-101865

Vuln-ID|V-221075

CISC-RT-000060 - The Cisco switch must be configured to have all inactive layer 3 interfaces disabled.

800-53|AC-4

CAT|III

CCI|CCI-001414

Rule-ID|SV-221076r622190_rule

STIG-ID|CISC-RT-000060

STIG-Legacy|SV-110971

STIG-Legacy|V-101867

Vuln-ID|V-221076

CISC-RT-000070 - The Cisco switch must be configured to have all non-essential capabilities disabled.

800-53|CM-7

CCI|CCI-000381

Rule-ID|SV-221077r622190_rule

STIG-ID|CISC-RT-000070

STIG-Legacy|SV-110973

STIG-Legacy|V-101869

Vuln-ID|V-221077

CISC-RT-000080 - The Cisco switch must not be configured to have any feature enabled that calls home to the vendor.

800-53|SC-7(11)

CCI|CCI-002403

Rule-ID|SV-221078r622190_rule

STIG-ID|CISC-RT-000080

STIG-Legacy|SV-110975

STIG-Legacy|V-101871

Vuln-ID|V-221078

CISC-RT-000120 - The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

CCI|CCI-002385

CSCv6|3.1

Rule-ID|SV-221079r622190_rule

STIG-ID|CISC-RT-000120

STIG-Legacy|SV-110977

STIG-Legacy|V-101873

Vuln-ID|V-221079

CISC-RT-000130 - The Cisco switch must be configured to restrict traffic destined to itself.

CAT|I

CCI|CCI-001097

Rule-ID|SV-221080r622190_rule

STIG-ID|CISC-RT-000130

STIG-Legacy|SV-110979

STIG-Legacy|V-101875

Vuln-ID|V-221080

CISC-RT-000140 - The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself - external

Rule-ID|SV-221081r622190_rule

STIG-ID|CISC-RT-000140

STIG-Legacy|SV-110981

STIG-Legacy|V-101877

Vuln-ID|V-221081

CISC-RT-000140 - The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself - internal

CISC-RT-000150 - The Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces.

800-53|SC-5

Rule-ID|SV-221082r622190_rule

STIG-ID|CISC-RT-000150

STIG-Legacy|SV-110983

STIG-Legacy|V-101879

Vuln-ID|V-221082

CISC-RT-000160 - The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces.

Rule-ID|SV-221083r622190_rule

STIG-ID|CISC-RT-000160

STIG-Legacy|SV-110985

STIG-Legacy|V-101881

Vuln-ID|V-221083

CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces - DODIN Backbone

Rule-ID|SV-221084r622190_rule

STIG-ID|CISC-RT-000170

STIG-Legacy|SV-110987

STIG-Legacy|V-101883

Vuln-ID|V-221084

CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces - ip unreachables

800-53|SC-7(16)

CISC-RT-000190 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.

Rule-ID|SV-221085r622190_rule

STIG-ID|CISC-RT-000190

STIG-Legacy|SV-110989

STIG-Legacy|V-101885

Vuln-ID|V-221085

CISC-RT-000200 - The Cisco switch must be configured to log all packets that have been dropped at interfaces via an ACL.

CCI|CCI-000134

Rule-ID|SV-221086r622190_rule

STIG-ID|CISC-RT-000200

STIG-Legacy|SV-110991

STIG-Legacy|V-101887

Vuln-ID|V-221086

CISC-RT-000236 - The Cisco switch must be configured to advertise a hop limit of at least 32 in Switch Advertisement messages for IPv6 stateless auto-configuration deployments.

Rule-ID|SV-237754r648783_rule

STIG-ID|CISC-RT-000236

Vuln-ID|V-237754

CISC-RT-000237 - The Cisco switch must not be configured to use IPv6 Site Local Unicast addresses.

Rule-ID|SV-237757r648788_rule

STIG-ID|CISC-RT-000237

Vuln-ID|V-237757

CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception - access-group in

CCI|CCI-001109

Rule-ID|SV-221087r622190_rule

STIG-ID|CISC-RT-000240

STIG-Legacy|SV-110993

STIG-Legacy|V-101889

Vuln-ID|V-221087

CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception - deny rule

CISC-RT-000250 - The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

Rule-ID|SV-221088r622190_rule

STIG-ID|CISC-RT-000250

STIG-Legacy|SV-110995

STIG-Legacy|V-101891

Vuln-ID|V-221088

CISC-RT-000260 - The Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.

Rule-ID|SV-221089r622190_rule

STIG-ID|CISC-RT-000260

STIG-Legacy|SV-110997

STIG-Legacy|V-101893

Vuln-ID|V-221089

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - access-group in

Rule-ID|SV-221090r622190_rule

STIG-ID|CISC-RT-000270

STIG-Legacy|SV-110999

STIG-Legacy|V-101895

Vuln-ID|V-221090

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 0.0.0.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 10.0.0.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 100.64.0.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 127.0.0.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 169.254.0.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 172.16.0.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.0.0.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.0.2.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.18.0.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.168.0.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 198.51.100.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 203.0.113.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 224.0.0.0

CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 240.0.0.0

CISC-RT-000310 - The Cisco perimeter switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).

CCI|CCI-001094

Rule-ID|SV-221091r622190_rule

STIG-ID|CISC-RT-000310

STIG-Legacy|SV-111001

STIG-Legacy|V-101897

Vuln-ID|V-221091

CISC-RT-000320 - The Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.

Rule-ID|SV-221092r622190_rule

STIG-ID|CISC-RT-000320

STIG-Legacy|SV-111003

STIG-Legacy|V-101899

Vuln-ID|V-221092

CISC-RT-000330 - The Cisco perimeter switch must be configured to filter ingress traffic at the external interface on an inbound direction.

Rule-ID|SV-221093r622190_rule

STIG-ID|CISC-RT-000330

STIG-Legacy|SV-111005

STIG-Legacy|V-101901

Vuln-ID|V-221093

CISC-RT-000340 - The Cisco perimeter switch must be configured to filter egress traffic at the internal interface on an inbound direction.

Detections

Analytics

DISA STIG Cisco NX-OS Switch RTR v2r1

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Revision 1.7

Miscellaneous

Revision 1.6

Miscellaneous

Revision 1.5

Miscellaneous

Revision 1.4

Miscellaneous

Revision 1.3

Miscellaneous

Added

Revision 1.2

Miscellaneous

Revision 1.1

Miscellaneous

Detections

Analytics

DISA STIG Cisco NX-OS Switch RTR v2r1 Download File

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Revision 1.7

Miscellaneous

Revision 1.6

Miscellaneous

Revision 1.5

Miscellaneous

Revision 1.4

Miscellaneous

Revision 1.3

Miscellaneous

Added

Revision 1.2

Miscellaneous

Revision 1.1

Miscellaneous

DISA STIG Cisco NX-OS Switch RTR v2r1