| CISC-L2-000030 - The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-L2-000130 - The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. | DISA Cisco IOS XE Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000150 - The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. | DISA Cisco IOS XE Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000270 - The Cisco switch must not have any switchports assigned to the native VLAN. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-000100 - The Cisco switch must be configured to automatically audit account modification. | DISA Cisco NX OS Switch NDM STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-ND-000120 - The Cisco switch must be configured to automatically audit account removal actions. | DISA Cisco IOS XE Switch NDM STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-ND-000140 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies. | DISA Cisco NX OS Switch NDM STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-ND-000290 - The Cisco switch must produce audit records containing information to establish where the events occurred. | DISA Cisco IOS XE Switch NDM STIG v3r4 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000330 - The Cisco switch must be configured to generate audit records containing the full-text recording of privileged commands. | DISA Cisco NX OS Switch NDM STIG v3r3 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000380 - The Cisco switch must be configured to protect audit information from unauthorized modification. | DISA Cisco IOS XE Switch NDM STIG v3r4 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000490 - The Cisco switch must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | DISA Cisco IOS XE Switch NDM STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts. | DISA Cisco NX OS Switch NDM STIG v3r3 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-ND-000720 - The Cisco switch must be configured to terminate all network connections associated with device management after five minutes of inactivity. | DISA Cisco IOS XE Switch NDM STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-000880 - The Cisco switch must be configured to automatically audit account enabling actions. | DISA Cisco NX OS Switch NDM STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-ND-001250 - The Cisco switch must be configured to generate log records when administrator privileges are deleted. | DISA Cisco NX OS Switch NDM STIG v3r3 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-001280 - The Cisco switch must generate audit records showing starting and ending time for administrator access to the system. | DISA Cisco NX OS Switch NDM STIG v3r3 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-001410 - The Cisco switch must be configured to support organizational requirements to conduct backups of the configuration when changes occur. | DISA Cisco IOS XE Switch NDM STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING |
| CISC-ND-001450 - The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | DISA Cisco IOS XE Switch NDM STIG v3r4 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000010 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000010 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000080 - The Cisco switch must not be configured to have any feature enabled that calls home to the vendor. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000160 - The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000160 - The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000180 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000200 - The Cisco switch must be configured to log all packets that have been dropped at interfaces via an ACL. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000230 - The Cisco switch must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000236 - The Cisco switch must be configured to advertise a hop limit of at least 32 in Switch Advertisement messages for IPv6 stateless auto-configuration deployments. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000237 - The Cisco switch must not be configured to use IPv6 Site Local Unicast addresses. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000250 - The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000320 - The Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000398 - The Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000490 - The Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000510 - The Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000560 - The Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000580 - The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000610 - The MPLS switch with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core switches. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000620 - The Cisco MPLS switch must be configured to have TTL Propagation disabled. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-RT-000670 - The Cisco PE switch providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000680 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000700 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000700 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000750 - The Cisco PE switch must be configured to ignore or drop all packets with any IP options. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000760 - The Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000770 - The Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000800 - The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000810 - The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000820 - The Cisco multicast Rendezvous Point (RP) switch must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000890 - The Cisco multicast Designated switch (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. | DISA Cisco IOS XE Switch RTR STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000930 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | ACCESS CONTROL |
