| 1.1.8 Session Management | CIS HPE Aruba Networking CX Switch v1.0.1 Optional Security Recommendations | ArubaOS | ACCESS CONTROL |
| CISC-L2-000020 - The Cisco switch must uniquely identify and authenticate all network-connected endpoint devices before establishing any connection. | DISA Cisco IOS XE Switch L2S STIG v3r2 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-L2-000080 - The Cisco switch must authenticate all endpoint devices before establishing any connection. | DISA Cisco NX OS Switch L2S STIG v3r3 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-L2-000090 - The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches. | DISA Cisco IOS XE Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000200 - The Cisco switch must have all trunk links enabled statically. | DISA Cisco IOS XE Switch L2S STIG v3r2 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-L2-000220 - The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | DISA Cisco NX OS Switch L2S STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | DISA Cisco NX OS Switch L2S STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000250 - The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | DISA Cisco NX OS Switch L2S STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000250 - The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | DISA Cisco IOS XE Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-000100 - The Cisco switch must be configured to automatically audit account modification. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000160 - The Cisco switch must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000880 - The Cisco switch must be configured to automatically audit account enabling actions. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000880 - The Cisco switch must be configured to automatically audit account enabling actions. | DISA Cisco IOS XE Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-001210 - The Cisco switch must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | MAINTENANCE |
| CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | DISA Cisco IOS XE Switch NDM STIG v3r6 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-001450 - The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | DISA Cisco IOS XE Switch NDM STIG v3r6 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000030 - The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| CISC-RT-000050 - The Cisco switch must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| CISC-RT-000150 - The Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000160 - The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000190 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000220 - The Cisco switch must be configured to produce audit records containing information to establish the source of the events. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000237 - The Cisco switch must not be configured to use IPv6 Site Local Unicast addresses. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000250 - The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000320 - The Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000330 - The Cisco perimeter switch must be configured to filter ingress traffic at the external interface on an inbound direction. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000360 - The Cisco perimeter switch must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000390 - The Cisco perimeter switch must be configured to block all outbound management traffic. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000391 - The Cisco perimeter switch must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000470 - The Cisco BGP switch must be configured to enable the Generalized TTL Security Mechanism (GTSM). | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000490 - The Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000500 - The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000530 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000580 - The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000640 - The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT). | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000670 - The Cisco PE switch providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000700 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000710 - The Cisco PE switch must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000750 - The Cisco PE switch must be configured to ignore or drop all packets with any IP options. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000760 - The Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000770 - The Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000800 - The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000830 - The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated switch (DR) for any undesirable multicast groups and sources. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000840 - The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Cisco switch (DR) for any undesirable multicast groups. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000850 - The Cisco multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000870 - The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000950 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to use a loopback address as the source address when originating MSDP traffic. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT |
