| CISC-L2-000030 - The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available. | DISA Cisco NX OS Switch L2S STIG v3r3 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-L2-000100 - The Cisco switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports. | DISA Cisco NX OS Switch L2S STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000150 - The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. | DISA Cisco NX OS Switch L2S STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000150 - The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. | DISA Cisco IOS XE Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000160 - The Cisco switch must have Storm Control configured on all host-facing switchports. | DISA Cisco NX OS Switch L2S STIG v3r3 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-L2-000170 - The Cisco switch must have IGMP or MLD Snooping configured on all VLANs. | DISA Cisco NX OS Switch L2S STIG v3r3 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | DISA Cisco IOS XE Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | DISA Cisco NX OS Switch L2S STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-000010 - The Cisco switch must be configured to limit the number of concurrent management sessions to an organization-defined number. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000090 - The Cisco switch must be configured to automatically audit account creation. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000100 - The Cisco switch must be configured to automatically audit account modification. | DISA Cisco IOS XE Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000110 - The Cisco switch must be configured to automatically audit account disabling actions. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000110 - The Cisco switch must be configured to automatically audit account disabling actions. | DISA Cisco IOS XE Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000140 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000160 - The Cisco switch must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | DISA Cisco IOS XE Switch NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000290 - The Cisco switch must produce audit records containing information to establish where the events occurred. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000290 - The Cisco switch must produce audit records containing information to establish where the events occurred. | DISA Cisco IOS XE Switch NDM STIG v3r6 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-001240 - The Cisco switch must be configured to generate log records when administrator privileges are modified. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-001370 - The Cisco switch must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | DISA Cisco IOS XE Switch NDM STIG v3r6 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-001450 - The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | DISA Cisco NX OS Switch NDM STIG v3r6 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000050 - The Cisco switch must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-RT-000060 - The Cisco switch must be configured to have all inactive layer 3 interfaces disabled. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000060 - The Cisco switch must be configured to have all inactive layer 3 interfaces disabled. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000320 - The Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000350 - The Cisco perimeter switch must be configured to block all packets with any IP options. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000390 - The Cisco perimeter switch must be configured to block all outbound management traffic. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000392 - The Cisco perimeter switch must be configured to drop IPv6 undetermined transport packets. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000397 - The Cisco perimeter switch must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000398 - The Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000450 - The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000480 - The Cisco BGP switch must be configured to use a unique key for each autonomous system (AS) that it peers with. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| CISC-RT-000500 - The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000530 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000550 - The Cisco BGP switch must be configured to reject route advertisements from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000600 - The Cisco MPLS switch must be configured to synchronize Interior Gateway Protocol (IGP) and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000630 - The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000680 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000690 - The Cisco PE switch must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000700 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000720 - The Cisco PE switch must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000740 - The Cisco PE switch must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000800 - The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | ACCESS CONTROL |
| CISC-RT-000820 - The Cisco multicast Rendezvous Point (RP) switch must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000860 - The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000870 - The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000880 - The Cisco multicast Designated switch (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000890 - The Cisco multicast Designated switch (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000900 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to only accept MSDP packets from known MSDP peers. | DISA Cisco NX OS Switch RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000910 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to authenticate all received MSDP packets. | DISA Cisco IOS XE Switch RTR STIG v3r4 | Cisco | IDENTIFICATION AND AUTHENTICATION |
