| AMLS-L3-000250 - The Arista Multilayer Switch must encrypt all methods of configured authentication for the OSPF routing protocol - ospf message-digest-key | DISA STIG Arista MLS DCS-7000 Series RTR v1r4 | Arista | IDENTIFICATION AND AUTHENTICATION |
| CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-L2-000040 - The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks - DoS attacks. | DISA STIG Cisco IOS XE Switch L2S v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000060 - The Cisco switch must be configured for authorized users to select a user session to capture. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-L2-000100 - The Cisco switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000110 - The Cisco switch must have STP Loop Guard enabled. | DISA STIG Cisco IOS XE Switch L2S v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000130 - The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000140 - The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000150 - The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. | DISA STIG Cisco IOS XE Switch L2S v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000160 - The Cisco switch must have Storm Control configured on all host-facing switchports. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-L2-000190 - The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections. | DISA STIG Cisco IOS XE Switch L2S v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-L2-000210 - The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | DISA STIG Cisco IOS XE Switch L2S v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000210 - The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000220 - The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000240 - The Cisco switch must not use the default VLAN for management traffic. | DISA Cisco NX OS Switch L2S STIG v3r2 | Cisco | CONTINGENCY PLANNING |
| CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | DISA STIG Cisco IOS XE Switch L2S v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000270 - The Cisco switch must not have any switchports assigned to the native VLAN. | DISA STIG Cisco IOS XE Switch L2S v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-000160 - The Cisco switch must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | DISA STIG Cisco IOS XE Switch NDM v3r2 | Cisco | ACCESS CONTROL |
| CISC-ND-000280 - The Cisco switch must produce audit records containing information to establish when (date and time) the events occurred. | DISA STIG Cisco IOS XE Switch NDM v3r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000010 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL |
| CISC-RT-000050 - The Cisco switch must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| CISC-RT-000090 - The Cisco switch must not be configured to have any zero-touch deployment feature enabled when connected to an operational network. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000180 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000200 - The Cisco switch must be configured to log all packets that have been dropped at interfaces via an ACL. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000200 - The Cisco switch must be configured to log all packets that have been dropped at interfaces via an ACL. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000210 - The Cisco switch must be configured to produce audit records containing information to establish where the events occurred. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000220 - The Cisco switch must be configured to produce audit records containing information to establish the source of the events. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000230 - The Cisco switch must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL |
| CISC-RT-000510 - The Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000530 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000550 - The Cisco BGP switch must be configured to reject route advertisements from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL |
| CISC-RT-000560 - The Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000570 - The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000580 - The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000640 - The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT). | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000650 - The Cisco PE switch must be configured to have each VRF with the appropriate Route Distinguisher (RD). | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-RT-000680 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000680 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000750 - The Cisco PE switch must be configured to ignore or drop all packets with any IP options. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000770 - The Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000780 - The Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000790 - The Cisco multicast switch must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL |
| CISC-RT-000820 - The Cisco multicast Rendezvous Point (RP) switch must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000850 - The Cisco multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000870 - The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000870 - The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000940 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to limit the amount of source-active messages it accepts on a per-peer basis. | DISA Cisco NX OS Switch RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000950 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to use a loopback address as the source address when originating MSDP traffic. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
