CIS Cisco NX-OS L2 v1.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Cisco NX-OS L2 v1.0.0

Updated: 7/10/2024

Authority: CIS

Plugin: Cisco

Revision: 1.11

Estimated Item Count: 56

File Details

Filename: CIS_Cisco_NX-OS-v1.0.0_Level_2.audit

Size: 223 kB

MD5: c3a2c3f9e29a98ab24ffde44bb877458
SHA256: 91da2a5d313814fd5f0b17ba89d546a650ec63e53b7159b8e1142fce7789725f

Audit Items

Description    Categories
1.1.1 Configure AAA Authentication - TACACS - aaa authentication
1.1.1 Configure AAA Authentication - TACACS - aaa group
1.1.1 Configure AAA Authentication - TACACS - feature tacacs+
1.1.1 Configure AAA Authentication - TACACS - tacacs-server
1.1.2 Configure AAA Authentication - RADIUS - aaa authentication
1.1.2 Configure AAA Authentication - RADIUS - aaa group
1.1.2 Configure AAA Authentication - RADIUS - radius-server host
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - console exec-timeout
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - ssh idle-timeout
1.2.2 Restrict Access to VTY Sessions - line vty access-class
1.2.2 Restrict Access to VTY Sessions - VTY ACL
1.3.1 Enable Password Complexity Requirements for Local Credentials
1.3.2 Configure Password Encryption
1.3.3 Set password lifetime, warning time and grace time for local credentials
1.3.4 Set password length for local credentials
1.4.3 Configure SNMPv3 - engineID
1.4.3 Configure SNMPv3 - group v3
1.4.4 Configure SNMP Traps
1.4.5 Configure SNMP Source Interface for Traps - snmp-server host
1.4.5 Configure SNMP Source Interface for Traps - snmp-server traps/informs
1.4.6 Do not Configure a Read Write SNMP Community String
1.5.1 Ensure Syslog Logging is configured - logging level
1.5.1 Ensure Syslog Logging is configured - logging server/source-interface
1.5.2 Log all Successful and Failed Administrative Logins
1.5.3 Configure Netflow on Strategic Ports
1.6.1 Configure at least 3 external NTP Servers - ntp server
1.6.1 Configure at least 3 external NTP Servers - ntp source-interface
1.6.2 Configure a Time Zone
1.6.3 If a Local Time Zone is used, Configure Daylight Savings
1.6.4 Configure NTP Authentication
1.8.1 Disable Power on Auto Provisioning (POAP)
1.8.2 Disable iPXE (Pre-boot eXecution Environment)
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - logging
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntp
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server host
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informs
3.1.1.1 Configure EIGRP Authentication on all EIGRP Routing Devices
3.1.1.2 Configure EIGRP Passive interfaces for interfaces that do not have peers
3.1.1.3 Configure EIGRP log-adjacency-changes
3.1.2.1 Configure BGP to Log Neighbor Changes
3.1.2.2 If Possible, Limit the BGP Routes Accepted from Peers
3.1.2.3 Configure BGP Authentication
3.1.3.1 Set Interfaces with no Peers to Passive-Interface
3.1.3.2 Authenticate OSPF peers with MD5 authentication keys
3.1.3.3 Log OSPF Adjacency Changes
3.1.4.1 If VLAN interfaces have IP addresses, configure anti spoofing / ingress filtering protections
3.1.4.2 Create and use a single Loopback Address for Routing Protocol Peering
3.1.4.3 Use Unicast Routing Protocols Only
3.1.4.4 Configure HSRP protections - hsrp version 2
3.1.4.4 Configure HSRP protections - interface md5
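The items above are the names of the checks in the audit file; the page does not show how each one is evaluated. As an added illustration, not the Tenable audit logic and not part of the original page, the script below parses a constructed NX-OS running-config excerpt and evaluates a handful of the listed items (1.1.1, 1.2.1, 1.4.6, 1.6.1 and 3.1.2.1) the way a practitioner might pre-check a device before a scan. The sample configuration, the choice of regexes, the `network-admin`/`network-operator` reading of SNMP community roles and the "1 to 5 minutes" interpretation of the idle-timeout item are assumptions made for the example.

```python
"""Minimal offline checker for a few CIS NX-OS items (added example, not the audit file)."""
import re

# Constructed NX-OS running-config excerpt for the example; not taken from any real device.
SAMPLE_CONFIG = """\
feature tacacs+
feature bgp
tacacs-server host 10.0.0.5
aaa group server tacacs+ TAC
  server 10.0.0.5
  use-vrf management
aaa authentication login default group TAC
snmp-server community public group network-operator
snmp-server community private group network-admin
ntp server 192.0.2.10 use-vrf management
ntp server 192.0.2.11 use-vrf management
line console
  exec-timeout 5
line vty
  exec-timeout 5
router bgp 65000
  log-neighbor-changes
  neighbor 192.0.2.2
    remote-as 65001
"""


def parse_config(text):
    """Split a running-config into top-level commands and their indented sub-commands.

    Deeper nesting is flattened into the nearest top-level block, which is enough
    for the checks below. Duplicate top-level commands share one child list.
    """
    top, children, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                children[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            children.setdefault(current, [])
    return top, children


def console_exec_timeout_ok(children, limit=5):
    """1.2.1: 'line console' must carry an exec-timeout of 1..limit minutes.

    Assumption for this example: exec-timeout 0 disables the timer, so it fails.
    """
    for line in children.get("line console", []):
        m = re.match(r"exec-timeout (\d+)$", line)
        if m:
            return 1 <= int(m.group(1)) <= limit
    return False


def run_checks(text):
    """Return {item name: passed?} for the subset of items this example covers."""
    top, children = parse_config(text)
    # Assumption: community strings bound to the network-admin role are read-write.
    rw_community = re.compile(r"snmp-server community \S+ group network-admin$")
    return {
        "1.1.1 feature tacacs+": "feature tacacs+" in top,
        "1.1.1 aaa authentication login default":
            any(re.match(r"aaa authentication login default group \S+", t) for t in top),
        "1.2.1 console exec-timeout <= 5": console_exec_timeout_ok(children),
        "1.4.6 no read-write SNMP community": not any(rw_community.match(t) for t in top),
        "1.6.1 at least 3 ntp servers": sum(t.startswith("ntp server ") for t in top) >= 3,
        "3.1.2.1 bgp log-neighbor-changes": any(
            t.startswith("router bgp") and "log-neighbor-changes" in children[t] for t in top),
    }


def failing(results):
    """Names of the items that did not pass, for a quick remediation list."""
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    for name, ok in run_checks(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

On the constructed sample the read-write community `private` and the two-server NTP configuration fail, and the rest pass; removing the `network-admin` community line and adding a third `ntp server` line clears both findings.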