| 2.1 Ensure firewall filter is set for inbound traffic to the Routing Engine | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2 Ensure RE firewall filter contains explicit term for SSH (when SSH is used) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3 Ensure RE firewall filter includes explicit term for SNMP (when SNMP is used) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Ensure internal sources are blocked on external networks | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Ensure firewall filters contain explicit deny and log term | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.3 Forbid Dial in Access | CONFIGURATION MANAGEMENT |
| 3.2.1 Ensure VRRP authentication-key is set | IDENTIFICATION AND AUTHENTICATION |
| 3.2.2 Ensure authentication-type is set to MD5 | IDENTIFICATION AND AUTHENTICATION |
| 3.5 Ensure proxy-arp is disabled | CONFIGURATION MANAGEMENT |
| 3.8 Ensure Loopback interface address is set | CONFIGURATION MANAGEMENT |
| 3.10 Ensure inbound firewall filter is set for Loopback interface | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2 Ensure peer authentication is set to IPSEC SA | IDENTIFICATION AND AUTHENTICATION |
| 4.1.4 Ensure Bogon Filtering is set (where EBGP is used) | |
| 4.2.2 Ensure IS-IS neighbor authentication is set to SHA1 | |
| 4.3.2 Ensure OSPF authentication is set to IPSEC SA with SHA | IDENTIFICATION AND AUTHENTICATION |
| 4.6.1 Ensure BFD Authentication is Set | CONFIGURATION MANAGEMENT |
| 4.6.2 Ensure BFD Authentication is Not Set to Loose-Check | CONFIGURATION MANAGEMENT |
| 4.7.2 Ensure authentication is set to AES-CMAC | IDENTIFICATION AND AUTHENTICATION |
| 4.9.1 Ensure Secure Neighbor Discovery is configured | IDENTIFICATION AND AUTHENTICATION |
| 5.5 Ensure SNMP Write Access is not set | CONFIGURATION MANAGEMENT |
| 5.6 Ensure AES128 is set for all SNMPv3 users | ACCESS CONTROL |
| 5.7 Ensure SHA1 is set for SNMPv3 authentication | ACCESS CONTROL |
| 5.9 Ensure SNMP is set to OOB management only | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1.4 Recommend Accounting of Interactive Commands (where External AAA is used) | AUDIT AND ACCOUNTABILITY |
| 6.2.1 Ensure Archive on Commit | CONTINGENCY PLANNING |
| 6.2.2 Ensure at least one SCP Archive Site is configured | CONTINGENCY PLANNING |
| 6.5.1 Ensure ICMPv4 rate-limit is Set | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.5.2 Ensure ICMPv6 rate-limit is Set | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.6.7 Ensure Remote Login Class for Authorization through External AAA - login class | ACCESS CONTROL |
| 6.6.7 Ensure Remote Login Class for Authorization through External AAA - remote class | ACCESS CONTROL |
| 6.6.14 Ensure Multi-Factor is used with External AAA | |
| 6.7.2 Ensure NTP Boot-Server is set | AUDIT AND ACCOUNTABILITY |
| 6.7.4 Ensure Authentication Keys are used for all NTP Servers | AUDIT AND ACCOUNTABILITY |
| 6.7.5 Ensure Different Authentication Keys for each NTP Server | IDENTIFICATION AND AUTHENTICATION |
| 6.7.6 Ensure Strong Authentication Methods are used for NTP Authentication | IDENTIFICATION AND AUTHENTICATION |
| 6.10.1.7 Ensure Only Suite B Ciphers are set for SSH - ciphers restriction | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.1.7 Ensure Only Suite B Ciphers are set for SSH - weak ciphers | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.1.10 Ensure Only Suite B Key Exchange Methods are set for SSH - key-exchange restriction | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.1.10 Ensure Only Suite B Key Exchange Methods are set for SSH - weak key-exchange | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.1.12 Ensure Only Suite B Based Key Signing Algorithms are set for SSH - DSA keys | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.1.12 Ensure Only Suite B Based Key Signing Algorithms are set for SSH - ECDSA Key | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.1.13 Ensure SSH Key Authentication is Disabled | CONFIGURATION MANAGEMENT |
| 6.10.2.3 Ensure Web-Management is Set to use PKI Certificate for HTTPS | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.2.7 Ensure Web-Management Interface Restriction is set to OOB Management | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.3.2 Ensure XNM-SSL Connection Limit is Set | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.3.3 Ensure XNM-SSL Rate Limit is Set | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.5.3 Ensure REST is Set to use PKI Certificate for HTTPS | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.5.4 Ensure REST HTTPS is Set to use Mutual Authentication | IDENTIFICATION AND AUTHENTICATION |
| 6.10.5.6 Ensure REST HTTPS Cipher List is Set to Suite B Only | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.5.11 Ensure REST Service Address is Set to OOB Management Only | SYSTEM AND COMMUNICATIONS PROTECTION |
