DISA STIG Cisco IOS Switch RTR v1r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA STIG Cisco IOS Switch RTR v1r1

Updated: 6/17/2021

Authority: DISA STIG

Plugin: Cisco

Revision: 1.4

Estimated Item Count: 77

Audit Changelog

Revision 1.4

Jun 17, 2021

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.3

Apr 28, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.2

Nov 9, 2020

Informational Update
  • CISC-RT-000050 - The Cisco switch must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
  • CISC-RT-000060 - The Cisco switch must be configured to have all inactive Layer 3 interfaces disabled.
  • CISC-RT-000180 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.
  • CISC-RT-000310 - The Cisco perimeter switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
  • CISC-RT-000380 - The Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces.
  • CISC-RT-000790 - The Cisco multicast switch must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
  • CISC-RT-000860 - The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.
  • CISC-RT-000870 - The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.
  • CISC-RT-000880 - The Cisco multicast Designated switch (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.
  • CISC-RT-000890 - The Cisco multicast Designated switch (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
Miscellaneous
  • Metadata updated.
  • See also link updated.
Added
  • CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - bgp
  • CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - eigrp
  • CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - is-is
  • CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - ospf
  • CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - bgp
  • CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - eigrp
  • CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - is-is
  • CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - ospf
  • CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - rip
  • CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces - DODIN Backbone
  • CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces - ip unreachables
  • CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception - access-group in
  • CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception - deny rule
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - access-group in
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 0.0.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 10.0.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 100.64.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 127.0.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 169.254.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 172.16.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.0.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.0.2.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.168.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 192.18.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 198.51.100.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 203.0.113.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 224.0.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes - deny 240.0.0.0
  • CISC-RT-000390 - The Cisco perimeter switch must be configured to block all outbound management traffic - ip access-group EXTERNAL_ACL_OUTBOUND out
  • CISC-RT-000390 - The Cisco perimeter switch must be configured to block all outbound management traffic - ip access-list extended EXTERNAL_ACL_OUTBOUND
  • CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm - mpls label protocol ldp
  • CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm - mpls ldp neighbor
  • CISC-RT-000730 - The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure - access-group in
  • CISC-RT-000730 - The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure - deny ip any
  • CISC-RT-000800 - The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled - interface
  • CISC-RT-000800 - The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled - ip access-list
  • CISC-RT-000810 - The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic - interfaces
  • CISC-RT-000810 - The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic - ip access-list
Removed
  • CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols. - bgp
  • CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols. - eigrp
  • CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols. - is-is
  • CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols. - ospf
  • CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication. - bgp
  • CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication. - eigrp
  • CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication. - is-is
  • CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication. - ospf
  • CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication. - rip
  • CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces. - DODIN Backbone
  • CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces. - ip unreachables
  • CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception. - access-group in
  • CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception. - deny rule
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - access-group in
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 0.0.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 10.0.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 100.64.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 127.0.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 169.254.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 172.16.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 192.0.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 192.0.2.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 192.168.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 192.18.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 198.51.100.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 203.0.113.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 224.0.0.0
  • CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. - deny 240.0.0.0
  • CISC-RT-000390 - The Cisco perimeter switch must be configured to block all outbound management traffic. - ip access-group EXTERNAL_ACL_OUTBOUND out
  • CISC-RT-000390 - The Cisco perimeter switch must be configured to block all outbound management traffic. - ip access-list extended EXTERNAL_ACL_OUTBOUND
  • CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm. - mpls label protocol ldp
  • CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm. - mpls ldp neighbor
  • CISC-RT-000730 - The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure. - access-group in
  • CISC-RT-000730 - The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure. - access-group in - deny ip any
  • CISC-RT-000800 - The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. - interface
  • CISC-RT-000800 - The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. - ip access-list
  • CISC-RT-000810 - The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic. - interfaces
  • CISC-RT-000810 - The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic. - ip access-list
Revision 1.1

Sep 29, 2020

Miscellaneous
  • References updated.