Detections
Analytics

DISA STIG Cisco IOS XE Switch RTR v1r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Cisco IOS XE Switch RTR v1r1

Updated: 8/11/2021

Authority: DISA STIG

Plugin: Cisco

Revision: 1.5

Estimated Item Count: 121

Audit Changelog

 
Revision 1.5

Aug 11, 2021

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.4

Jul 30, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.3

Jun 17, 2021

Miscellaneous
  • Metadata updated.
Revision 1.2

Apr 28, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.1

Nov 9, 2020

Informational Update
  • CISC-RT-000560 - The Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
  • CISC-RT-000640 - The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).
  • CISC-RT-000920 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
Miscellaneous
  • Metadata updated.
  • References updated.
  • See also link updated.
Added
  • CISC-RT-000490 - The Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes - neighbor
  • CISC-RT-000490 - The Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes - show ip prefix-list
  • CISC-RT-000500 - The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS) - neighbor
  • CISC-RT-000500 - The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS) - show ip prefix-list
  • CISC-RT-000510 - The Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer - neighbor
  • CISC-RT-000510 - The Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer - show ip prefix-list
  • CISC-RT-000520 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS) - ip prefix-list
  • CISC-RT-000520 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS) - neighbor
  • CISC-RT-000530 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core - ip prefix-list
  • CISC-RT-000530 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core - neighbor prefix-list
  • CISC-RT-000550 - The Cisco BGP switch must be configured to reject route advertisements from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer - ip as-path access-list
  • CISC-RT-000570 - The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer - ip prefix-list
  • CISC-RT-000570 - The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer - neighbor
  • CISC-RT-000580 - The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions - bgp neighbor
  • CISC-RT-000580 - The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions - interface
  • CISC-RT-000600 - The Cisco MPLS switch must be configured to synchronize Interior Gateway Protocol (IGP) and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange - IS-IS
  • CISC-RT-000600 - The Cisco MPLS switch must be configured to synchronize Interior Gateway Protocol (IGP) and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange - OSPF
  • CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm - VC information using a FIPS-approved message authentication code algorithm
  • CISC-RT-000680 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN - bridge-domain
  • CISC-RT-000680 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN - l2vpn vfi
Removed
  • CISC-RT-000490 - The Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes. - neighbor
  • CISC-RT-000490 - The Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes. - show ip prefix-list
  • CISC-RT-000500 - The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). - neighbor
  • CISC-RT-000500 - The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). - show ip prefix-list
  • CISC-RT-000510 - The Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer. - neighbor
  • CISC-RT-000510 - The Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer. - show ip prefix-list
  • CISC-RT-000520 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS). - ip prefix-list
  • CISC-RT-000520 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS). - neighbor
  • CISC-RT-000530 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core. - ip prefix-list
  • CISC-RT-000530 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core. - neighbor prefix-list
  • CISC-RT-000550 - The Cisco BGP switch must be configured to reject route advertisements from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer. - ip as-path access-list
  • CISC-RT-000570 - The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer. - ip prefix-list
  • CISC-RT-000570 - The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer. - neighbor
  • CISC-RT-000580 - The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions. - bgp neighbor
  • CISC-RT-000580 - The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions. - interface
  • CISC-RT-000600 - The Cisco MPLS switch must be configured to synchronize Interior Gateway Protocol (IGP) and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange. - IS-IS
  • CISC-RT-000600 - The Cisco MPLS switch must be configured to synchronize Interior Gateway Protocol (IGP) and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange. - OSPF
  • CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm
  • CISC-RT-000680 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. - bridge-domain
  • CISC-RT-000680 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. - l2vpn vfi