DISA STIG Cisco Infrastructure L3 Switch v8r29

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Cisco Infrastructure L3 Switch v8r29

Updated: 9/12/2022

Authority: DISA STIG

Plugin: Cisco

Revision: 1.8

Estimated Item Count: 202

Audit Items

Description / Categories
NET-IPV6-025 - IPv6 Site Local Unicast ADDR must not be defined

CONFIGURATION MANAGEMENT

NET-IPV6-033 - IPv6 routers are not configured with CEF enabled

CONFIGURATION MANAGEMENT

NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter - 'deny ipv6 any any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter - 'ipv6 verify unicast source reachable-via rx OUTBOUND_TO_BACKBONE'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-059 - Maximum hop limit is less than 32

CONFIGURATION MANAGEMENT

NET-IPV6-065 - The 6-to-4 router is not filtering protocol 41 - 'ip access-group IPV4_EGRESS_FILTER'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-065 - The 6-to-4 router is not filtering protocol 41 - 'ip access-list IPV4_EGRESS_FILTER'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-065 - The 6-to-4 router is not filtering protocol 41 - 'tunnel mode ipv6ip 6to4'

ACCESS CONTROL

NET-IPV6-066 - 6-to-4 router not filtering invalid source address - 'ipv6 traffic-filter IPV6_EGRESS_ACL in'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-066 - 6-to-4 router not filtering invalid source address - 'permit ipv6 2002:V4ADDR::/48'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-MCAST-001 - PIM enabled on wrong interfaces - 'interfaces enabled for PIM'
NET-MCAST-001 - PIM enabled on wrong interfaces - 'ip multicast-routing'

CONFIGURATION MANAGEMENT

NET-MCAST-001 - PIM enabled on wrong interfaces - 'ipv6 multicast-routing'

CONFIGURATION MANAGEMENT

NET-MCAST-002 - PIM neighbor filter is not configured - 'ip access-list standard IP_PIM_NEIGHBORS_ACL'
NET-MCAST-002 - PIM neighbor filter is not configured - 'ip pim neighbor-filter IP_PIM_NEIGHBORS_ACL'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-MCAST-002 - PIM neighbor filter is not configured - 'ipv6 access-list IPV6_PIM_NEIGHBORS_ACL'
NET-MCAST-002 - PIM neighbor filter is not configured - 'ipv6 pim neighbor-filter list IPV6_PIM_NEIGHBORS_ACL'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-MCAST-010 - No Admin-local or Site-local boundary - 'ip multicast boundary'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-MCAST-010 - No Admin-local or Site-local boundary - 'ipv6 multicast boundary scope 5'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-MCAST-010 - No Admin-local or Site-local boundary - ip access-list standard - 'deny 239'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-MCAST-010 - No Admin-local or Site-local boundary - ip access-list standard - 'permit 224'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports. '802.1x authentication'

IDENTIFICATION AND AUTHENTICATION

NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports. 'aaa authentication'

IDENTIFICATION AND AUTHENTICATION

NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports. 'aaa new-model'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports. 'radius-server host'

IDENTIFICATION AND AUTHENTICATION

NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports. 'system-auth-control'

IDENTIFICATION AND AUTHENTICATION

NET-NAC-031
NET-NAC-032 - Switchport does not shutdown on a violation

SYSTEM AND INFORMATION INTEGRITY

NET-SRVFRM-003 - ACLs must restrict access to server VLANs
NET-SRVFRM-004 - ACLs do not protect against compromised servers
NET-TUNL-012 - Tunnel Default Router Configured
NET-TUNL-017 - ISATAP tunnels must terminate at interior router
NET-TUNL-034 - L2TPv3 sessions are not authenticated - authentication check

CONFIGURATION MANAGEMENT

NET-TUNL-034 - L2TPv3 sessions are not authenticated - encapsulation check

SYSTEM AND COMMUNICATIONS PROTECTION

NET-VLAN-002 - Disabled ports are not kept in an unused VLAN.
NET-VLAN-004 - VLAN 1 is being used as a user VLAN - 'no ip address'.

SYSTEM AND COMMUNICATIONS PROTECTION

NET-VLAN-004 - VLAN 1 is being used as a user VLAN - 'shutdown'.

ACCESS CONTROL

NET-VLAN-005 - VLAN 1 traffic traverses across unnecessary trunk
NET-VLAN-006 - The VLAN1 is being used for management traffic.
NET-VLAN-007 - Ensure trunking is disabled on all access ports.
NET-VLAN-008 - A dedicated VLAN is required for all trunk ports.
NET-VLAN-009 - Access switchports are assigned to the native VLAN
NET-VLAN-023 - Restricted VLAN not assigned to non-802.1x device.
NET-VLAN-024 - Restricted VLAN not assigned to non-802.1x device.
NET0230 - Network element is not password protected

IDENTIFICATION AND AUTHENTICATION

NET0240 - Devices exist with standard default passwords
NET0340 - Network devices must display the DoD-approved logon banner warning.

ACCESS CONTROL

NET0400 - Interior routing protocols are not authenticated - 'EIGRP (Interface Check - authentication key-chain)'

SYSTEM AND COMMUNICATIONS PROTECTION

NET0400 - Interior routing protocols are not authenticated - 'EIGRP (Interface Check - authentication mode)'

SYSTEM AND COMMUNICATIONS PROTECTION

NET0400 - Interior routing protocols are not authenticated - 'EIGRP (Key-Chain Check)'

IDENTIFICATION AND AUTHENTICATION