CISC-L2-000010 - The Cisco switch must be configured to disable non-essential capabilities.

CAT|II

CCI|CCI-000381

Rule-ID|SV-220674r539671_rule

STIG-ID|CISC-L2-000010

STIG-Legacy|SV-110323

STIG-Legacy|V-101219

Vuln-ID|V-220674

CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection.

CAT|I

CCI|CCI-000778

Rule-ID|SV-220675r539671_rule

STIG-ID|CISC-L2-000020

STIG-Legacy|SV-110325

STIG-Legacy|V-101221

Vuln-ID|V-220675

CISC-L2-000030 - The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.

CCI|CCI-000803

Rule-ID|SV-220676r539671_rule

STIG-ID|CISC-L2-000030

STIG-Legacy|SV-110327

STIG-Legacy|V-101223

Vuln-ID|V-220676

CISC-L2-000060 - The Cisco switch must be configured for authorized users to select a user session to capture.

CCI|CCI-001919

Rule-ID|SV-220677r856486_rule

STIG-ID|CISC-L2-000060

STIG-Legacy|SV-110329

STIG-Legacy|V-101225

Vuln-ID|V-220677

CISC-L2-000070 - The Cisco switch must be configured for authorized users to remotely view, in real time, all content related to an established user session from a component separate from The Cisco switch.

CCI|CCI-001920

Rule-ID|SV-220678r856487_rule

STIG-ID|CISC-L2-000070

STIG-Legacy|SV-110331

STIG-Legacy|V-101227

Vuln-ID|V-220678

CISC-L2-000080 - The Cisco switch must authenticate all endpoint devices before establishing any connection.

CCI|CCI-001958

Rule-ID|SV-220679r856488_rule

STIG-ID|CISC-L2-000080

STIG-Legacy|SV-110333

STIG-Legacy|V-101229

Vuln-ID|V-220679

CISC-L2-000090 - The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.

CAT|III

CCI|CCI-002385

Rule-ID|SV-220680r856489_rule

STIG-ID|CISC-L2-000090

STIG-Legacy|SV-110335

STIG-Legacy|V-101231

Vuln-ID|V-220680

CISC-L2-000100 - The Cisco switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports.

Rule-ID|SV-220681r856490_rule

STIG-ID|CISC-L2-000100

STIG-Legacy|SV-110337

STIG-Legacy|V-101233

Vuln-ID|V-220681

CISC-L2-000110 - The Cisco switch must have STP Loop Guard enabled.

Rule-ID|SV-220682r856491_rule

STIG-ID|CISC-L2-000110

STIG-Legacy|SV-110339

STIG-Legacy|V-101235

Vuln-ID|V-220682

CISC-L2-000120 - The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled.

Rule-ID|SV-220683r856492_rule

STIG-ID|CISC-L2-000120

STIG-Legacy|SV-110341

STIG-Legacy|V-101237

Vuln-ID|V-220683

CISC-L2-000130 - The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.

Rule-ID|SV-220684r856493_rule

STIG-ID|CISC-L2-000130

STIG-Legacy|SV-110343

STIG-Legacy|V-101239

Vuln-ID|V-220684

CISC-L2-000140 - The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.

Rule-ID|SV-220685r856494_rule

STIG-ID|CISC-L2-000140

STIG-Legacy|SV-110345

STIG-Legacy|V-101241

Vuln-ID|V-220685

CISC-L2-000150 - The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.

Rule-ID|SV-220686r856495_rule

STIG-ID|CISC-L2-000150

STIG-Legacy|SV-110347

STIG-Legacy|V-101243

Vuln-ID|V-220686

CISC-L2-000160 - The Cisco switch must have Storm Control configured on all host-facing switchports.

CCI|CCI-000366

Rule-ID|SV-220687r539671_rule

STIG-ID|CISC-L2-000160

STIG-Legacy|SV-110349

STIG-Legacy|V-101245

Vuln-ID|V-220687

CISC-L2-000170 - The Cisco switch must have IGMP or MLD Snooping configured on all VLANs.

Rule-ID|SV-220688r539671_rule

STIG-ID|CISC-L2-000170

STIG-Legacy|SV-110351

STIG-Legacy|V-101247

Vuln-ID|V-220688

CISC-L2-000190 - The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.

Rule-ID|SV-220689r917685_rule

STIG-ID|CISC-L2-000190

STIG-Legacy|SV-110353

STIG-Legacy|V-101249

Vuln-ID|V-220689

CISC-L2-000210 - The Cisco switch must have all disabled switch ports assigned to an unused VLAN.

Rule-ID|SV-220690r539671_rule

STIG-ID|CISC-L2-000210

STIG-Legacy|SV-110355

STIG-Legacy|V-101251

Vuln-ID|V-220690

CISC-L2-000220 - The Cisco switch must not have the default VLAN assigned to any host-facing switch ports.

Rule-ID|SV-220691r539671_rule

STIG-ID|CISC-L2-000220

STIG-Legacy|SV-110357

STIG-Legacy|V-101253

Vuln-ID|V-220691

CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it.

Rule-ID|SV-220692r539671_rule

STIG-ID|CISC-L2-000230

STIG-Legacy|SV-110359

STIG-Legacy|V-101255

Vuln-ID|V-220692

CISC-L2-000240 - The Cisco switch must not use the default VLAN for management traffic.

Rule-ID|SV-220693r539671_rule

STIG-ID|CISC-L2-000240

STIG-Legacy|SV-110361

STIG-Legacy|V-101257

Vuln-ID|V-220693

CISC-L2-000250 - The Cisco switch must have all user-facing or untrusted ports configured as access switch ports.

Rule-ID|SV-220694r539671_rule

STIG-ID|CISC-L2-000250

STIG-Legacy|SV-110363

STIG-Legacy|V-101259

Vuln-ID|V-220694

CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.

Rule-ID|SV-220695r539671_rule

STIG-ID|CISC-L2-000260

STIG-Legacy|SV-110365

STIG-Legacy|V-101261

Vuln-ID|V-220695

CISC-L2-000270 - The Cisco switch must not have any switchports assigned to the native VLAN.

Detections

Analytics

DISA STIG Cisco NX-OS Switch L2S v2r2

Warning! Audit Deprecated

Audit Details

Audit Changelog

Revision 1.4

Miscellaneous

Revision 1.3

Functional Update

Revision 1.2

Miscellaneous

Revision 1.1

Miscellaneous

Added

Removed