DISA STIG Cisco Perimeter L3 Switch v8r32

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Cisco Perimeter L3 Switch v8r32

Updated: 9/12/2022

Authority: DISA STIG

Plugin: Cisco

Revision: 1.8

Estimated Item Count: 337

Audit Items

Description

Categories

NET-IPV6-004 - IPv6 Router Advertisements must be suppressed.

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-006 - Undetermined transport is not blocked

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-008 - IPV6 Bogons are not blocked - 'deny ipv6 3FFE::/16 any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-008 - IPV6 Bogons are not blocked - 'deny ipv6 any 3FFE::/16 log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-008 - IPV6 Bogons are not blocked - 'Ingress IPv6 traffic-filter'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-010 - Inbound ICMPv6 messages are not blocked - 'deny icmp any any fragments log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-010 - Inbound ICMPv6 messages are not blocked - 'deny ipv6 any any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-010 - Inbound ICMPv6 messages are not blocked - 'permit icmp any any nd-na'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-010 - Inbound ICMPv6 messages are not blocked - 'permit icmp any any nd-ns'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-010 - Inbound ICMPv6 messages are not blocked - 'permit icmp any any packet-too-big'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-010 - Inbound ICMPv6 messages are not blocked - 'permit icmp any any parameter-problem'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-010 - Inbound ICMPv6 messages are not blocked - 'permit icmp any any time-exceeded'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-010 - Inbound ICMPv6 messages are not blocked - 'permit icmp any IPV6 Upstream Link echo-reply'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-011 - Outbound ICMPv6 traffic is not blocked - 'deny icmp any any log-input'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-011 - Outbound ICMPv6 traffic is not blocked - 'deny ipv6 any any log-input'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-011 - Outbound ICMPv6 traffic is not blocked - 'permit icmp any any nd-na '

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-011 - Outbound ICMPv6 traffic is not blocked - 'permit icmp any any nd-ns'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-011 - Outbound ICMPv6 traffic is not blocked - 'permit icmp IPV6 Network 2000::/3 echo-request'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-011 - Outbound ICMPv6 traffic is not blocked - 'permit icmp IPV6 Network 2000::/3 packet-too-big'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-011 - Outbound ICMPv6 traffic is not blocked - 'permit icmp IPV6 Network 2000::/3 source-quench'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-011 - Outbound ICMPv6 traffic is not blocked - 'permit icmp IPV6 Network 2000::/3 time-exceeded'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-016 - ICMPv6 unreachable notifications and redirects must be disabled - 'no ipv6 redirects'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-016 - ICMPv6 unreachable notifications and redirects must be disabled - 'no ipv6 unreachables'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-016 - ICMPv6 unreachable notifications and redirects must be disabled - 'Null0 - no ipv6 unreachables'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-017 - IPv6 Routing Header is not blocked - 'deny routing log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-017 - IPv6 Routing Header is not blocked - 'permit type 2'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-024 - IPv6 6-to-4 addresses are not filtered - 'deny ipv6 2002::/16 any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-024 - IPv6 6-to-4 addresses are not filtered - 'deny ipv6 any 2002::/16 log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-024 - IPv6 6-to-4 addresses are not filtered - 'Egress deny ipv6 2002::/16 any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-024 - IPv6 6-to-4 addresses are not filtered - 'Egress deny ipv6 any 2002::/16 log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-025 - IPv6 Site Local Unicast ADDR must not be defined

CONFIGURATION MANAGEMENT

NET-IPV6-026 - IPv6 Site Local Unicast Addresses are not blocked - 'deny ipv6 any fec0::/10 log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-026 - IPv6 Site Local Unicast Addresses are not blocked - 'deny ipv6 fec0::/10 any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-026 - IPv6 Site Local Unicast Addresses are not blocked - 'Egress deny ipv6 any fec0::/10 log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-026 - IPv6 Site Local Unicast Addresses are not blocked - 'Egress deny ipv6 fec0::/10 any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-027 - IPv6 Loopback ADDR is not blocked by the enclave

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-028 - IPv6 Unspecified ADDR is not blocked - 'deny ipv6 ::/128 any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-028 - IPv6 Unspecified ADDR is not blocked - 'deny ipv6 any ::/128 log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-029 - IPv6 Multicast Source ADDR are not blocked - 'deny ipv6 any ff00::/16 log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-029 - IPv6 Multicast Source ADDR are not blocked - 'deny ipv6 ff00::/16 any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-030 - Embedded IPv4-Compatible IPv6 ADDR are not blocked - 'deny ipv6 0::/96 any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-030 - Embedded IPv4-Compatible IPv6 ADDR are not blocked - 'deny ipv6 any 0::/96 log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-031 - Embedded IPv4-Mapped IPv6 ADDR are not blocked - 'deny ipv6 0::FFFF/96 any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-031 - Embedded IPv4-Mapped IPv6 ADDR are not blocked - 'deny ipv6 any 0::FFFF/96 log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-032 - IPv6 Unique Local Unicast ADDR are not blocked - 'deny ipv6 any FC00::7 log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-032 - IPv6 Unique Local Unicast ADDR are not blocked - 'deny ipv6 FC00::7 any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-033 - IPv6 routers are not configured with CEF enabled

CONFIGURATION MANAGEMENT

NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter - 'deny ipv6 any any log'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter - 'ipv6 verify unicast source reachable-via rx OUTBOUND_TO_BACKBONE'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-047 - IPv4 Interfaces in NAT-PT receive IPv6