| 10.0.0.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| 192.0.2.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| aaa group server radius | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
| Check for IS-IS | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| CISC-ND-000100 - The Cisco switch must be configured to automatically audit account modification. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | ACCESS CONTROL |
| CISC-ND-000330 - The Cisco switch must be configured to generate audit records containing the full-text recording of privileged commands. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000880 - The Cisco switch must be configured to automatically audit account enabling actions. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | ACCESS CONTROL |
| CISC-ND-001220 - The Cisco switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-001450 - The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000010 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000030 - The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| CISC-RT-000150 - The Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000150 - The Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000236 - The Cisco switch must be configured to advertise a hop limit of at least 32 in Switch Advertisement messages for IPv6 stateless auto-configuration deployments. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000237 - The Cisco switch must not be configured to use IPv6 Site Local Unicast addresses. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000250 - The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000480 - The Cisco BGP switch must be configured to use a unique key for each autonomous system (AS) that it peers with. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| CISC-RT-000490 - The Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000510 - The Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000550 - The Cisco BGP switch must be configured to reject route advertisements from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000560 - The Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000570 - The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000580 - The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000580 - The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000620 - The Cisco MPLS switch must be configured to have TTL Propagation disabled. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000670 - The Cisco PE switch providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000690 - The Cisco PE switch must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000740 - The Cisco PE switch must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000750 - The Cisco PE switch must be configured to ignore or drop all packets with any IP options. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000760 - The Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000780 - The Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000790 - The Cisco multicast switch must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000800 - The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000810 - The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL |
| CISC-RT-000910 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to authenticate all received MSDP packets. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-RT-000940 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to limit the amount of source-active messages it accepts on a per-peer basis. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL |
| CISC-RT-000950 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to use a loopback address as the source address when originating MSDP traffic. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | CONTINGENCY PLANNING |
| control-plane review | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
| deny 192.0.0.0 | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| deny 192.168.0.0 | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| deny 224.0.0.0 | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| deny 240.0.0.0 | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| deny ip any | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| DODIN Backbone | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| DODIN Backbone | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| ip | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| ipv6 | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| snmp-server user aes-128 | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
