169.254.0.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
172.16.0.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
192.168.0.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
224.0.0.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
Check for IS-IS | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
Check for OSPF | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
Check if CDP is disabled | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
CISC-ND-001280 - The Cisco switch must generate audit records showing starting and ending time for administrator access to the system. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | AUDIT AND ACCOUNTABILITY |
CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000060 - The Cisco switch must be configured to have all inactive layer 3 interfaces disabled. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
CISC-RT-000120 - The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000130 - The Cisco switch must be configured to restrict traffic destined to itself. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000140 - The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000236 - The Cisco switch must be configured to advertise a hop limit of at least 32 in Switch Advertisement messages for IPv6 stateless auto-configuration deployments. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
CISC-RT-000250 - The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL |
CISC-RT-000450 - The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000500 - The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL |
CISC-RT-000500 - The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
CISC-RT-000560 - The Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000610 - The MPLS switch with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core switches. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000610 - The MPLS switch with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core switches. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000620 - The Cisco MPLS switch must be configured to have TTL Propagation disabled. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | CONFIGURATION MANAGEMENT |
CISC-RT-000630 - The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
CISC-RT-000640 - The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT). | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | CONTINGENCY PLANNING |
CISC-RT-000670 - The Cisco PE switch providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
CISC-RT-000680 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | CONTINGENCY PLANNING |
CISC-RT-000730 - The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000750 - The Cisco PE switch must be configured to ignore or drop all packets with any IP options. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000810 - The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
CISC-RT-000890 - The Cisco multicast Designated switch (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000900 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to only accept MSDP packets from known MSDP peers. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
CISC-RT-000920 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL |
CISC-RT-000930 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | ACCESS CONTROL |
CISC-RT-000940 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to limit the amount of source-active messages it accepts on a per-peer basis. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
crypto pki trustpoint | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
deny | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
deny 0.0.0.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
deny 10.0.0.0 | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
deny 127.0.0.0 | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
deny rule | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
Ensure hmac-sha2-512 is configured | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
ip prefix-list | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
ip unreachables | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
line vty access-class | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
logging logfile | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
management access-list | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
ntp authentication-key | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
servers | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
show ip prefix-list | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
snmp-server host priv | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |