| 0.0.0.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| 100.64.0.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| 192.88.99.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| 198.18.0.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| 203.0.113.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| 240.0.0.0 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| Check for BGP | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| Check for mpls | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| Check for snmp-server | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | |
| CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection. | DISA STIG Cisco NX-OS Switch L2S v3r2 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-L2-000090 - The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts. | DISA STIG Cisco NX-OS Switch L2S v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000130 - The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. | DISA STIG Cisco NX-OS Switch L2S v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000220 - The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | DISA STIG Cisco NX-OS Switch L2S v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | DISA STIG Cisco NX-OS Switch L2S v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-000120 - The Cisco switch must be configured to automatically audit account removal actions. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | ACCESS CONTROL |
| CISC-ND-000290 - The Cisco switch must produce audit records containing information to establish where the events occurred. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-001210 - The Cisco switch must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | MAINTENANCE |
| CISC-ND-001250 - The Cisco switch must be configured to generate log records when administrator privileges are deleted. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-001370 - The Cisco switch must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | DISA STIG Cisco NX-OS Switch NDM v3r2 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000190 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000200 - The Cisco switch must be configured to log all packets that have been dropped at interfaces via an ACL. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000310 - The Cisco perimeter switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000520 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS). | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000530 - The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000540 - The Cisco BGP switch must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000630 - The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-RT-000710 - The Cisco PE switch must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000820 - The Cisco multicast Rendezvous Point (RP) switch must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000830 - The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated switch (DR) for any undesirable multicast groups and sources. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | ACCESS CONTROL |
| CISC-RT-000860 - The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000880 - The Cisco multicast Designated switch (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000910 - The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to authenticate all received MSDP packets. | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| deny 100.64.0.0 | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| deny 169.254.0.0 | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| deny 192.0.2.0 | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| deny 224.0.1.39/32 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| deny 224.0.1.40/32 | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| dot1x port-control auto | DISA STIG Cisco NX-OS Switch L2S v3r2 | Cisco | |
| external | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| interface | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| interface pseudowire | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| ip access-list | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| ip dhcp snooping | DISA STIG Cisco NX-OS Switch L2S v3r2 | Cisco | |
| ip igmp snooping vlan | DISA STIG Cisco NX-OS Switch L2S v3r2 | Cisco | |
| ip msdp sa-policy | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| ip prefix list | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
| l2vpn vfi | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| neighbor | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | |
| route-map | DISA STIG Cisco NX-OS Switch RTR v3r2 | Cisco | |
