UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Cisco IOS Switch L2S Security Technical Implementation Guide


Overview

Date Finding Count (26)
2020-05-07 CAT I (High): 1 CAT II (Med): 21 CAT III (Low): 4
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-101113 High The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection.
V-101159 Medium The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
V-101155 Medium The Cisco switch must not use the default VLAN for management traffic.
V-101157 Medium The Cisco switch must have all user-facing or untrusted ports configured as access switch ports.
V-101151 Medium The Cisco switch must not have the default VLAN assigned to any host-facing switch ports.
V-101153 Medium The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it.
V-101111 Medium The Cisco switch must be configured to disable non-essential capabilities.
V-101119 Medium The Cisco switch must be configured for authorized users to select a user session to capture.
V-101115 Medium The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
V-101117 Medium The Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks.
V-101133 Medium The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
V-101131 Medium The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled.
V-101137 Medium The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
V-101135 Medium The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
V-101149 Medium The Cisco switch must have all disabled switch ports assigned to an unused VLAN.
V-101143 Medium The Cisco switch must implement Rapid Spanning Tree Protocol (STP) where VLANs span multiple switches with redundant links.
V-101147 Medium The Cisco switch must have all trunk links enabled statically.
V-101145 Medium The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
V-101129 Medium The Cisco switch must have Spanning Tree Protocol (STP) Loop Guard enabled.
V-101121 Medium The Cisco switch must be configured for authorized users to remotely view, in real time, all content related to an established user session from a component separate from the Cisco switch.
V-101123 Medium The Cisco switch must authenticate all endpoint devices before establishing any connection.
V-101127 Medium The Cisco switch must have Bridge Protocol Data Unit (BPDU) Guard enabled on all user-facing or untrusted access switch ports.
V-101139 Low The Cisco switch must have Storm Control configured on all host-facing switchports.
V-101141 Low The Cisco switch must have IGMP or MLD Snooping configured on all VLANs.
V-101161 Low The Cisco switch must not have any switchports assigned to the native VLAN.
V-101125 Low The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.