UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Cisco IOS XE Switch L2S Security Technical Implementation Guide


Overview

Date Finding Count (26)
2020-05-20 CAT I (High): 1 CAT II (Med): 21 CAT III (Low): 4
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-101165 High The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection.
V-101205 Medium The Cisco switch must have all disabled switch ports assigned to an unused VLAN.
V-101207 Medium The Cisco switch must not have the default VLAN assigned to any host-facing switch ports.
V-101201 Medium The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
V-101203 Medium The Cisco switch must have all trunk links enabled statically.
V-101187 Medium The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
V-101209 Medium The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it.
V-101175 Medium The Cisco switch must authenticate all endpoint devices before establishing any connection.
V-101185 Medium The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
V-101173 Medium The Cisco switch must be configured to provide the capability for authorized users to remotely view, in real time, all content related to an established user session from a component separate from the Cisco switch.
V-101171 Medium The Cisco switch must be configured for authorized users to select a user session to capture.
V-101179 Medium The Cisco switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports.
V-101183 Medium The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled.
V-101181 Medium The Cisco switch must have STP Loop Guard enabled.
V-101213 Medium The Cisco switch must have all user-facing or untrusted ports configured as access switch ports.
V-101211 Medium The Cisco switch must not use the default VLAN for management traffic.
V-101215 Medium The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
V-101189 Medium The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
V-101167 Medium The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
V-101163 Medium The Cisco switch must be configured to disable non-essential capabilities.
V-101169 Medium The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.
V-101199 Medium The Cisco switch must implement Rapid STP where VLANs span multiple switches with redundant links.
V-101177 Low The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.
V-101217 Low The Cisco switch must not have any switchports assigned to the native VLAN.
V-101191 Low The Cisco switch must have Storm Control configured on all host-facing switchports.
V-101193 Low The Cisco switch must have IGMP or MLD Snooping configured on all VLANs.