UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Cisco IOS XE Switch L2S Security Technical Implementation Guide


Overview

Date Finding Count (22)
2024-06-06 CAT I (High): 1 CAT II (Med): 17 CAT III (Low): 4
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-220649 High The Cisco switch must uniquely identify and authenticate all network-connected endpoint devices before establishing any connection.
V-220667 Medium The Cisco switch must have all disabled switch ports assigned to an unused VLAN.
V-220666 Medium The Cisco switch must have all trunk links enabled statically.
V-220665 Medium The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
V-220664 Medium The Cisco switch must implement Rapid STP where VLANs span multiple switches with redundant links.
V-220661 Medium The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
V-220660 Medium The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
V-220669 Medium The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it.
V-220668 Medium The Cisco switch must not have the default VLAN assigned to any host-facing switch ports.
V-220658 Medium The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled.
V-220659 Medium The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
V-220650 Medium The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
V-220651 Medium The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
V-220656 Medium The Cisco switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports.
V-220657 Medium The Cisco switch must have STP Loop Guard enabled.
V-220670 Medium The Cisco switch must not use the default VLAN for management traffic.
V-220671 Medium The Cisco switch must have all user-facing or untrusted ports configured as access switch ports.
V-220672 Medium The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
V-220663 Low The Cisco switch must have IGMP or MLD Snooping configured on all VLANs.
V-220662 Low The Cisco switch must have Storm Control configured on all host-facing switchports.
V-220655 Low The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches.
V-220673 Low The Cisco switch must not have any switchports assigned to the native VLAN.