UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Cisco NX OS Switch L2S Security Technical Implementation Guide


Overview

Date Finding Count (23)
2023-06-01 CAT I (High): 1 CAT II (Med): 18 CAT III (Low): 4
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-220675 High The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection.
V-220694 Medium The Cisco switch must have all user-facing or untrusted ports configured as access switch ports.
V-220695 Medium The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
V-220692 Medium The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it.
V-220693 Medium The Cisco switch must not use the default VLAN for management traffic.
V-220690 Medium The Cisco switch must have all disabled switch ports assigned to an unused VLAN.
V-220691 Medium The Cisco switch must not have the default VLAN assigned to any host-facing switch ports.
V-220674 Medium The Cisco switch must be configured to disable non-essential capabilities.
V-220676 Medium The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
V-220677 Medium The Cisco switch must be configured for authorized users to select a user session to capture.
V-220678 Medium The Cisco switch must be configured for authorized users to remotely view, in real time, all content related to an established user session from a component separate from The Cisco switch.
V-220679 Medium The Cisco switch must authenticate all endpoint devices before establishing any connection.
V-220689 Medium The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
V-220681 Medium The Cisco switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports.
V-220683 Medium The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled.
V-220682 Medium The Cisco switch must have STP Loop Guard enabled.
V-220685 Medium The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
V-220684 Medium The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
V-220686 Medium The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
V-220696 Low The Cisco switch must not have any switchports assigned to the native VLAN.
V-220688 Low The Cisco switch must have IGMP or MLD Snooping configured on all VLANs.
V-220680 Low The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.
V-220687 Low The Cisco switch must have Storm Control configured on all host-facing switchports.