Skip to content
Log In

Cisco IOS Switch L2S Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-NET-000148-L2S-000015

    Group
    Show

  • SRG-NET-000168-L2S-000019

    Group
    Show

  • SRG-NET-000193-L2S-000020

    Group
    Show

  • The Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks.

    Denial of service is a condition when a resource is not available for legitimate users. Packet-flooding distributed DoS (DDoS) attacks are referred to as volumetric attacks and have the objective o...
    Rule Medium Severity
    Show

  • SRG-NET-000362-L2S-000021

    Group
    Show

  • SRG-NET-000362-L2S-000022

    Group
    Show

  • SRG-NET-000362-L2S-000023

    Group
    Show

  • The Cisco switch must have Spanning Tree Protocol (STP) Loop Guard enabled.

    The STP loop guard feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state...
    Rule Medium Severity
    Show

  • SRG-NET-000362-L2S-000024

    Group
    Show

  • The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled.

    Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When a router has an ...
    Rule Medium Severity
    Show

  • SRG-NET-000362-L2S-000025

    Group
    Show

  • SRG-NET-000362-L2S-000026

    Group
    Show

  • The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.

    IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature use...
    Rule Medium Severity
    Show

  • SRG-NET-000362-L2S-000027

    Group
    Show

  • The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.

    DAI intercepts ARP requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate des...
    Rule Medium Severity
    Show

  • SRG-NET-000512-L2S-000001

    Group
    Show

  • The Cisco switch must have Storm Control configured on all host-facing switchports.

    A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when ...
    Rule Low Severity
    Show

  • SRG-NET-000512-L2S-000002

    Group
    Show

  • SRG-NET-000512-L2S-000003

    Group
    Show

  • SRG-NET-000512-L2S-000004

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules