Skip to content

Cisco IOS Switch RTR Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-NET-000364-RTR-000111

    <GroupDescription></GroupDescription>
    Group
  • The Cisco perimeter switch must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.

    &lt;VulnDiscussion&gt;LLDP is a neighbor discovery protocol used to advertise device capabilities, configuration information, and device identity. ...
    Rule Low Severity
  • SRG-NET-000364-RTR-000111

    <GroupDescription></GroupDescription>
    Group
  • The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.

    &lt;VulnDiscussion&gt;CDP is a Cisco proprietary neighbor discovery protocol used to advertise device capabilities, configuration information, and ...
    Rule Low Severity
  • SRG-NET-000364-RTR-000112

    <GroupDescription></GroupDescription>
    Group
  • The Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces.

    &lt;VulnDiscussion&gt;When Proxy ARP is enabled on a switch, it allows that switch to extend the network (at Layer 2) across multiple interfaces (L...
    Rule Medium Severity
  • SRG-NET-000364-RTR-000113

    <GroupDescription></GroupDescription>
    Group
  • The Cisco perimeter switch must be configured to block all outbound management traffic.

    &lt;VulnDiscussion&gt;For in-band management, the management network must have its own subnet in order to enforce control and access boundaries pro...
    Rule Medium Severity
  • SRG-NET-000205-RTR-000012

    <GroupDescription></GroupDescription>
    Group
  • The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.

    &lt;VulnDiscussion&gt;The OOBM access switch will connect to the management interface of the managed network elements. The management interface can...
    Rule Medium Severity
  • SRG-NET-000343-RTR-000001

    <GroupDescription></GroupDescription>
    Group
  • The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

    &lt;VulnDiscussion&gt;LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 f...
    Rule Medium Severity
  • SRG-NET-000205-RTR-000007

    <GroupDescription></GroupDescription>
    Group
  • The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure.

    &lt;VulnDiscussion&gt;IP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from an...
    Rule High Severity
  • SRG-NET-000205-RTR-000008

    <GroupDescription></GroupDescription>
    Group
  • The Cisco PE switch must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.

    &lt;VulnDiscussion&gt;The uRPF feature is a defense against spoofing and denial-of-service (DoS) attacks by verifying if the source address of any ...
    Rule Medium Severity
  • SRG-NET-000193-RTR-000113

    <GroupDescription></GroupDescription>
    Group
  • The Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.

    &lt;VulnDiscussion&gt;Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availabi...
    Rule Low Severity
  • SRG-NET-000193-RTR-000114

    <GroupDescription></GroupDescription>
    Group
  • The Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.

    &lt;VulnDiscussion&gt;Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availabi...
    Rule Low Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules