STIGQter: STIG Summary: Cisco NX-OS Switch L2S Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 08 May 2020

The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.

DISA Rule

SV-110345r1_rule

Vulnerability Number

V-101241

Group Title

SRG-NET-000362-L2S-000026

Rule Version

CISC-L2-000140

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to have IP Source Guard enabled on all user-facing or untrusted access switch ports.

SW1(config)# int e1/1-32
SW1(config-if-range)# ip verify source dhcp-snooping-vlan

Check Contents

Review the switch configuration to verify that IP Source Guard is enabled on all user-facing or untrusted access switch ports as shown in the example below:

interface Ethernet1/1
  ip verify source dhcp-snooping-vlan

interface Ethernet1/2
  ip verify source dhcp-snooping-vlan

…

interface Ethernet1/32
  ip verify source dhcp-snooping-vlan

Note: the IP Source Guard feature depends on the entries in the DHCP snooping database or static IP-MAC-VLAN configuration commands to verify IP-to-MAC address bindings.

If the switch does not have IP Source Guard enabled on all untrusted access switch ports, this is a finding.
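
One way to automate this check against a saved running-config, as an added example (not part of the STIG or of Cisco tooling). It assumes NX-OS-style indented interface stanzas and treats every Ethernet interface that is neither a trunk nor a routed port as an untrusted access port; the sample configuration is constructed.

```python
import re

IPSG = "ip verify source dhcp-snooping-vlan"

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 10
interface Ethernet1/1
  switchport access vlan 10
  ip verify source dhcp-snooping-vlan
interface Ethernet1/2
  switchport access vlan 10
interface Ethernet1/3
  switchport mode trunk
interface Ethernet1/4
  no switchport
  ip address 192.0.2.1/30
interface mgmt0
  ip address 198.51.100.5/24
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line) if not raw[:1].isspace() else None
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif raw[:1].isspace() and current is not None:
            current.append(line)
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas

def audit(config):
    """Return (ports missing IPSG, True if a binding source is configured)."""
    missing = []
    for name, cmds in parse_interfaces(config).items():
        if not name.lower().startswith("ethernet"):
            continue
        # Assumption: trunks and routed ports are not user-facing access ports.
        if "switchport mode trunk" in cmds or "no switchport" in cmds:
            continue
        if IPSG not in cmds:
            missing.append(name)
    top = [l.strip() for l in config.splitlines() if l[:1] and not l[:1].isspace()]
    snooping = "feature dhcp" in top and "ip dhcp snooping" in top
    static = any(l.startswith("ip source binding ") for l in top)
    return missing, snooping or static
```

Any interface in the first element of the result is a finding under this rule; a False second element means neither DHCP snooping nor a static binding was found, so the bindings IP Source Guard depends on would be absent.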

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3551

Comments