STIGQter: STIG Summary: Cisco NX-OS Switch L2S Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 08 May 2020

The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.

DISA Rule

SV-110353r1_rule

Vulnerability Number

V-101249

Group Title

SRG-NET-000512-L2S-000004

Rule Version

CISC-L2-000190

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to enable Unidirectional Link Detection (UDLD) to protect against one-way connections.

SW1(config)# feature udld

Check Contents

If any of the switch ports have fiber optic interconnections with neighbors, review the switch configuration to verify that UDLD is enabled globally or on a per-interface basis, as shown in the examples below.

Step 1: Verify that the UDLD feature has been enabled as shown in the example below:

hostname SW1
feature udld

Step 2: Verify that UDLD has not been disabled on any fiber optic interfaces as shown in the example below:

interface GigabitEthernet0/3
udld disabled

Note: By default, UDLD is enabled on all interfaces with fiber optic connections. An alternative implementation, when UDLD is not supported by the connected device, is to deploy a single-member Link Aggregation Group (LAG) via IEEE 802.3ad Link Aggregation Control Protocol (LACP).

If the switch has fiber optic interconnections with neighbors and UDLD is not enabled, this is a finding.
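The two check steps above can be automated against a saved `show running-config`. The script below is an added example, not part of the STIG or of STIGQter: it confirms the global `feature udld` line is present and lists any operator-declared fiber interfaces where UDLD has been turned off. The running-config text, the interface names and the fiber-port list are constructed for the example; the config itself does not say which ports are fiber, so the auditor must supply that set. Interfaces in an LACP channel-group are reported separately as candidates for the single-member LAG alternative mentioned in the note, but are not automatically exempted.

```python
"""Audit an NX-OS running-config for CISC-L2-000190 (UDLD enabled).

Added example, not part of the STIG or STIGQter. Assumes the config was
captured with `show running-config` and that the reviewer supplies the set
of fiber-connected interfaces. All sample text below is constructed.
"""
import re

# Constructed sample running-config: global feature present, one fiber port
# has UDLD disabled (a finding), one copper port disabled (not a finding),
# one fiber port in an LACP channel-group (informational).
SAMPLE_CONFIG = """\
hostname SW1
feature udld
!
interface Ethernet1/1
  description uplink to CORE1 (fiber)
  udld disable
!
interface Ethernet1/2
  description uplink to CORE2 (fiber)
!
interface Ethernet1/10
  description copper access port
  udld disable
!
interface Ethernet1/11
  channel-group 10 mode active
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
# Accept the NX-OS keyword "udld disable" as well as the STIG's "udld disabled".
UDLD_DISABLED_RE = re.compile(r"^\s*udld\s+disabled?\s*$", re.IGNORECASE)
FEATURE_UDLD_RE = re.compile(r"^\s*feature\s+udld\s*$", re.IGNORECASE)
LACP_RE = re.compile(r"^\s*channel-group\s+\d+\s+mode\s+(active|passive)\b", re.IGNORECASE)


def parse_interfaces(config: str) -> dict:
    """Return {interface_name: [indented config lines under that interface]}."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if line.startswith((" ", "\t")) and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # unindented line: back at global config level
    return interfaces


def feature_udld_enabled(config: str) -> bool:
    """Step 1: the global 'feature udld' line must be present."""
    return any(FEATURE_UDLD_RE.match(line) for line in config.splitlines())


def audit_udld(config: str, fiber_interfaces: set) -> dict:
    """Evaluate both check steps for the declared fiber interfaces.

    'finding' is True when fiber ports exist and either the feature is not
    enabled globally or UDLD is disabled on at least one fiber port.
    """
    interfaces = parse_interfaces(config)
    global_ok = feature_udld_enabled(config)
    # Step 2: fiber ports where UDLD has been explicitly disabled.
    disabled_fiber = sorted(
        name for name, lines in interfaces.items()
        if name in fiber_interfaces and any(UDLD_DISABLED_RE.match(l) for l in lines)
    )
    # Informational: fiber ports in an LACP LAG (the note's alternative when
    # the neighbor does not support UDLD); reviewer decides, no auto-exemption.
    lacp_candidates = sorted(
        name for name, lines in interfaces.items()
        if name in fiber_interfaces and any(LACP_RE.match(l) for l in lines)
    )
    finding = bool(fiber_interfaces) and (not global_ok or bool(disabled_fiber))
    return {
        "global_enabled": global_ok,
        "disabled_fiber": disabled_fiber,
        "lacp_candidates": lacp_candidates,
        "finding": finding,
    }


if __name__ == "__main__":
    fiber = {"Ethernet1/1", "Ethernet1/2", "Ethernet1/11"}  # constructed
    print(audit_udld(SAMPLE_CONFIG, fiber))
```

Run it against a real capture by replacing `SAMPLE_CONFIG` with the file contents and `fiber` with the ports identified from the transceiver inventory; a result with `finding` set to True maps directly to the "this is a finding" condition above.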

Vulnerability Number

V-101249

Documentable

False

Rule Version

CISC-L2-000190

Severity Override Guidance


Check Content Reference

M

Target Key

3551

Comments