STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces.

DISA Rule

SV-220432r622190_rule

Vulnerability Number

V-220432

Group Title

SRG-NET-000362-RTR-000112

Rule Version

CISC-RT-000160

Severity

CAT III

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Disable IP directed broadcast on all interfaces as shown in the example below:

SW1(config)#int g0/1
SW1(config-if)#no ip directed-broadcast
SW1(config)#int vlan11
SW1(config-if)#no ip directed-broadcast

Check Contents

Review the switch configuration to determine if IP directed broadcast is disabled. The IP directed broadcast command must not be found on any interface as shown in the example below:

interface GigabitEthernet0/1
no switchport
ip address x.x.x.x 255.255.255.0
ip directed-broadcast
…
…
…
Interface Vlan11
no switchport
ip address x.x.x.x 255.255.255.0
ip directed-broadcast

If IP directed broadcast is not disabled on all interfaces, this is a finding.

Vulnerability Number

V-220432

Documentable

False

Rule Version

CISC-RT-000160

Severity Override Guidance

Review the switch configuration to determine if IP directed broadcast is disabled. The IP directed broadcast command must not be found on any interface as shown in the example below:

interface GigabitEthernet0/1
no switchport
ip address x.x.x.x 255.255.255.0
ip directed-broadcast
…
…
…
Interface Vlan11
no switchport
ip address x.x.x.x 255.255.255.0
ip directed-broadcast

If IP directed broadcast is not disabled on all interfaces, this is a finding.

Check Content Reference

M

Target Key

4065

Comments