STIGQter STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco perimeter switch must be configured to filter ingress traffic at the external interface on an inbound direction.

DISA Rule

SV-220446r622190_rule

Vulnerability Number

V-220446

Group Title

SRG-NET-000205-RTR-000004

Rule Version

CISC-RT-000330

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to use an inbound ACL on all external interfaces as shown in the example below:

SW1(config)#int g0/2
SW1(config-if)#ip access-group EXTERNAL_ACL_INBOUND in

Check Contents

Review the switch configuration to verify that an inbound ACL is configured on all external interfaces as shown in the example below:

interface GigabitEthernet0/2
ip address x.11.1.2 255.255.255.254
ip access-group EXTERNAL_ACL_INBOUND in

If the switch is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.

Vulnerability Number

V-220446

Documentable

False

Rule Version

CISC-RT-000330

Severity Override Guidance

Review the switch configuration to verify that an inbound ACL is configured on all external interfaces as shown in the example below:

interface GigabitEthernet0/2
ip address x.11.1.2 255.255.255.254
ip access-group EXTERNAL_ACL_INBOUND in

If the switch is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.

Check Content Reference

M

Target Key

4065

Comments