STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.

DISA Rule

SV-220450r622190_rule

Vulnerability Number

V-220450

Group Title

SRG-NET-000364-RTR-000111

Rule Version

CISC-RT-000370

Severity

CAT III

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

Disable CDP on all external interfaces via no cdp enable command or disable CDP globally via no cdp run command.

Check Contents

Step 1: Verify if CDP is enabled globally as shown below:

cdp run

By default, CDP is not enabled globally or on any interface. If CDP is enabled globally, proceed to Step 2.

Step 2: Verify CDP is not enabled on any external interface as shown in the example below:

interface GigabitEthernet2
ip address z.1.24.4 255.255.255.252
…
…
…
cdp enable

If CDP is enabled on any external interface, this is a finding.

Vulnerability Number

V-220450

Documentable

False

Rule Version

CISC-RT-000370

Severity Override Guidance

Step 1: Verify if CDP is enabled globally as shown below:

cdp run

By default, CDP is not enabled globally or on any interface. If CDP is enabled globally, proceed to Step 2.

Step 2: Verify CDP is not enabled on any external interface as shown in the example below:

interface GigabitEthernet2
ip address z.1.24.4 255.255.255.252
…
…
…
cdp enable

If CDP is enabled on any external interface, this is a finding.

Check Content Reference

M

Target Key

4065

Comments