SV-220624r539671_rule
V-220624
SRG-NET-000168-L2S-000019
CISC-L2-000030
CAT II
10
Configure the switch to authenticate all VTP messages with a hash function using a configured password as shown in the example below:
SW1(config)#vtp password xxxxxxxxx
Review the switch configuration to verify that VTP is enabled using the show vtp status command as shown in the example below:
Switch#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5e00.0000.8000
Feature VLAN:
--------------
VTP Operating Mode : Off
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 0
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC
Switch#
If the VTP Operating Mode is anything other than Off, verify that a VTP password has been configured using the show vtp password command.
Note: VTP authenticates all messages using an MD5 hash that consists of the VTP version plus the VTP Password plus VTP Domain plus VTP Configuration Revision.
If VTP is enabled on the switch and is not authenticating VTP messages with a hash function using a configured password, this is a finding.
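The check text above is a manual CLI procedure. As an added example (not part of the STIG record and not Cisco's or DISA's code), the Python below applies the same decision logic to captured command output, so the check can be run across many switches from collected `show vtp status` and `show vtp password` captures. The sample captures are constructed; the exact wording IOS prints for `show vtp password` is an assumption and the matching regex should be adjusted to the audited platform.

```python
"""Apply the CISC-L2-000030 check text to captured CLI output (added example)."""
import re
from typing import Optional

# Constructed `show vtp status` capture with VTP active in server mode,
# modelled on the output format shown in the check text.
STATUS_SERVER = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : CORP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 5e00.0000.8000
Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
Configuration Revision          : 3
"""

# Constructed capture with VTP switched off (the rule then does not apply).
STATUS_OFF = re.sub(r"(VTP Operating Mode\s*:\s*)Server", r"\1Off", STATUS_SERVER)

# Constructed `show vtp password` captures. The wording is an assumption;
# adjust the regex in vtp_password_configured() to the real output.
PASSWORD_SET = "VTP Password: xxxxxxxxx\n"
PASSWORD_UNSET = "The VTP password is not configured.\n"


def vtp_operating_mode(status_output: str) -> str:
    """Return the lower-cased VTP operating mode from `show vtp status`.

    On VTP version 3 the mode is listed per feature (VLAN, then MST); the
    first match is the VLAN feature, which is what this rule concerns.
    """
    match = re.search(r"^VTP Operating Mode\s*:\s*(\S+)", status_output, re.M)
    if match is None:
        raise ValueError("no 'VTP Operating Mode' line in show vtp status output")
    return match.group(1).lower()


def vtp_password_configured(password_output: str) -> bool:
    """True only when `show vtp password` reports a non-empty password."""
    return re.search(r"^VTP Password\s*:\s*(\S+)", password_output, re.M) is not None


def check_cisc_l2_000030(status_output: str,
                         password_output: Optional[str] = None) -> dict:
    """Finding when VTP is enabled and no VTP password is configured.

    An unknown state (VTP active but no `show vtp password` capture) is
    reported as a finding so that the audit fails closed.
    """
    mode = vtp_operating_mode(status_output)
    if mode == "off":
        return {"mode": mode, "finding": False,
                "reason": "VTP operating mode is off; rule not applicable"}
    if password_output is None:
        return {"mode": mode, "finding": True,
                "reason": "VTP active but show vtp password output not collected"}
    if vtp_password_configured(password_output):
        return {"mode": mode, "finding": False,
                "reason": "VTP active and a VTP password is configured"}
    return {"mode": mode, "finding": True,
            "reason": "VTP active without a configured password"}


if __name__ == "__main__":
    cases = (("off", STATUS_OFF, None),
             ("server, no password", STATUS_SERVER, PASSWORD_UNSET),
             ("server, password set", STATUS_SERVER, PASSWORD_SET))
    for label, status, pw in cases:
        print(f"{label:22s} -> {check_cisc_l2_000030(status, pw)}")
```

The mode is read before the password so a switch with VTP off is never flagged for a missing password, matching the check text; only when the mode is Client, Server or Transparent does the password capture decide the result.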
V-220624
False
CISC-L2-000030
M
4070