STIGQter: STIG Summary: Cisco IOS XE Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.

DISA Rule

SV-220661r539671_rule

Vulnerability Number

V-220661

Group Title

SRG-NET-000362-L2S-000027

Rule Version

CISC-L2-000150

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Configure the switch to have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs as shown in the example below:

SW2(config)#ip arp inspection vlan 2,4-8,11

Check Contents

Review the switch configuration to verify that Dynamic Address Resolution Protocol (ARP) Inspection (DAI) feature is enabled on all user VLANs.

hostname SW2
…
…
…
ip arp inspection vlan 2,4-8,11

Note: DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses.

If DAI is not enabled on all user VLANs, this is a finding.

Vulnerability Number

V-220661

Documentable

False

Rule Version

CISC-L2-000150

Severity Override Guidance

Review the switch configuration to verify that Dynamic Address Resolution Protocol (ARP) Inspection (DAI) feature is enabled on all user VLANs.

hostname SW2
…
…
…
ip arp inspection vlan 2,4-8,11

Note: DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses.

If DAI is not enabled on all user VLANs, this is a finding.

Check Content Reference

M

Target Key

4071

Comments