STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:SV-221009r622190_rule
V-221009
SRG-NET-000364-RTR-000109
CISC-RT-000260
CAT II
10
Configure the switch to allow only incoming communications from authorized sources to be routed to authorized destinations.
SW1(config)#ip access-list extended FILTER_PERIMETER
SW1(config-ext-nacl)#permit tcp any any established
…
…
…
SW1(config-ext-nacl)#permit udp host x.12.1.9 host x.12.1.21 eq ntp
SW1(config-ext-nacl)#deny ip any any log-input
SW1(config-ext-nacl)#end
Review the switch configuration to determine if the switch allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21.
ip access-list extended FILTER_PERIMETER
permit tcp any any established
…
…
…
permit udp host x.12.1.9 host x.12.1.21 eq ntp
deny ip any any log-input
If the switch does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.
V-221009
False
CISC-RT-000260
Review the switch configuration to determine if the switch allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21.
ip access-list extended FILTER_PERIMETER
permit tcp any any established
…
…
…
permit udp host x.12.1.9 host x.12.1.21 eq ntp
deny ip any any log-input
If the switch does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.
M
4074