STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces.

DISA Rule

SV-221082r622190_rule

Vulnerability Number

V-221082

Group Title

SRG-NET-000362-RTR-000111

Rule Version

CISC-RT-000150

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Disable Gratuitous ARP as shown in the example below:

SW1(config)# int e2/7
SW1(config-if)# no ip arp gratuitous request
SW1(config-if)# end

Check Contents

Review the configuration to determine if gratuitous ARP is disabled on all external interfaces as shown in the example below:

interface Ethernet2/7
no switchport
ip address x.22.4.2/30
no ip arp gratuitous request

Note: Gratuitous ARP is enabled on all interfaces by default.

If gratuitous ARP is enabled on any external interface, this is a finding.

Vulnerability Number

V-221082

Documentable

False

Rule Version

CISC-RT-000150

Severity Override Guidance

Review the configuration to determine if gratuitous ARP is disabled on all external interfaces as shown in the example below:

interface Ethernet2/7
no switchport
ip address x.22.4.2/30
no ip arp gratuitous request

Note: Gratuitous ARP is enabled on all interfaces by default.

If gratuitous ARP is enabled on any external interface, this is a finding.

Check Content Reference

M

Target Key

4075

Comments