STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.

DISA Rule

SV-221084r622190_rule

Vulnerability Number

V-221084

Group Title

SRG-NET-000362-RTR-000113

Rule Version

CISC-RT-000170

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Disable ip unreachables on all external interfaces as shown below:

SW1(config)# int e2/7
SW1(config-if)# no ip unreachables
SW1(config-if)# end

Check Contents

Review the switch configuration to determine if it is compliant with this requirement. The ip unreachables command must not be found on any interface as shown in the example below:

interface Ethernet2/7
no switchport
ip address x.22.4.2/30
ip unreachables

If ICMP unreachable notifications are sent from any external interfaces, this is a finding.

Vulnerability Number

V-221084

Documentable

False

Rule Version

CISC-RT-000170

Severity Override Guidance

Review the switch configuration to determine if it is compliant with this requirement. The ip unreachables command must not be found on any interface as shown in the example below:

interface Ethernet2/7
no switchport
ip address x.22.4.2/30
ip unreachables

If ICMP unreachable notifications are sent from any external interfaces, this is a finding.

Check Content Reference

M

Target Key

4075

Comments