STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to log all packets that have been dropped at interfaces via an ACL.

DISA Rule

SV-221086r622190_rule

Vulnerability Number

V-221086

Group Title

SRG-NET-000078-RTR-000001

Rule Version

CISC-RT-000200

Severity

CAT III

CCI(s)

• CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.

Weight

10

Fix Recommendation

Configure ACLs to log packets that are dropped as shown in the example below:

SW1(config)# ip access-list EXTERNAL_ACL
SW1(config-acl)# 90 deny ip any any log
SW1(config-acl)# end

Check Contents

Review all ACLs used to filter traffic and verify that packets being dropped are logged as shown in the configuration below:

ip access-list EXTERNAL_ACL
10 permit tcp x.11.1.1/32 eq bgp x.11.1.2/32
20 permit tcp x.11.1.1/32 x.11.1.2/32 eq bgp
30 permit icmp x.11.1.1/32 x.11.1.2/32 echo
…
…
…
90 deny ip any any log

If packets being dropped at an interface are not logged, this is a finding.

Vulnerability Number

V-221086

Documentable

False

Rule Version

CISC-RT-000200

Severity Override Guidance

Review all ACLs used to filter traffic and verify that packets being dropped are logged as shown in the configuration below:

ip access-list EXTERNAL_ACL
10 permit tcp x.11.1.1/32 eq bgp x.11.1.2/32
20 permit tcp x.11.1.1/32 x.11.1.2/32 eq bgp
30 permit icmp x.11.1.1/32 x.11.1.2/32 echo
…
…
…
90 deny ip any any log

If packets being dropped at an interface are not logged, this is a finding.

Check Content Reference

M

Target Key

4075

Comments