STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco perimeter switch must be configured to block all packets with any IP options.

DISA Rule

SV-221095r622190_rule

Vulnerability Number

V-221095

Group Title

SRG-NET-000205-RTR-000015

Rule Version

CISC-RT-000350

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

Configure the switch to drop all packets with IP option source routing.

SW1(config)# no ip source-route
SW1(config)# end

Check Contents

In Cisco NX-OS, all packets with any header option other than the “source-route” header option are dropped. By default, ipv4 source routing is enabled. Verify that source routing is disabled via the following command:

no ip source-route

If the switch is not configured to drop all packets with IP option source routing, this is a finding.

Vulnerability Number

V-221095

Documentable

False

Rule Version

CISC-RT-000350

Severity Override Guidance

In Cisco NX-OS, all packets with any header option other than the “source-route” header option are dropped. By default, ipv4 source routing is enabled. Verify that source routing is disabled via the following command:

no ip source-route

If the switch is not configured to drop all packets with IP option source routing, this is a finding.

Check Content Reference

M

Target Key

4075

Comments