STIGQter STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco PE switch must be configured to ignore or drop all packets with any IP options.

DISA Rule

SV-221128r622190_rule

Vulnerability Number

V-221128

Group Title

SRG-NET-000205-RTR-000016

Rule Version

CISC-RT-000750

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to drop all packets with IP option source routing.

SW1(config)# no ip source-route
SW1(config)# end

Check Contents

In Cisco NX-OS, all packets with any header option other than the “source-route” header option are dropped. By default, ipv4 source routing is enabled. Verify that source routing is disabled via the following command:

no ip source-route

If the switch is not configured to drop all packets with IP option source routing, this is a finding.

Vulnerability Number

V-221128

Documentable

False

Rule Version

CISC-RT-000750

Severity Override Guidance

In Cisco NX-OS, all packets with any header option other than the “source-route” header option are dropped. By default, ipv4 source routing is enabled. Verify that source routing is disabled via the following command:

no ip source-route

If the switch is not configured to drop all packets with IP option source routing, this is a finding.

Check Content Reference

M

Target Key

4075

Comments