STIGQter: STIG Summary: Cisco NX-OS Switch L2S Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 08 May 2020:

The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.

DISA Rule

SV-110327r1_rule

Vulnerability Number

V-101223

Group Title

SRG-NET-000168-L2S-000019

Rule Version

CISC-L2-000030

Severity

CAT II

CCI(s)

• CCI-000803 - The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Weight

10

Fix Recommendation

Configure the switch to authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using a configured password as shown in the example below:

SW1(config)# vtp password xxxxxxxxx

Check Contents

Review the switch configuration to verify if VTP is enabled.

Step 1: Enter the show feature command to determine if vtp is enabled.

Step 2: Enter the show vtp status command to determine operating mode.

SW1# show vtp status
VTP Status Information
----------------------
VTP Version : 2 (capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Transparent
VTP Domain Name : XXXXX
VTP Pruning Mode : Disabled (Operationally Disabled)
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 Digest : 0x0C 0x5E 0xC3 0x74 0x3F 0xB0 0x2F 0x49

If mode is set to anything other than off or transparent, verify that a password has been configured using the show vtp password command.

Note: VTP authenticates all messages using an MD5 hash that consists of the VTP version + The VTP Password + VTP Domain + VTP Configuration Revision.

If VTP is enabled on the switch and is not authenticating VTP messages with a hash function using a configured password, this is a finding.

Vulnerability Number

V-101223

Documentable

False

Rule Version

CISC-L2-000030

Severity Override Guidance

Review the switch configuration to verify if VTP is enabled.

Step 1: Enter the show feature command to determine if vtp is enabled.

Step 2: Enter the show vtp status command to determine operating mode.

SW1# show vtp status
VTP Status Information
----------------------
VTP Version : 2 (capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Transparent
VTP Domain Name : XXXXX
VTP Pruning Mode : Disabled (Operationally Disabled)
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 Digest : 0x0C 0x5E 0xC3 0x74 0x3F 0xB0 0x2F 0x49

If mode is set to anything other than off or transparent, verify that a password has been configured using the show vtp password command.

Note: VTP authenticates all messages using an MD5 hash that consists of the VTP version + The VTP Password + VTP Domain + VTP Configuration Revision.

If VTP is enabled on the switch and is not authenticating VTP messages with a hash function using a configured password, this is a finding.

Check Content Reference

M

Target Key

3551

Comments