STIGQter STIGQter: STIG Summary: Cisco NX-OS Switch L2S Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 08 May 2020:

The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.

DISA Rule

SV-110347r1_rule

Vulnerability Number

V-101243

Group Title

SRG-NET-000362-L2S-000027

Rule Version

CISC-L2-000150

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs as shown in the example below:

SW1(config)# ip arp inspection vlan 2,4-8,11

Check Contents

Review the switch configuration to verify that Dynamic Address Resolution Protocol (ARP) Inspection (DAI) feature is enabled on all user VLANs.

hostname SW2



ip arp inspection vlan 2,4-8,11

Note: DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses.

If DAI is not enabled on all user VLANs, this is a finding.

Vulnerability Number

V-101243

Documentable

False

Rule Version

CISC-L2-000150

Severity Override Guidance

Review the switch configuration to verify that Dynamic Address Resolution Protocol (ARP) Inspection (DAI) feature is enabled on all user VLANs.

hostname SW2



ip arp inspection vlan 2,4-8,11

Note: DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses.

If DAI is not enabled on all user VLANs, this is a finding.

Check Content Reference

M

Target Key

3551

Comments