STIGQter: STIG Summary: Cisco NX-OS Switch L2S Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 08 May 2020:

The Cisco switch must have all user-facing or untrusted ports configured as access switch ports.

DISA Rule

SV-110363r1_rule

Vulnerability Number

V-101259

Group Title

SRG-NET-000512-L2S-000011

Rule Version

CISC-L2-000250

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Disable trunking on all user-facing or untrusted switch ports.

SW1(config)# int e1/3-128
SW1(config-if)# switchport mode access
SW1(config-if)# end

Check Contents

Review the switch configurations and examine all user-facing or untrusted switchports. The example below depicts both access and trunk ports.

interface Ethernet1/1
switchport
switchport mode trunk
switchport trunk allowed vlan 1-998,1000-4094

interface Ethernet1/2
switchport
switchport mode trunk
switchport trunk allowed vlan 2-998,1000-4094

interface Ethernet1/3

interface Ethernet1/4
switchport access vlan 10

Note: switchport mode access is the default and hence will not be shown in the configuration.

If any of the user-facing switch ports are configured as a trunk, this is a finding.

Vulnerability Number

V-101259

Documentable

False

Rule Version

CISC-L2-000250

Severity Override Guidance

Check Content Reference

M

Target Key

3551

Comments