STIGQter STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure.

DISA Rule

SV-220455r622190_rule

Vulnerability Number

V-220455

Group Title

SRG-NET-000205-RTR-000007

Rule Version

CISC-RT-000730

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.

Step 1: Configure an ingress ACL to discard and log packets destined to the IP core address space.

SW2(config)#ip access-list extended BLOCK_TO_CORE
SW2(config-ext-nacl)#deny ip any 10.1.x.0 0.0.255.255 log-input
SW2(config-ext-nacl)#exit

Step 2: Apply the ACL inbound to all external or CE-facing interfaces.

SW2(config)#int SW1(config)#int g0/2
SW2(config-if)#ip access-group BLOCK_TO_CORE in
SW2(config-if)#end

Check Contents

Step 1: Review the switch configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces.

interface GigabitEthernet0/2
no switchport
ip address x.1.12.2 255.255.255.252
ip access-group BLOCK_TO_CORE in

Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space.

ip access-list extended BLOCK_TO_CORE
deny ip any 10.1.x.0 0.0.255.255 log-input
permit ip any any
!

If the PE switch is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent neighbors.

Vulnerability Number

V-220455

Documentable

False

Rule Version

CISC-RT-000730

Severity Override Guidance

Step 1: Review the switch configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces.

interface GigabitEthernet0/2
no switchport
ip address x.1.12.2 255.255.255.252
ip access-group BLOCK_TO_CORE in

Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space.

ip access-list extended BLOCK_TO_CORE
deny ip any 10.1.x.0 0.0.255.255 log-input
permit ip any any
!

If the PE switch is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent neighbors.

Check Content Reference

M

Target Key

4065

Comments