SV-220484r604141_rule
V-220484
SRG-APP-000097-NDM-000227
CISC-ND-000290
CAT II
10
Enable OAL as shown in the example below:
SW1(config)# logging ip access-list cache entries nnnn
Set the ‘log’ parameter after any ‘deny’ entries in the ACL as referenced in the check text above.
Step 1: Review the deny statements in all interface ACLs to determine if the log parameter has been configured as shown in the example below:
ip access-list extended BLOCK_INBOUND
deny icmp any any log
Step 2: Verify that the Optimized Access-list Logging (OAL) has been configured.
logging ip access-list cache entries nnnn
Note: Once OAL has been enabled, the logged ACL hits can be viewed via the show log ip access-list cache command.
If the switch is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.
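Added example (not part of the STIG or of Cisco's own tooling): a small Python checker that applies Step 1 and Step 2 above to a constructed running-config excerpt, listing deny entries that carry neither `log` nor `log-input` and reporting whether the OAL cache line is present. The sample config, function names and the "entries 8000" value are assumptions.

```python
import re

# Constructed Cisco IOS running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
!
ip access-list extended BLOCK_INBOUND
 permit tcp any host 192.0.2.10 eq 443
 deny icmp any any log
 deny ip any any
!
ip access-list extended MGMT_IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny ip any any log-input
!
access-list 110 deny tcp any any eq 23
access-list 110 permit ip any any
!
"""

def unlogged_deny_entries(config):
    """Return (acl, entry) for every deny ACE that lacks 'log' or 'log-input' (Step 1)."""
    findings = []
    acl = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^ip access-list (?:standard|extended) (\S+)", line)
        if m:
            acl = m.group(1)          # entering a named ACL block
            continue
        if line and not line.startswith(" "):
            acl = None                # any non-indented line ends the block
        m_num = re.match(r"^access-list (\d+) (.*)", line)
        if m_num:
            name, entry = m_num.group(1), m_num.group(2)   # numbered ACL, one line per ACE
        elif acl and line.startswith(" "):
            name, entry = acl, line.strip()                # ACE inside a named ACL
        else:
            continue
        words = entry.split()
        if words and words[0] == "deny" and not ({"log", "log-input"} & set(words)):
            findings.append((name, entry))
    return findings

def oal_enabled(config):
    """True when 'logging ip access-list cache entries <n>' is configured (Step 2)."""
    return re.search(r"^logging ip access-list cache entries \d+", config, re.M) is not None

def is_finding(config):
    """The rule is a finding if any deny ACE is unlogged or OAL is not enabled."""
    return bool(unlogged_deny_entries(config)) or not oal_enabled(config)
```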