STIGQter: STIG Summary: Cisco IOS Switch L2S Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.

DISA Rule

SV-220639r539671_rule

Vulnerability Number

V-220639

Group Title

SRG-NET-000512-L2S-000004

Rule Version

CISC-L2-000190

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to enable UDLD to protect against one-way connections:

SW2(config)#udld enable

or

SW2(config)#int g0/1
SW2(config-if)#udld port

Check Contents

If any of the switch ports have fiber optic interconnections with neighbors, review the switch configuration to verify that UDLD is enabled globally or on a per-interface basis as shown in the examples below:

hostname SW2

udld enable

or

interface GigabitEthernet0/1
udld port

Note: An alternative implementation when UDLD is not supported by the connected device is to deploy a single-member Link Aggregation Group (LAG) via IEEE 802.3ad Link Aggregation Control Protocol (LACP).

If the switch has fiber optic interconnections with neighbors and UDLD is not enabled, this is a finding.
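A scripted form of this check, added here as an example (it is not STIGQter's or DISA's code). It assumes the reviewer supplies the list of fiber-connected interfaces, since media type is not reliably visible in the configuration text; it accepts the single-member LACP LAG alternative from the note above, and also the IOS `aggressive` UDLD variants, which this page does not mention.

```python
import re

# Constructed sample config (not from the STIG): g0/1 per-port UDLD, g0/2 LACP alternative, g0/3 neither.
SAMPLE_CONFIG = """\
hostname SW2
!
interface GigabitEthernet0/1
 udld port
!
interface GigabitEthernet0/2
 channel-group 1 mode active
!
interface GigabitEthernet0/3
 description uplink to SW3
!
"""

def parse_ios(config):
    """Split an IOS config into global commands and per-interface command lists."""
    glob, ifaces, cur = [], {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            cur = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = []
        elif line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
        else:                      # any other top-level command ends the block
            cur = None
            glob.append(line.strip())
    return glob, ifaces

def udld_findings(config, fiber_ifaces):
    """Fiber interfaces that fail CISC-L2-000190: no global 'udld enable', no
    'udld port' on the interface, and not an LACP member (the STIG's noted
    alternative). 'aggressive' is the other IOS UDLD mode and is accepted."""
    glob, ifaces = parse_ios(config)
    if any(re.fullmatch(r"udld (enable|aggressive)", g) for g in glob):
        return []                  # enabled globally: covers every port
    findings = []
    for name in fiber_ifaces:
        cmds = ifaces.get(name, [])
        ok = any(c.startswith("udld port") for c in cmds) or any(
            re.fullmatch(r"channel-group \d+ mode active", c) for c in cmds)
        if not ok:
            findings.append(name)
    return findings
```

An empty fiber interface list means the rule is not applicable and no finding is reported; any interface named in the list but absent from the configuration is reported as a finding.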

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4070

Comments