STIGQter: STIG Summary: Cisco IOS Switch L2S Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Cisco switch must have all trunk links enabled statically.

DISA Rule

SV-220640r539671_rule

Vulnerability Number

V-220640

Group Title

SRG-NET-000512-L2S-000005

Rule Version

CISC-L2-000200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to enable trunk links statically as shown in the configuration below:

SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport nonegotiate

Check Contents

By default, DTP is enabled on all Cisco switches. Review the switch configuration to verify that no interface can form a trunk through DTP negotiation, as shown in the example below:

SW2#show interfaces switchport
Name: Gi0/0
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

If trunk negotiation is enabled on any interface, this is a finding.
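As an added example (not part of the STIG or of STIGQter), the following Python check parses `show interfaces switchport` output and reports every interface where Negotiation of Trunking is On, which is the condition the check above calls a finding. The two-interface sample output is constructed: Gi0/0 mirrors the example above, Gi0/1 shows what a statically configured trunk with `switchport nonegotiate` reports.

```python
"""Flag interfaces that still negotiate trunking (DTP) in `show interfaces switchport` output."""

# Constructed sample output: Gi0/0 still negotiates (finding), Gi0/1 is a static trunk with nonegotiate.
SAMPLE_OUTPUT = """\
Name: Gi0/0
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
"""


def parse_switchport(output: str) -> list[dict[str, str]]:
    """Split the command output into one dict of 'Field: value' pairs per 'Name:' block."""
    interfaces: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # blank separator or a line without a field/value pair
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Name":
            current = {"Name": value}  # a new interface block starts here
            interfaces.append(current)
        elif current is not None:
            current[key] = value
    return interfaces


def find_dtp_findings(output: str) -> list[str]:
    """Return the names of switchport interfaces where trunk negotiation (DTP) is On."""
    return [
        intf["Name"]
        for intf in parse_switchport(output)
        if intf.get("Switchport") == "Enabled"
        and intf.get("Negotiation of Trunking", "").lower() == "on"
    ]


if __name__ == "__main__":
    for name in find_dtp_findings(SAMPLE_OUTPUT):
        print(f"FINDING CISC-L2-000200: {name} still negotiates trunking (DTP enabled)")
```

Run it against the saved output of `show interfaces switchport` from the switch under review; an empty result means no interface is negotiating trunking.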

Documentable

False

Check Content Reference

M

Target Key

4070

Comments