STIGQter: STIG Summary: Cisco IOS Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must have all user-facing or untrusted ports configured as access switch ports.

DISA Rule

SV-220645r539671_rule

Vulnerability Number

V-220645

Group Title

SRG-NET-000512-L2S-000011

Rule Version

CISC-L2-000250

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Disable trunking on all user-facing or untrusted switch ports:

SW1(config)#int g0/6
SW1(config-if)#switchport mode access
SW1(config-if)#end

Check Contents

Review the switch configurations and examine all user-facing or untrusted switchports. The example below depicts both access and trunk ports:

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0/2
switchport access vlan 11
negotiation auto
!
interface GigabitEthernet0/3
switchport access vlan 12
negotiation auto

If any of the user-facing switch ports are configured as a trunk, this is a finding.
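The following script is an added example, not part of the STIG or of STIGQter, that automates the check above: it parses the interface blocks of a Cisco IOS running-config, looks at the ports an operator has listed as user-facing, and reports any configured as a trunk as a finding, printing the fix from the Fix Recommendation for each. The list of user-facing ports (USER_FACING_PORTS) and the sample configuration (the three interfaces shown in the check content, constructed here as a string) are assumptions. It goes one step beyond the STIG text: a port with no explicit "switchport mode access" is reported as a warning, because Cisco IOS defaults such a port to a DTP-negotiable mode; the STIG itself only counts explicit trunks as findings.

```python
"""Audit Cisco IOS interface configs for CISC-L2-000250 (added example)."""
import re

# Constructed sample: the three interfaces shown in the STIG check content.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/2
 switchport access vlan 11
 negotiation auto
!
interface GigabitEthernet0/3
 switchport access vlan 12
 negotiation auto
"""

# Assumption: the site's own inventory of user-facing/untrusted ports. The STIG
# does not define which ports these are; an operator supplies this set.
USER_FACING_PORTS = {"GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/3"}


def parse_interfaces(config: str) -> dict:
    """Split a running-config into {interface name: [its sub-commands]}.

    Tolerates both indented (real 'show run') and unindented (copied) text;
    a bare '!' line closes the current interface block.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def switchport_mode(commands: list) -> str:
    """Return the explicit 'switchport mode' value, or 'dynamic' if unset.

    Assumption: an unset mode is treated as DTP-negotiable, since IOS defaults
    to dynamic auto or dynamic desirable depending on the platform.
    """
    for cmd in commands:
        m = re.match(r"switchport mode (\S+)", cmd)
        if m:
            return m.group(1)
    return "dynamic"


def audit(config: str, user_facing: set) -> dict:
    """Classify each user-facing port.

    'finding'   -> configured as a trunk (the STIG's finding condition)
    'compliant' -> explicit 'switchport mode access'
    'warning'   -> no explicit mode (added check, not in the STIG text)
    """
    result = {"finding": [], "compliant": [], "warning": []}
    for name, cmds in parse_interfaces(config).items():
        if name not in user_facing:
            continue
        mode = switchport_mode(cmds)
        if mode == "trunk":
            result["finding"].append(name)
        elif mode == "access":
            result["compliant"].append(name)
        else:
            result["warning"].append(name)
    return result


def remediation(port: str) -> str:
    """Render the STIG's Fix Recommendation as a CLI snippet for one port."""
    return f"interface {port}\n switchport mode access\n"


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, USER_FACING_PORTS)
    for port in report["finding"]:
        print(f"FINDING: {port} is a trunk; fix:\n{remediation(port)}")
    for port in report["warning"]:
        print(f"WARNING: {port} has no explicit 'switchport mode access'; DTP may negotiate a trunk")
    for port in report["compliant"]:
        print(f"OK: {port}")
```

Run against a saved "show running-config" by reading the file into audit() in place of SAMPLE_CONFIG; only ports in the operator-supplied set are evaluated, so uplinks and other legitimately trunked ports are not reported.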

Vulnerability Number

V-220645

Documentable

False

Rule Version

CISC-L2-000250

Severity Override Guidance

Review the switch configurations and examine all user-facing or untrusted switchports. The example below depicts both access and trunk ports:

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0/2
switchport access vlan 11
negotiation auto
!
interface GigabitEthernet0/3
switchport access vlan 12
negotiation auto

If any of the user-facing switch ports are configured as a trunk, this is a finding.

Check Content Reference

M

Target Key

4070

Comments