STIGQter: STIG Summary: Cisco IOS XE Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled.

DISA Rule

SV-220658r539671_rule

Vulnerability Number

V-220658

Group Title

SRG-NET-000362-L2S-000024

Rule Version

CISC-L2-000120

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to have Unknown Unicast Flood Blocking (UUFB) enabled as shown in the configuration example below:

SW1(config)#int range g0/0 - 9
SW1(config-if-range)#switchport block unicast

Check Contents

Review the switch configuration to verify that UUFB is enabled on all access switch ports as shown in the configuration example below:

interface GigabitEthernet0/0
 switchport block unicast
!
interface GigabitEthernet0/1
 switchport block unicast

interface GigabitEthernet0/9
 switchport block unicast

If any access switch ports do not have UUFB enabled, this is a finding.
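The check above can be automated against a saved running configuration. The following is an added example, not part of the STIG or of STIGQter: it parses interface stanzas and lists access ports that lack "switchport block unicast". The sample configuration is constructed, the function names are hypothetical, and a port is assumed to be an access port when its stanza contains "switchport mode access".

```python
import re

# Constructed sample of "show running-config" output (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 switchport mode access
 switchport block unicast
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode access
 switchport block unicast
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
"""

def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any top-level command ends the stanza
    return interfaces

def uufb_findings(config_text):
    """List access ports whose stanza lacks 'switchport block unicast'."""
    # Assumption: 'switchport mode access' identifies an access port;
    # trunk ports and routed/SVI interfaces are out of scope for this check.
    return [name for name, cmds in parse_interfaces(config_text).items()
            if "switchport mode access" in cmds
            and "switchport block unicast" not in cmds]

if __name__ == "__main__":
    for port in uufb_findings(SAMPLE_CONFIG):
        print(f"FINDING CISC-L2-000120: {port} has no 'switchport block unicast'")
```

Ports that rely on a default or dynamic switchport mode carry no "switchport mode access" line and are not evaluated by this sketch; review those manually.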

Documentable

False

Severity Override Guidance

Review the switch configuration to verify that UUFB is enabled on all access switch ports as shown in the configuration example below:

interface GigabitEthernet0/0
 switchport block unicast
!
interface GigabitEthernet0/1
 switchport block unicast

interface GigabitEthernet0/9
 switchport block unicast

If any access switch ports do not have UUFB enabled, this is a finding.

Check Content Reference

M

Target Key

4071

Comments