STIGQter STIGQter: STIG Summary: Cisco IOS XE Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.

DISA Rule

SV-220660r539671_rule

Vulnerability Number

V-220660

Group Title

SRG-NET-000362-L2S-000026

Rule Version

CISC-L2-000140

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to have IP Source Guard enabled on all user-facing or untrusted access switch ports.

SW2(config)#int range g0/0 - 9
SW2(config-if-range)#ip verify source

Check Contents

Review the switch configuration to verify that IP Source Guard is enabled on all user-facing or untrusted access switch ports as shown in the example below:

interface GigabitEthernet0/0
ip verify source
!
interface GigabitEthernet0/1
ip verify source



interface GigabitEthernet0/9
ip verify source

Note: The IP Source Guard feature depends on the entries in the DHCP snooping database or static IP-MAC-VLAN configuration commands to verify IP-to-MAC address bindings.

If the switch does not have IP Source Guard enabled on all untrusted access switch ports, this is a finding.

Vulnerability Number

V-220660

Documentable

False

Rule Version

CISC-L2-000140

Severity Override Guidance

Review the switch configuration to verify that IP Source Guard is enabled on all user-facing or untrusted access switch ports as shown in the example below:

interface GigabitEthernet0/0
ip verify source
!
interface GigabitEthernet0/1
ip verify source



interface GigabitEthernet0/9
ip verify source

Note: The IP Source Guard feature depends on the entries in the DHCP snooping database or static IP-MAC-VLAN configuration commands to verify IP-to-MAC address bindings.

If the switch does not have IP Source Guard enabled on all untrusted access switch ports, this is a finding.

Check Content Reference

M

Target Key

4071

Comments