STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.

DISA Rule

SV-221097r622190_rule

Vulnerability Number

V-221097

Group Title

SRG-NET-000364-RTR-000111

Rule Version

CISC-RT-000370

Severity

CAT III

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

Disable CDP on all external interfaces via no cdp enable interface command or disable CDP globally via no cdp enable command.

Check Contents

Step 1: Verify CDP is not enabled globally via the command no cdp enable

By default CDP is enabled globally; hence, the command cdp enable will not be shown in the configuration. If CDP is enabled, proceed to Step 2.

Step 2: Verify CDP is not enabled on any external interface as shown in the example below:

interface Ethernet2/2
description link to DISN
no switchport
no cdp enable

Note: By default CDP is enabled on all interfaces if CDP is enabled globally.

If CDP is enabled on any external interface, this is a finding.

Vulnerability Number

V-221097

Documentable

False

Rule Version

CISC-RT-000370

Severity Override Guidance

Step 1: Verify CDP is not enabled globally via the command no cdp enable

By default CDP is enabled globally; hence, the command cdp enable will not be shown in the configuration. If CDP is enabled, proceed to Step 2.

Step 2: Verify CDP is not enabled on any external interface as shown in the example below:

interface Ethernet2/2
description link to DISN
no switchport
no cdp enable

Note: By default CDP is enabled on all interfaces if CDP is enabled globally.

If CDP is enabled on any external interface, this is a finding.

Check Content Reference

M

Target Key

4075

Comments