STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces.

DISA Rule

SV-221098r622190_rule

Vulnerability Number

V-221098

Group Title

SRG-NET-000364-RTR-000112

Rule Version

CISC-RT-000380

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

Disable Proxy ARP on all external interfaces as shown in the example below:

SW1(config)#int e2/2
SW1(config-if)# no ip proxy-arp
SW1(config-if)# end

Check Contents

Review the switch configuration to determine if IP Proxy ARP is enabled on any external interface as shown in the example below:

interface Ethernet2/2
description link to DISN
no switchport
ip address x.1.12.2/24
ip proxy-arp
no shutdown

Note: By default Proxy ARP is disabled on all interfaces.

If IP Proxy ARP is enabled on any external interface, this is a finding.

Vulnerability Number

V-221098

Documentable

False

Rule Version

CISC-RT-000380

Severity Override Guidance

Review the switch configuration to determine if IP Proxy ARP is enabled on any external interface as shown in the example below:

interface Ethernet2/2
description link to DISN
no switchport
ip address x.1.12.2/24
ip proxy-arp
no shutdown

Note: By default Proxy ARP is disabled on all interfaces.

If IP Proxy ARP is enabled on any external interface, this is a finding.

Check Content Reference

M

Target Key

4075

Comments