STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The Cisco switch must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.

DISA Rule

SV-237754r648783_rule

Vulnerability Number

V-237754

Group Title

SRG-NET-000512-RTR-000012

Rule Version

CISC-RT-000236

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to advertise a hop limit of at least 32 in Router Advertisement messages as shown in the example.

SW1(config)# interface e2/1 - 2
SW1(config-if-range)# ipv6 nd hop-limit 32
SW1(config-if-range)# end

Check Contents

Review the switch configuration to determine if the hop limit has been configured for Router Advertisement messages for all internal interfaces as shown in the example.

interface Ethernet2/1
no switchport
ipv6 address 2001::1:0:1/64
ipv6 nd hop-limit 32
no shutdown

interface Ethernet2/2
no switchport
ipv6 address 2001::1:1:1/64
ipv6 nd hop-limit 32
no shutdown

If hop-limit has been configured and has not been set to at least 32, it is a finding.
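The check above is a manual review of the running configuration. The following script is an added example, not part of the STIG or of STIGQter, that automates the same review: it reads text in the format of NX-OS `show running-config`, takes every interface carrying an `ipv6 address` as an internal IPv6 interface in scope (an assumption of this example), and applies the rule exactly as the check states it, so an interface whose `ipv6 nd hop-limit` is set below 32 is reported as a finding, while an interface with no explicit hop-limit is reported separately for the reviewer to confirm against the device default. The configuration text below is constructed for the example and uses documentation addresses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of NX-OS "show running-config" output (not a real device).
# Ethernet2/1 is compliant, Ethernet2/2 is set below 32, Ethernet2/3 has no
# explicit hop-limit, and mgmt0 / Ethernet2/4 carry no IPv6 address at all.
SAMPLE_CONFIG = """\
interface mgmt0
  ip address 192.0.2.10/24

interface Ethernet2/1
  no switchport
  ipv6 address 2001:db8::1:0:1/64
  ipv6 nd hop-limit 32
  no shutdown

interface Ethernet2/2
  no switchport
  ipv6 address 2001:db8::1:1:1/64
  ipv6 nd hop-limit 16
  no shutdown

interface Ethernet2/3
  no switchport
  ipv6 address 2001:db8::1:2:1/64
  no shutdown

interface Ethernet2/4
  switchport
  switchport access vlan 10
"""

MIN_HOP_LIMIT = 32  # minimum required by CISC-RT-000236


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split running-config text into {interface name: [sub-command lines]}.

    A block starts at a top-level "interface <name>" line and ends at the next
    blank line or the next "interface" line. Sub-command indentation is not
    required, so both real NX-OS output and flattened copies are accepted.
    """
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line closes the current block
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if current is not None:
            interfaces[current].append(line)
    return interfaces


def hop_limit(lines: List[str]) -> Optional[int]:
    """Return the configured 'ipv6 nd hop-limit' value, or None if absent."""
    for line in lines:
        m = re.match(r"^ipv6 nd hop-limit (\d+)$", line)
        if m:
            return int(m.group(1))
    return None


def audit(config: str) -> Dict[str, str]:
    """Evaluate every IPv6 interface against the hop-limit rule."""
    results: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("ipv6 address") for l in lines):
            continue                # no IPv6 address: out of scope for this check
        hl = hop_limit(lines)
        if hl is None:
            results[name] = "not configured (confirm device default)"
        elif hl >= MIN_HOP_LIMIT:
            results[name] = "compliant"
        else:
            results[name] = f"finding: hop-limit {hl} is below {MIN_HOP_LIMIT}"
    return results


def findings(config: str) -> List[str]:
    """Names of interfaces that are findings under the check text."""
    return sorted(n for n, s in audit(config).items() if s.startswith("finding"))


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIG).items():
        print(f"{name:12s} {status}")
```

Run it against a saved `show running-config` by replacing `SAMPLE_CONFIG` with the file contents; only the interfaces reported as findings fail the check as written, and the "not configured" entries are there so the reviewer can decide whether the platform default satisfies the 32 minimum.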

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4075

Comments