DISA STIG Cisco NX-OS Switch RTR v2r1

CISC-RT-000010 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - bgp
CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - eigrp
CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - is-is
CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - ospf
CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - rip
CISC-RT-000030 - The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - bgp
CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - eigrp
CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - is-is
CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - ospf
CISC-RT-000040 - The Cisco switch must be configured to use encryption for routing protocol authentication - rip
CISC-RT-000050 - The Cisco switch must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
CISC-RT-000060 - The Cisco switch must be configured to have all inactive layer 3 interfaces disabled.
CISC-RT-000070 - The Cisco switch must be configured to have all non-essential capabilities disabled.
CISC-RT-000080 - The Cisco switch must not be configured to have any feature enabled that calls home to the vendor.
CISC-RT-000120 - The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
CISC-RT-000130 - The Cisco switch must be configured to restrict traffic destined to itself.
CISC-RT-000140 - The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself - external
CISC-RT-000140 - The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself - internal
CISC-RT-000150 - The Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces.
CISC-RT-000160 - The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces.
CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces - DODIN Backbone
CISC-RT-000170 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces - ip unreachables
CISC-RT-000190 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.
CISC-RT-000200 - The Cisco switch must be configured to log all packets that have been dropped at interfaces via an ACL.
CISC-RT-000236 - The Cisco switch must be configured to advertise a hop limit of at least 32 in Switch Advertisement messages for IPv6 stateless auto-configuration deployments.
CISC-RT-000237 - The Cisco switch must not be configured to use IPv6 Site Local Unicast addresses.
CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception - access-group in
CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception - deny rule