Check: CISC-RT-000235
Cisco IOS XE Router RTR STIG:
CISC-RT-000235
(in versions v2 r6 through v2 r1)
Title
The Cisco router must be configured to have Cisco Express Forwarding enabled. (Cat II impact)
Discussion
The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations—such as SYN flood attacks. Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply to, there can be a substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache.
Check Content
Review the router to verify that CEF is enabled. IPv4 Example: ip cef IPv6 Example: ipv6 cef
Fix Text
Enable CEF IPv4 Example: ip cef IPv6 Example: ipv6 cef
Additional Identifiers
Rule ID: SV-229031r802615_rule
Vulnerability ID: V-229031
Group Title: SRG-NET-000512-RTR-000100
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |