Check: CISC-RT-000235
Cisco IOS Switch RTR STIG:
CISC-RT-000235
(in versions v2 r5 through v2 r1)
Title
The Cisco switch must be configured to have Cisco Express Forwarding enabled. (Cat II impact)
Discussion
The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations such as a SYN flood attacks that. Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply to, there can be a substantial amount of traffic for a large number of destinations that the switch will have to handle. Consequently, switches configured for CEF will perform better under SYN floods directed at hosts inside the network than switches using the traditional cache.
Check Content
Review the switch to verify that CEF is enabled. IPv4 Example: ip cef IPv6 Example: ipv6 cef If the switch is not configured to have CEF enabled, this is a finding.
Fix Text
Enable CEF IPv4 Example: ip cef IPv6 Example: ipv6 cef
Additional Identifiers
Rule ID: SV-237749r648775_rule
Vulnerability ID: V-237749
Group Title: SRG-NET-000512-RTR-000100
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |