An error occurred:

Cisco IOS Switch RTR STIG Version Comparison

Cisco IOS Switch RTR Security Technical Implementation Guide

Comparison

There are 5 differences between versions v2 r5 (Oct. 25, 2023) (the "left" version) and v3 r2 (Oct. 1, 2025) (the "right" version).

Check CISC-RT-000394 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Text Differences

Title

The Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.

Check Content

This requirement is not applicable for the DODIN Backbone. Review the switch configuration to determine if it is compliant with this requirement. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. interface gigabitethernet1/0 ipv6 address 2001::1:0:22/64 ipv6 traffic-filter FILTER_IPV6 in Step in Step 2: Verify that the ACL drops IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address) as shown in the example below. ipv6 access-list FILTER_IPV6 deny hbh any any dest-option-type dest-option 4 log deny hbh any any dest-option-type 195 log deny hbh any any dest-option-type home-address log permit ipv6 deny ipv6 any any log If log Note: Cisco has deprecated the dest-option-type command used to filter by option type within Hop-by-Hop header. Therefore, all packets with the Hop-by-Hop header option types must be dropped. If the switch is not configured to drop IPv6 packets containing a Hop-by-Hop header with invalid destination option options, type values, this is a finding.

Discussion

These options are intended to be for the Destination Options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that it cannot recognize and hence could cause a Denial-of-Service on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large.

Fix

Configure the switch to drop Drop IPv6 packets containing a Hop-by-Hop header with invalid option type values as shown in the example below. SW1(config)#ipv6 access-list FILTER_IPV6 SW1(config-ipv6-acl)#deny hbh any any dest-option-type dest-option 4 log SW1(config-ipv6-acl)#deny hbh any any dest-option-type 195 log SW1(config-ipv6-acl)#deny hbh any any dest-option-type home-address log SW1(config-ipv6-acl)# permit ipv6 … … … … SW1(config-ipv6-acl)#deny ipv6 any any log SW1(config-ipv6-acl)#exit SW1(config)#int g1/0 SW1(config-if)#ipv6 traffic-filter FILTER_IPV6 SW1(config-if)#end