Check: CISC-L2-000150
Cisco IOS XE Switch L2S STIG:
CISC-L2-000150
(in versions v2 r5 through v1 r0.1)
Title
The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. (Cat II impact)
Discussion
DAI intercepts Address Resolution Protocol (ARP) requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
Check Content
Review the switch configuration to verify that Dynamic Address Resolution Protocol (ARP) Inspection (DAI) feature is enabled on all user VLANs. hostname SW2 … … … ip arp inspection vlan 2,4-8,11 Note: DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. If DAI is not enabled on all user VLANs, this is a finding.
Fix Text
Configure the switch to have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs as shown in the example below: SW2(config)#ip arp inspection vlan 2,4-8,11
Additional Identifiers
Rule ID: SV-220661r929003_rule
Vulnerability ID: V-220661
Group Title: SRG-NET-000362-L2S-000027
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 |
Denial Of Service Protection |