L3 STIG requirement help

TCookInvariant
Level 1

I posted a previous discussion in another community regarding a few requirements to make my Cisco C921-4P router/switch. Someone explained to me that some commands may not work with this platform, specifically the ones below.

 

  1. Disable Gratuitous ARP
  2. Disable switchport upon security violation

 

Both of these requirements have commands that can be entered. However, I am assuming that since this is a router/switch combo, either they have some workaround or they cannot be configured on this platform. If anyone has any input and can help with these, it would be greatly appreciated.

Accepted Solutions

Reza Sharifi
Hall of Fame

I think the 900 series routers are part of the ISR family that runs IOS-XE. So, for STIG requirements, there should be a command to disable Gratuitous ARP (no IP arp gratuitous). If it is not available, or issuing this command can cause operational issues, then that is what needs to be stated in the compliance document as the workaround. Regarding the second command, the ISRs mainly have routed ports, so not sure if you can add switch port-security parameters to the interfaces.

HTH
