Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
311
Views
0
Helpful
5
Replies

no ip identd missing in Catalyst 9300 Switch IOS-XE 17.x

x1nwei
Level 1
Level 1

‎07-16-2024 11:51 AM

Hi,

There is a vulnerability on ip identd for Cisco IOS and IOS-XE. However, when I tried configuring "no ip identd", switch return invalid command. Latest version of CIS benchmark released in Jun 24 are still checking on this command and with the audit file, Compliance scan flagged out as non-compliant since no ip identd is missing..

Is there any documentation that state of this command being deprecated? My Compliance Team is requesting for official documentation to prove that it is indeed no longer available on switch.

Thank you.

Labels:
0 Helpful
5 Replies 5

MHM Cisco World
VIP
VIP

‎07-16-2024 12:03 PM

https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20190925-identd-dos.html

Ios xe must support this command as link above 

MHM

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎07-16-2024 12:56 PM - edited ‎07-16-2024 12:57 PM

Hello @x1nwei ,

the link provided by @MHM Cisco World  says the ip identd is disabled by default.

you can try to use

show run all | inc identd

this to demonstrate the service is disabled with default configuration.

Hope to help

Giuseppe

 

0 Helpful

x1nwei
Level 1
Level 1
In response to Giuseppe Larosa

‎07-17-2024 05:46 PM

Hi @MHM Cisco World and @Giuseppe Larosa,

Thanks and appreciate the replies provided.
The link provided and also CIS benchmark is the reason why I am trying to disable ip identd.

I performed show run all and looked at every line and there is no ip identd command in it..

rgds,

jason

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to x1nwei

‎07-18-2024 12:26 PM

Hello @x1nwei ,

What IOS XE version is running on the Catalyst 9300 ?

it looks like the command has been removed if you don't see it in the show run all

Hope to help

Giuseppe

 

0 Helpful

x1nwei
Level 1
Level 1
In response to Giuseppe Larosa

‎07-18-2024 03:34 PM

Hi,

The 9300 switch is running 17.9.x firmware.

Suspect that the command is removed but the link on the ip ident vuln on IOS-XE and the lack of documentation on the removal of command is making it hard to justify to my IT compliance team that the setting is no longer valid.. since they are looking at the compliance report that is based on CIS benchmark (the most recent release in jun 24 still check for it)

Wondering if Cisco internal department ever communicate with each other on these type of matters…

Rgds,
Xin wei

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card