no ip identd missing in Catalyst 9300 Switch IOS-XE 17.x

x1nwei
Level 1

Hi,

There is a vulnerability in ip identd for Cisco IOS and IOS-XE. However, when I tried configuring "no ip identd", the switch returned "invalid command". The latest version of the CIS benchmark, released in Jun 24, still checks for this command, and with the audit file the compliance scan flagged the switch as non-compliant since "no ip identd" is missing.

Is there any documentation that states this command has been deprecated? My Compliance Team is requesting official documentation to prove that it is indeed no longer available on the switch.

Thank you.

10 Replies

https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20190925-identd-dos.html

IOS XE must support this command, as per the link above.

MHM

Giuseppe Larosa
Hall of Fame

Hello @x1nwei ,

The link provided by @MHM Cisco World says that ip identd is disabled by default.

you can try to use

show run all | inc identd

This demonstrates that the service is disabled with the default configuration.

Hope to help

Giuseppe


Hi @MHM Cisco World and @Giuseppe Larosa,

Thanks and appreciate the replies provided.
The link provided and also the CIS benchmark are the reason why I am trying to disable ip identd.

I performed show run all and looked at every line, and there is no ip identd command in it.

rgds,

jason

Hello @x1nwei ,

What IOS XE version is running on the Catalyst 9300 ?

It looks like the command has been removed if you don't see it in show run all.

Hope to help

Giuseppe


Hi,

The 9300 switch is running 17.9.x firmware.

I suspect that the command has been removed, but the link on the ip identd vuln on IOS-XE and the lack of documentation on the removal of the command make it hard to justify to my IT compliance team that the setting is no longer valid, since they are looking at the compliance report that is based on the CIS benchmark (the most recent release, in Jun 24, still checks for it).

Wondering if Cisco internal departments ever communicate with each other on these types of matters…

Rgds,
Xin wei

billburns
Level 1

My switches are running 17.12.4 and I too am going through a CIS audit requiring proof that I have turned off a command that does not exist anymore. I am going to open a TAC case and ask for evidence and documentation to present to my auditors. I cannot find docs other than this forum chat that state it was removed from IOS code.

hostname_test(config)#ip ident
% Invalid input detected at '^' marker.

hostname_test(config)#no ip ident
% Invalid input detected at '^' marker.


@billburns wrote:

My switches are running 17.12.4 and I too am going through a CIS audit requiring proof that I have turned off a command that does not exist anymore. I am going to open a TAC case and ask for evidence and documentation to present to my auditors. I cannot find docs other than this forum chat that state it was removed from IOS code.

hostname_test(config)#ip ident
% Invalid input detected at '^' marker.

hostname_test(config)#no ip ident
% Invalid input detected at '^' marker.


So, you've self-documented: the command is no longer recognized by the command line, and the earlier referenced bug notes the feature is disabled by default. What you might otherwise try is to connect to the ident port on one of your switches and see if it fails.
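The port-level check suggested in the reply above, written out as an added example (this is not code from the thread, from Cisco, or from the CIS audit file): a small Python probe that connects to TCP/113 on a device's management address, sends one RFC 1413 query and reports whether the port is closed (RST), filtered (no answer at all) or open (something accepted and possibly answered). The host argument, the placeholder port pair in the query and the loopback stand-in server are assumptions made so the block runs offline; on a switch whose software has no identd, the probe should land in the "closed" or "filtered" bucket, which is evidence an auditor can file next to the "% Invalid input" transcript.

```python
import socket
import threading
from dataclasses import dataclass

IDENT_PORT = 113  # RFC 1413 "Identification Protocol"


@dataclass
class ProbeResult:
    state: str   # "open", "closed", "filtered" or "error"
    detail: str  # reason, or the first line the peer answered


def probe_identd(host: str, port: int = IDENT_PORT, timeout: float = 3.0,
                 server_port: int = 22, client_port: int = 50000) -> ProbeResult:
    """Connect to the ident port and send one RFC 1413 query.

    The query is "<server-port> , <client-port>" naming a TCP session the peer
    is supposed to know about; the pair used here is a placeholder, because the
    only question is whether anything on the far side accepts and answers.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            try:
                data = sock.recv(512)
            except socket.timeout:
                return ProbeResult("open", "connected, but no reply to the ident query")
            if not data:
                return ProbeResult("open", "connected; peer closed without replying")
            return ProbeResult("open", data.decode("ascii", "replace").strip())
    except ConnectionRefusedError:
        return ProbeResult("closed", "connection refused (RST): nothing listens on the port")
    except socket.timeout:
        return ProbeResult("filtered", "connect timed out: SYN dropped by an ACL or the host")
    except OSError as exc:
        return ProbeResult("error", str(exc))


# --- loopback stand-ins so the probe can be exercised offline (demo only) ---

def start_fake_identd(reply: bytes = b"22 , 50000 : ERROR : NO-USER\r\n") -> int:
    """Listen once on 127.0.0.1, answer one ident query, then close.

    Models a host that still runs an ident daemon; it is a constructed stand-in,
    not a claim about how any Cisco platform behaves.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(512)      # consume the query line
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_loopback_port() -> int:
    """Pick a loopback port nothing listens on, to show the 'closed' outcome."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: python probe_identd.py <device-mgmt-ip>
        print(probe_identd(sys.argv[1]))
    else:
        print("answering host :", probe_identd("127.0.0.1", start_fake_identd()))
        print("closed port    :", probe_identd("127.0.0.1", unused_loopback_port()))
```

A "filtered" result is weaker evidence than "closed": it also appears when a management ACL or control-plane policy drops the SYN, so run the probe from a host that is allowed to reach the management plane, or pair it with the `show run all` check, before writing "not listening" in the audit record.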

x1nwei
Level 1

Just an update on this situation: I spoke to Cisco TAC, and they mentioned that if the result is as @billburns has shown, then it is not supported.

I further asked whether IOS-XE as a whole does not support ip identd or just specific firmware versions, since the last thing anyone wants is for the command to appear available again after patching. The reply from TAC was that ip identd is not supported on Cisco IOS-XE.

BUT it was later found out that the ASR, which also runs IOS-XE, still has the ip identd command. Just want to say that even though Cisco TAC may say it has been removed, it is still advisable to perform your own check on the different Cisco product lines that run IOS-XE.

Yes, it is definitely platform dependent for this command. It wasn't on my Cat9300, but on my SDWAN routers I have the command on IOS-XE running 17.12.3a.

hostname-4331#sho run | inc ip identd
hostname-4331#sho run all | inc ip identd
no ip identd
hostname-4331#

"Trust but verify".

I.e. the only way to know for sure, is test.
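The `show run all | inc identd` check from @Giuseppe Larosa's reply and the 4331 output in the last post reduce to one classification an audit script can make from the full default configuration. The Python below is an added example (not part of the thread, and not a CIS or Cisco audit file): it distinguishes `ip identd` present (enabled), `no ip identd` present (supported but disabled, the 4331 case) and no `identd` line at all (the command is not in that platform's configuration tree, the Cat9300 case), and records which of the three it saw rather than silently passing or failing. The sample outputs are constructed for the example, not captures from the posters' devices.

```python
import re
from typing import List, NamedTuple

# The one line 'show running-config all' prints for this feature, in either
# of the forms IOS/IOS-XE renders a default: 'ip identd' or 'no ip identd'.
IDENTD_LINE = re.compile(r"^\s*(?P<neg>no\s+)?ip\s+identd\s*$", re.MULTILINE)


class IdentdFinding(NamedTuple):
    state: str       # "enabled", "disabled" or "absent"
    compliant: bool  # the benchmark's intent is only that identd must not run
    evidence: str    # text to paste into the audit record


def include(show_output: str, pattern: str) -> List[str]:
    """Mimic the IOS '| include <pattern>' filter over captured CLI output."""
    rx = re.compile(pattern)
    return [ln.rstrip() for ln in show_output.splitlines() if rx.search(ln)]


def identd_state(show_run_all: str) -> IdentdFinding:
    """Classify the identd service from 'show running-config all' output."""
    hits = list(IDENTD_LINE.finditer(show_run_all))
    if not hits:
        return IdentdFinding(
            "absent", True,
            "no 'identd' line in 'show running-config all': the command is not "
            "present in this platform's configuration tree")
    lines = [m.group(0).strip() for m in hits]
    if any(m.group("neg") is None for m in hits):
        return IdentdFinding("enabled", False, "; ".join(lines))
    return IdentdFinding("disabled", True, "; ".join(lines))


# Constructed sample outputs (not captures from the devices in the thread).
CAT9300_17_9 = """\
service timestamps debug datetime msec
service timestamps log datetime msec
no ip finger
ip domain lookup
ip http server
ip http secure-server
"""

ISR4331_17_12 = """\
service timestamps debug datetime msec
no ip finger
ip domain lookup
no ip identd
ip http server
"""

LEGACY_ENABLED = """\
service timestamps log datetime msec
ip identd
ip domain lookup
"""


if __name__ == "__main__":
    for name, output in (("Cat9300 17.9.x", CAT9300_17_9),
                         ("ISR4331 17.12.x", ISR4331_17_12),
                         ("legacy (enabled)", LEGACY_ENABLED)):
        finding = identd_state(output)
        print(f"{name:18} | inc identd -> {include(output, 'identd')}")
        print(f"{'':18} state={finding.state} compliant={finding.compliant}")
        print(f"{'':18} evidence: {finding.evidence}")
```

The "absent" state is the one the compliance tool in this thread cannot express: a check that literally greps for `no ip identd` fails on a 9300 even though nothing can be enabled. Because the script keeps "absent" separate from "disabled", the same run on an ASR or an ISR 4331 reports "disabled" instead, which is exactly the platform difference the TAC answer glossed over. Absence from `show run all` only shows the keyword is not in that release's parser, so file it together with `show version`, the "% Invalid input" transcript and a connection test against TCP/113.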