STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


VMware NSX-T Tier-0 Gateway RTR Security Technical Implementation Guide

Version: V1R2

Benchmark ID: VMW_NSX-T_T-0_RTR_STIG

Total Checks: 16

Tags: vmware

Severity: CAT I: 2, CAT II: 9, CAT III: 5

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (16)

  • V-251744 (MEDIUM): The NSX-T Tier-0 Gateway must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
  • V-251745 (MEDIUM): The NSX-T Tier-0 Gateway must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
  • V-251746 (LOW): The NSX-T Tier-0 Gateway must be configured to have all inactive interfaces removed.
  • V-251747 (LOW): The NSX-T Tier-0 Gateway must be configured to have the DHCP service disabled if not in use.
  • V-251748 (MEDIUM): The NSX-T Tier-0 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
  • V-251749 (HIGH): The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself.
  • V-251750 (HIGH): Unicast Reverse Path Forwarding (uRPF) must be enabled on the NSX-T Tier-0 Gateway.
  • V-251751 (MEDIUM): The NSX-T Tier-0 Gateway must be configured to implement message authentication for all control plane protocols.
  • V-251752 (MEDIUM): The NSX-T Tier-0 Gateway must be configured to use a unique key for each autonomous system (AS) with which it peers.
  • V-251753 (MEDIUM): The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
  • V-251754 (MEDIUM): The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
  • V-251755 (MEDIUM): The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
  • V-251756 (MEDIUM): The NSX-T Tier-0 Gateway must be configured to use the BGP maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
  • V-251757 (LOW): The NSX-T Tier-0 Gateway must be configured to use its loopback address as the source address for iBGP peering sessions.
  • V-251758 (LOW): The NSX-T Tier-0 Gateway must be configured to have routing protocols disabled if not in use.
  • V-251759 (LOW): The NSX-T Tier-0 Gateway must be configured to have multicast disabled if not in use.