STIGQter: STIG Summary: Infrastructure Router Security Technical Implementation Guide Cisco, Version 8, Release 29, Benchmark Date 25 Jan 2019: The routes from the two IGP domains are redistributed to each other.

DISA Rule

SV-19299r1_rule

Vulnerability Number

V-17816

Group Title

Routes from the two IGP domains are redistributed

Rule Version

NET0986

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa.

Check Contents

Verify that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa.


Route advertisements between two routing domains, such as OSPF and EIGRP, can only be shared via redistribution. Verify that there are no redistribute commands configured under the IGP domain for the management network that would enable distributing routes from the IGP domain of the managed network, or vice versa. The following would be an example of redistributing routes from EIGRP into OSPF.

router ospf 1
network 172.20.0.0
redistribute eigrp 12


IOS supports multiple instances of OSPF and EIGRP, each configured with its own process ID. Each EIGRP or OSPF process will run only on the interfaces of the networks specified. Each EIGRP process maintains a separate topology database; likewise, each OSPF process maintains a separate link-state database. Route advertisements between two processes can only be shared via redistribution. Verify that there are no redistribution commands that would distribute routes from the IGP routing domain for the management network into the IGP routing domain of the managed network, or vice versa. The following would be an example of redistributing routes from one EIGRP process into another EIGRP process.
!
router eigrp 15
network 172.20.0.0
!
router eigrp 10
network 10.0.0.0
redistribute eigrp 15

As an alternative, static routes can be used to forward management traffic to the OOBM interface; however, this method may not scale well.

If static routes are used to forward management traffic to the OOB backbone network, verify that the OOBM interface is not an IGP adjacency and that the correct destination prefix has been configured to forward the management traffic to the correct next-hop and interface for the static route. In the following configuration examples, 10.1.1.0/24 is the management network and 10.1.20.4 is the interface address of the OOB backbone router that the OOB gateway router connects to. The network 10.1.20.0/24 is the OOBM backbone.

interface Serial0/0
description to_OOBM_Backbone
ip address 10.1.20.3 255.255.255.0
interface Fastethernet 0/0
description to_our_PrivateNet
ip address 172.20.4.2 255.255.255.0
interface Fastethernet 0/1
description to_our_ServiceNet
ip address 172.20.5.2 255.255.255.0
!
router ospf 1
network 172.20.0.0
!
ip route 10.1.1.0 255.255.255.0 10.1.20.4 Serial0/0
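The check above can be run offline against a saved running-config. The following Python script is an added example, not part of the STIG or of STIGQter: it parses the `router ospf|eigrp` blocks, flags any `redistribute` that crosses the management/managed boundary, tests whether any `network` statement would make the OOBM interface an IGP adjacency (the static-route alternative), and looks up the static route for the management prefix. The sample configs are constructed from the fragments in the check text (with the OSPF `network` statements written in full wildcard/area form); which process ID carries the management network (EIGRP 15 in the sample) is an assumption the auditor supplies.

```python
"""Offline audit for NET0986 (V-17816): no route redistribution between the
management-network IGP and the managed-network IGP on a Cisco IOS router, plus
the static-route alternative (OOBM interface in no IGP, management prefix routed
out the OOBM interface). Added example; the configs are constructed samples and
the management-IGP mapping is an assumption the auditor supplies."""

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the STIG's two non-compliant fragments in one running-config.
NONCOMPLIANT_CONFIG = """\
router ospf 1
 network 172.20.0.0 0.0.255.255 area 0
 redistribute eigrp 12
!
router eigrp 15
 network 172.20.0.0
!
router eigrp 10
 network 10.0.0.0
 redistribute eigrp 15
!
"""

# Constructed sample: the STIG's static-route alternative, no redistribution at all.
COMPLIANT_CONFIG = """\
interface Serial0/0
 description to_OOBM_Backbone
 ip address 10.1.20.3 255.255.255.0
!
router ospf 1
 network 172.20.0.0 0.0.255.255 area 0
!
ip route 10.1.1.0 255.255.255.0 10.1.20.4 Serial0/0
"""

ROUTER_RE = re.compile(r"^router\s+(ospf|eigrp)\s+(\S+)")
REDIST_RE = re.compile(r"^redistribute\s+(ospf|eigrp)\s+(\S+)")
NETWORK_RE = re.compile(r"^network\s+(.+)$")
STATIC_RE = re.compile(r"^ip route\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")
TOP_LEVEL = {"interface", "ip", "line", "end", "hostname"}  # commands that end a router block


@dataclass
class IgpProcess:
    proto: str
    pid: str
    networks: list = field(default_factory=list)       # raw 'network ...' arguments
    redistributes: list = field(default_factory=list)  # (proto, pid) sources pulled in


def parse_igp_processes(config):
    """Return {(proto, pid): IgpProcess} for every 'router ospf|eigrp' block."""
    procs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROUTER_RE.match(line)
        if m:
            current = IgpProcess(m.group(1), m.group(2))
            procs[(current.proto, current.pid)] = current
            continue
        if line.startswith("!") or line.split()[0] in TOP_LEVEL:
            current = None  # '!' or another top-level command closes the block
            continue
        if current is None:
            continue
        if m := REDIST_RE.match(line):
            current.redistributes.append((m.group(1), m.group(2)))
        elif m := NETWORK_RE.match(line):
            current.networks.append(m.group(1))
    return procs


def cross_domain_redistribution(procs, management_igps):
    """Flag every redistribute whose source and target sit on different sides of
    the management/managed boundary; returns (source, target) process keys."""
    findings = []
    for target, proc in procs.items():
        for source in proc.redistributes:
            if (source in management_igps) != (target in management_igps):
                findings.append((source, target))
    return findings


def network_statement_covers(args, ip):
    """True if a 'network' argument string (classful 'A', or 'A WILDCARD [area N]')
    includes address ip, i.e. the IGP would run on that interface."""
    parts = args.split()
    if len(parts) >= 2 and parts[1][0].isdigit():
        wildcard = int(ipaddress.ip_address(parts[1]))
        mask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
        net = ipaddress.ip_network(f"{parts[0]}/{mask}", strict=False)
    else:  # classful: first octet decides /8, /16 or /24
        first = int(parts[0].split(".")[0])
        plen = 8 if first < 128 else 16 if first < 192 else 24
        net = ipaddress.ip_network(f"{parts[0]}/{plen}", strict=False)
    return ipaddress.ip_address(ip) in net


def igps_covering_oobm(procs, oobm_ip):
    """Processes whose network statements would make the OOBM interface an IGP adjacency."""
    return [key for key, p in procs.items()
            if any(network_statement_covers(n, oobm_ip) for n in p.networks)]


def static_routes_for(config, prefix):
    """(next_hop, interface) for each 'ip route' whose destination equals prefix."""
    want = ipaddress.ip_network(prefix)
    routes = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        try:
            dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        except ValueError:  # e.g. 'ip route vrf ...' forms this example does not parse
            continue
        if dest == want:
            routes.append((m.group(3), m.group(4)))
    return routes


if __name__ == "__main__":
    mgmt = {("eigrp", "15")}  # assumption: EIGRP 15 carries the management network
    bad = parse_igp_processes(NONCOMPLIANT_CONFIG)
    print("non-compliant redistribution:", cross_domain_redistribution(bad, mgmt))
    print("IGPs that would touch the OOBM interface:", igps_covering_oobm(bad, "10.1.20.3"))
    good = parse_igp_processes(COMPLIANT_CONFIG)
    print("compliant:", cross_domain_redistribution(good, mgmt),
          igps_covering_oobm(good, "10.1.20.3"),
          static_routes_for(COMPLIANT_CONFIG, "10.1.1.0/24"))
```

The direction of the finding follows the config's own semantics: `redistribute eigrp 15` under `router eigrp 10` pulls EIGRP 15 routes into EIGRP 10, so a finding is reported as (source, target). Redistribution between two processes on the same side of the boundary (EIGRP 12 into OSPF 1 when both are managed-network IGPs) is not a NET0986 finding, which is why the management mapping has to be supplied rather than inferred from the config.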

Vulnerability Number

V-17816

Documentable

False

Rule Version

NET0986

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

510

Comments