SV-19313r1_rule
V-17836
Management traffic is not classified and marked
NET1007
CAT III
10
When management traffic must traverse several nodes to reach the management network, classify and mark it at the nearest upstream multilayer switch (MLS) or router so that the marking is carried through the intervening hops, for example:
class-map match-all MANAGEMENT-TRAFFIC
 match access-group name CLASSIFY-MANAGEMENT-TRAFFIC
!
policy-map DIST-LAYER-POLICY
 class MANAGEMENT-TRAFFIC
  set ip dscp 48
!
interface FastEthernet0/0
 description link to LAN1
 ip address 192.168.1.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/1
 description link to LAN2
 ip address 192.168.2.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/2
 description link to core
 ip address 192.168.13.1 255.255.255.0
!
ip access-list extended CLASSIFY-MANAGEMENT-TRAFFIC
 permit ip any 10.2.2.0 0.0.0.255
Note: Traffic is marked with the set command inside a policy map. For DSCP rewrite, if a packet encounters both an input and an output classification policy, the output policy takes precedence; if there is no output policy, the input policy's marking stands.
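The configuration above applies the marking, but the rule still has to be verified against a device's running configuration. The following Python auditor is an added example, not part of the STIG text: it parses an IOS-style configuration, confirms that a class-map references the management ACL, that a policy-map sets DSCP 48 (CS6) for that class, and reports which interfaces apply that policy inbound and which do not. It also lists any output service-policy on an interface, since per the note above an output policy would take precedence over the inbound marking. The embedded configuration is constructed from this rule's fix text; the ACL name CLASSIFY-MANAGEMENT-TRAFFIC is passed in as the management ACL to look for.

```python
"""Audit an IOS-style running-config for management-traffic DSCP marking.

Added example for this rule (not STIG or vendor code). SAMPLE_CONFIG is
constructed from the fix text; the core-facing interface is intentionally
left without a policy, as in the original.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
class-map match-all MANAGEMENT-TRAFFIC
 match access-group name CLASSIFY-MANAGEMENT-TRAFFIC
!
policy-map DIST-LAYER-POLICY
 class MANAGEMENT-TRAFFIC
  set ip dscp 48
!
interface FastEthernet0/0
 description link to LAN1
 ip address 192.168.1.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/1
 description link to LAN2
 ip address 192.168.2.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/2
 description link to core
 ip address 192.168.13.1 255.255.255.0
!
ip access-list extended CLASSIFY-MANAGEMENT-TRAFFIC
 permit ip any 10.2.2.0 0.0.0.255
"""

# CS6 (decimal 48) is the marking the fix text uses for management traffic.
MANAGEMENT_DSCP = {"48", "cs6"}


def parse_blocks(config: str) -> List[List[str]]:
    """Split a config into top-level blocks: [header, child, child, ...].

    A line that starts with whitespace belongs to the preceding header;
    blank lines and '!' separators are dropped.
    """
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            if current:
                current.append(raw.strip())
        else:
            if current:
                blocks.append(current)
            current = [raw.strip()]
    if current:
        blocks.append(current)
    return blocks


def audit_management_marking(config: str, mgmt_acl: str) -> Dict[str, object]:
    """Resolve ACL -> class-map -> policy-map -> interface and report gaps."""
    blocks = parse_blocks(config)

    acl_defined = any(b[0] == f"ip access-list extended {mgmt_acl}" for b in blocks)

    # class-maps whose match clause references the management ACL
    mgmt_classes = {
        b[0].split()[-1]
        for b in blocks
        if b[0].startswith("class-map ")
        and f"match access-group name {mgmt_acl}" in b[1:]
    }

    # policy-maps that set DSCP 48/CS6 under one of those classes
    marking_policies = set()
    for b in blocks:
        if not b[0].startswith("policy-map "):
            continue
        policy = b[0].split()[1]
        current_class = None
        for line in b[1:]:
            if line.startswith("class "):
                current_class = line.split()[1]
                continue
            m = re.match(r"set (?:ip )?dscp (\S+)", line)
            if m and current_class in mgmt_classes and m.group(1).lower() in MANAGEMENT_DSCP:
                marking_policies.add(policy)

    marked: List[str] = []
    unmarked: List[str] = []
    output_policies: Dict[str, List[str]] = {}
    for b in blocks:
        if not b[0].startswith("interface "):
            continue
        ifname = b[0].split(None, 1)[1]
        inbound = [l.split()[2] for l in b[1:] if l.startswith("service-policy input ")]
        outbound = [l.split()[2] for l in b[1:] if l.startswith("service-policy output ")]
        (marked if any(p in marking_policies for p in inbound) else unmarked).append(ifname)
        if outbound:  # an output policy would override the inbound DSCP rewrite
            output_policies[ifname] = outbound

    return {
        "acl_defined": acl_defined,
        "classes": sorted(mgmt_classes),
        "marking_policies": sorted(marking_policies),
        "marked_interfaces": marked,
        "unmarked_interfaces": unmarked,
        "output_policies": output_policies,
    }


if __name__ == "__main__":
    for key, value in audit_management_marking(SAMPLE_CONFIG, "CLASSIFY-MANAGEMENT-TRAFFIC").items():
        print(f"{key}: {value}")
```

Run against the sample, the auditor reports FastEthernet0/0 and FastEthernet0/1 as marked and FastEthernet0/2 as unmarked; whether the unmarked core-facing link is a finding is a judgement for the reviewer, since marking is expected where management traffic enters, not on every link. Replacing `set ip dscp 48` with any other value empties the list of marking policies, so a policy that classifies the traffic but marks it wrongly is caught rather than silently accepted.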
V-17836
False
NET1007
M
Information Assurance Officer
510