STIGQter: STIG Summary: Infrastructure Router Security Technical Implementation Guide Cisco, Version 8, Release 29, Benchmark Date 25 Jan 2019: Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.

DISA Rule

SV-19313r1_rule

Vulnerability Number

V-17836

Group Title

Management traffic is not classified and marked

Rule Version

NET1007

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.

Check Contents

class-map match-all MANAGEMENT-TRAFFIC
 match access-group name CLASSIFY-MANAGEMENT-TRAFFIC
!
policy-map DIST-LAYER-POLICY
 class MANAGEMENT-TRAFFIC
  set ip dscp 48
!
interface FastEthernet0/0
 description link to LAN1
 ip address 192.168.1.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/1
 description link to LAN2
 ip address 192.168.2.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/2
 description link to core
 ip address 192.168.13.1 255.255.255.0
!
ip access-list extended CLASSIFY-MANAGEMENT-TRAFFIC
 permit ip any 10.2.2.0 0.0.0.255

Note: Traffic is marked using the set command in a policy map. For DSCP rewrite, if a packet encounters both an input and an output classification policy, the output policy has precedence. If there is no output policy, then the input policy has precedence.
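The check above is a manual review of four linked pieces of configuration: the ACL that identifies management traffic, the class-map that matches it, the policy-map that sets the DSCP value, and the service-policy that applies the policy-map inbound on the interfaces facing the managed nodes. The following script is an added example (not part of the STIG text or of STIGQter) that automates that walk over a saved running-config: it parses the four sections, confirms the chain is complete, lists the interfaces where marking is applied and those with an IP address but no inbound policy, and records any output service-policy on a marking interface because, per the note, an output policy takes precedence for DSCP rewrite. The sample configurations are constructed, modeled on the check content above, and the function and variable names are my own.

```python
"""Static check of a Cisco IOS config for the NET1007 marking chain:
ACL -> class-map -> policy-map 'set ip dscp' -> 'service-policy input'.
Added example; the sample configs are constructed and not from any real device."""
import re

# Symbolic DSCP names IOS accepts in 'set ip dscp' (RFC 2474 class selectors, RFC 3246 EF).
DSCP_NAMES = {f"cs{i}": i * 8 for i in range(8)}
DSCP_NAMES["ef"] = 46

def dscp_value(token):
    """Normalise a DSCP token ('48', 'cs6') to its integer code point."""
    return DSCP_NAMES[token] if token in DSCP_NAMES else int(token)

def parse_ios_config(text):
    """Keyword-driven parser, so it works whether or not the config is indented."""
    cfg = {"acls": {}, "class_maps": {}, "policy_maps": {}, "interfaces": {}}
    section, policy_class = None, None        # current top-level block and policy-map class
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":           # '!' terminates a block in IOS output
            section, policy_class = None, None
            continue
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
            section = ("acls", m.group(1)); cfg["acls"][m.group(1)] = []
        elif m := re.match(r"class-map(?: match-(?:all|any))? (\S+)", line):
            section = ("class_maps", m.group(1)); cfg["class_maps"][m.group(1)] = []
        elif m := re.match(r"policy-map (\S+)", line):
            section = ("policy_maps", m.group(1)); cfg["policy_maps"][m.group(1)] = {}
            policy_class = None
        elif m := re.match(r"interface (\S+)", line):
            section = ("interfaces", m.group(1))
            cfg["interfaces"][m.group(1)] = {"description": "", "ip": None,
                                             "service_policy_input": None,
                                             "service_policy_output": None}
        elif section is None:
            continue                          # global command outside the blocks we care about
        else:
            kind, name = section
            if kind == "policy_maps":
                if m := re.match(r"class (\S+)", line):
                    policy_class = m.group(1)
                    cfg["policy_maps"][name][policy_class] = []
                elif policy_class:
                    cfg["policy_maps"][name][policy_class].append(line)   # e.g. 'set ip dscp 48'
            elif kind == "interfaces":
                intf = cfg["interfaces"][name]
                if m := re.match(r"description (.*)", line):
                    intf["description"] = m.group(1)
                elif m := re.match(r"ip address (\S+) (\S+)", line):
                    intf["ip"] = (m.group(1), m.group(2))
                elif m := re.match(r"service-policy (input|output) (\S+)", line):
                    intf["service_policy_" + m.group(1)] = m.group(2)
            else:                             # ACL entries and class-map match lines
                cfg[kind][name].append(line)
    return cfg

def check_net1007(cfg):
    """Report every complete marking chain plus the gaps a reviewer must resolve."""
    chains, findings = [], []
    for pname, classes in cfg["policy_maps"].items():
        for cname, actions in classes.items():
            dscps = [dscp_value(m.group(1)) for a in actions
                     if (m := re.match(r"set (?:ip )?dscp (\S+)", a))]
            if not dscps:
                continue                      # this class does not mark; not our concern here
            if cname not in cfg["class_maps"]:
                findings.append(f"policy-map {pname} references undefined class-map {cname}")
                continue
            for ml in cfg["class_maps"][cname]:
                if not (m := re.match(r"match access-group name (\S+)", ml)):
                    continue
                acl = m.group(1)
                if not any(e.startswith("permit") for e in cfg["acls"].get(acl, [])):
                    findings.append(f"class-map {cname} matches ACL {acl}, which is missing or permits nothing")
                    continue
                applied = sorted(i for i, d in cfg["interfaces"].items()
                                 if d["service_policy_input"] == pname)
                if not applied:
                    findings.append(f"policy-map {pname} marks {cname} but is not applied as an input service-policy")
                    continue
                # An output policy on the same interface wins for DSCP rewrite; surface it for review.
                outputs = {i: cfg["interfaces"][i]["service_policy_output"]
                           for i in applied if cfg["interfaces"][i]["service_policy_output"]}
                chains.append({"policy": pname, "class": cname, "acl": acl, "dscp": dscps[0],
                               "interfaces": applied, "output_policies": outputs})
    unmarked = sorted(i for i, d in cfg["interfaces"].items() if d["ip"] and not d["service_policy_input"])
    return {"compliant": bool(chains), "chains": chains,
            "unmarked_interfaces": unmarked, "findings": findings}

# Constructed sample, modeled on the STIG check content (not a real device's config).
SAMPLE_CONFIG = """
class-map match-all MANAGEMENT-TRAFFIC
 match access-group name CLASSIFY-MANAGEMENT-TRAFFIC
!
policy-map DIST-LAYER-POLICY
 class MANAGEMENT-TRAFFIC
  set ip dscp 48
!
interface FastEthernet0/0
 description link to LAN1
 ip address 192.168.1.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/1
 description link to LAN2
 ip address 192.168.2.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/2
 description link to core
 ip address 192.168.13.1 255.255.255.0
!
ip access-list extended CLASSIFY-MANAGEMENT-TRAFFIC
 permit ip any 10.2.2.0 0.0.0.255
"""
# Same config with the service-policy lines dropped: marking is defined but never applied.
SAMPLE_NO_POLICY = "\n".join(l for l in SAMPLE_CONFIG.splitlines() if "service-policy" not in l)

if __name__ == "__main__":
    for label, text in (("compliant", SAMPLE_CONFIG), ("not applied", SAMPLE_NO_POLICY)):
        print(label, check_net1007(parse_ios_config(text)))
```

The report deliberately does not fail the rule for an interface without an inbound policy (the core-facing link in the check content has none), because only the reviewer knows which interfaces carry traffic from managed nodes; it lists them under unmarked_interfaces so that decision is explicit. A non-empty output_policies entry is the cue to verify that the output policy does not reset the DSCP set on ingress.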

Vulnerability Number

V-17836

Documentable

False

Rule Version

NET1007

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

510

Comments