STIGQter: STIG Summary: Infrastructure Router Security Technical Implementation Guide Cisco Version: 8 Release: 29 Benchmark Date: 25 Jan 2019: Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.

DISA Rule

SV-19313r1_rule

Vulnerability Number

V-17836

Group Title

Management traffic is not classified and marked

Rule Version

NET1007

Severity

CAT III

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.

Check Contents

class-map match-all MANAGEMENT-TRAFFIC
match access-group name CLASSIFY-MANAGEMENT-TRAFFIC
!
policy-map DIST-LAYER-POLICY
class MANAGEMENT-TRAFFIC
set ip dscp 48
!
interface FastEthernet0/0
description link to LAN1
ip address 192.168.1.1 255.255.255.0
service-policy input DIST-LAYER-POLICY
interface FastEthernet0/1
description link to LAN2
ip address 192.168.2.1 255.255.255.0
service-policy input DIST-LAYER-POLICY
interface FastEthernet0/2
description link to core
ip address 192.168.13.1 255.255.255.0
!
ip access-list extended CLASSIFY-MANAGEMENT-TRAFFIC
permit ip any 10.2.2.0 0.0.0.255

Note: Traffic is marked using the set command in a policy map. For DSCP rewrite, if a packet encounters both input and output classification policy, the output policy has precedence. If there is no output policy, then the input policy has precedence.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Responsibility

Target Key

Comments