STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.

DISA Rule

SV-216716r531086_rule

Vulnerability Number

V-216716

Group Title

SRG-NET-000193-RTR-000112

Rule Version

CISC-RT-000780

Severity

CAT II

CCI(s)

• CCI-001095 - The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

Weight

10

Fix Recommendation

Step 1: Configure a class map for the SCAVENGER class.

R5(config)#class-map match-all SCAVENGER
R5(config-cmap)#match ip dscp cs1

Step 2: Add the SCAVENGER class to the policy map as shown in the example below:

R5(config)#policy-map QOS_POLICY
R5(config-pmap-c)#no class class-default
R5(config-pmap)#class SCAVENGER
R5(config-pmap-c)#bandwidth percent 5
R5(config-pmap-c)#class class-default
R5(config-pmap-c)#bandwidth percent 10
R5(config-pmap-c)#end

Check Contents

Review the router configuration to determine if it is configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks.

Step 1: Verify that a class map has been configured for the Scavenger class as shown in the example below.

class-map match-all SCAVENGER
match ip dscp cs1

Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below.

policy-map QOS_POLICY
class CONTROL_PLANE
priority percent 10
class C2_VOICE
priority percent 10
class VOICE
priority percent 15
class VIDEO
bandwidth percent 25
class PREFERRED_DATA
bandwidth percent 25
class SCAVENGER
bandwidth percent 5
class class-default
bandwidth percent 10

Note: Traffic out of profile must be marked at the customer access layer or CE egress edge.

If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.

Vulnerability Number

V-216716

Documentable

False

Rule Version

CISC-RT-000780

Severity Override Guidance

Review the router configuration to determine if it is configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks.

Step 1: Verify that a class map has been configured for the Scavenger class as shown in the example below.

class-map match-all SCAVENGER
match ip dscp cs1

Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below.

policy-map QOS_POLICY
class CONTROL_PLANE
priority percent 10
class C2_VOICE
priority percent 10
class VOICE
priority percent 15
class VIDEO
bandwidth percent 25
class PREFERRED_DATA
bandwidth percent 25
class SCAVENGER
bandwidth percent 5
class class-default
bandwidth percent 10

Note: Traffic out of profile must be marked at the customer access layer or CE egress edge.

If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.

Check Content Reference

M

Target Key

4028

Comments