STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 12 Feb 2021

The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.

DISA Rule

SV-217079r639663_rule

Vulnerability Number

V-217079

Group Title

SRG-NET-000193-RTR-000113

Rule Version

JUNI-RT-000740

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure all interfaces to use a configured or the default BA classifier as shown in the example below:

[edit class-of-service interfaces]
set ge-0/0/1 unit 0 classifiers dscp default
set ge-0/1/0 unit 0 classifiers dscp default
set ge-1/0/1 unit 0 classifiers dscp default
set ge-1/1/0 unit 0 classifiers dscp default

Note: The GTP QOS document (GTP-0009) can be downloaded via the following link:
https://intellipedia.intelink.gov/wiki/Portal:GIG_Technical_Guidance/GTG_GTPs/GTP_Development_List

Check Contents

Review the router configuration and verify that it has been configured to enforce a QoS policy in accordance with the QoS GIG Technical Profile (GTP-0009). The router must be configured to use either a configured or the default Behavior Aggregate (BA) classifier on all interfaces, as shown in the example below:

class-of-service {
    interfaces {
        ge-0/0/1 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/1/0 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-1/0/1 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-1/1/0 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
    }
}

Note: The GTP QOS document (GTP-0009) can be downloaded via the following link:
https://intellipedia.intelink.gov/wiki/Portal:GIG_Technical_Guidance/GTG_GTPs/GTP_Development_List

If the router is not configured to enforce a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.
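One way to automate the check above, as an added example that is not part of the STIG: it reads configuration text in `show configuration | display set` form and lists every logical interface unit that has no DSCP BA classifier under `class-of-service interfaces`. The sample configuration is constructed, the function name is hypothetical, and two behaviours are assumptions: Junos `*` wildcards are matched with `fnmatch`, and loopback and management interfaces are skipped by default.

```python
import re
from fnmatch import fnmatch

# Constructed sample in "display set" format (not taken from a real device).
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 0 family inet address 10.0.1.1/30
set interfaces ge-0/1/0 unit 0 family inet address 10.0.2.1/30
set interfaces ge-1/0/1 unit 0 family inet address 10.0.3.1/30
set interfaces ge-1/1/0 unit 100 vlan-id 100
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set class-of-service interfaces ge-0/0/1 unit 0 classifiers dscp default
set class-of-service interfaces ge-0/1/0 unit * classifiers dscp default
set class-of-service interfaces ge-1/0/1 unit 0 scheduler-map SM-CORE
"""

# A logical unit defined under the top-level "interfaces" hierarchy.
UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\S+)")
# A DSCP BA classifier (default or named) bound under class-of-service.
BA_RE = re.compile(
    r"^set class-of-service interfaces (\S+) unit (\S+) classifiers dscp \S+")


def audit_ba_classifiers(config_text, skip_prefixes=("lo", "fxp", "em", "me")):
    """Return sorted (interface, unit) pairs that have no DSCP BA classifier."""
    units, classified = set(), []
    for line in config_text.splitlines():
        line = line.strip()
        if m := UNIT_RE.match(line):
            units.add((m.group(1), m.group(2)))
        elif m := BA_RE.match(line):
            classified.append((m.group(1), m.group(2)))
    findings = []
    for ifd, unit in units:
        if ifd.startswith(skip_prefixes):
            continue  # assumption: loopback/management are out of scope
        # A CoS entry covers the unit if both name and unit match,
        # treating "*" in either position as a wildcard.
        if not any(fnmatch(ifd, p_ifd) and fnmatch(unit, p_unit)
                   for p_ifd, p_unit in classified):
            findings.append((ifd, unit))
    return sorted(findings)


if __name__ == "__main__":
    for ifd, unit in audit_ba_classifiers(SAMPLE_CONFIG):
        print(f"FINDING: {ifd} unit {unit} has no DSCP BA classifier")
```

Pass `skip_prefixes=()` to apply the check literally to every configured interface, including loopback and management ports.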

Documentable

False

Check Content Reference

M

Target Key

4032
