STIGQter: STIG Summary: Cisco IOS Switch RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

DISA Rule

SV-220460r622190_rule

Vulnerability Number

V-220460

Group Title

SRG-NET-000193-RTR-000112

Rule Version

CISC-RT-000780

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Step 1: Configure a class-map for the SCAVENGER class.

SW1(config)#class-map match-all SCAVENGER
SW1(config-cmap)#match ip dscp cs1

Step 2: Add the SCAVENGER class to the policy-map as shown in the example below:

SW1(config)#policy-map QOS_POLICY
SW1(config-pmap)#no class class-default
SW1(config-pmap)#class SCAVENGER
SW1(config-pmap-c)#bandwidth percent 5
SW1(config-pmap-c)#class class-default
SW1(config-pmap-c)#bandwidth percent 10
SW1(config-pmap-c)#end

Check Contents

Review the switch configuration to determine if it is configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks.

Step 1: Verify that a class-map has been configured for the Scavenger class as shown in the example below:

class-map match-all SCAVENGER
match ip dscp cs1

Step 2: Verify that the policy-map includes the SCAVENGER class with low priority as shown in the example below:

policy-map QOS_POLICY
class CONTROL_PLANE
priority percent 10
class C2_VOICE
priority percent 10
class VOICE
priority percent 15
class VIDEO
bandwidth percent 25
class PREFERRED_DATA
bandwidth percent 25
class SCAVENGER
bandwidth percent 5
class class-default
bandwidth percent 10

Note: Traffic out of profile must be marked at the customer access layer or CE egress edge.

If the switch is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.
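The two check steps above can be automated against a saved running-config. The script below is an added example and is not part of the STIG; it assumes an IOS-style text config with one-space indentation, accepts any class-map name that matches DSCP CS1 (the STIG's SCAVENGER name is only an example), and uses a constructed config excerpt as input.

```python
import re

# Constructed running-config excerpt for testing; not captured from a real device.
SAMPLE_CONFIG = """\
class-map match-all SCAVENGER
 match ip dscp cs1
!
policy-map QOS_POLICY
 class CONTROL_PLANE
  priority percent 10
 class SCAVENGER
  bandwidth percent 5
 class class-default
  bandwidth percent 10
!
"""

def parse_sections(config):
    """Group indented child lines under their unindented parent (class-map, policy-map)."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def find_scavenger_classmap(sections):
    """Step 1: return the class-map name that matches 'ip dscp cs1', or None."""
    for header, body in sections.items():
        m = re.match(r"class-map match-(?:all|any) (\S+)", header)
        if m and "match ip dscp cs1" in body:
            return m.group(1)
    return None

def scavenger_bandwidth(sections, cmap):
    """Step 2: return the bandwidth percent given to cmap inside a policy-map, or None."""
    for header, body in sections.items():
        if not header.startswith("policy-map "):
            continue
        in_class = False
        for line in body:
            if line.startswith("class "):
                in_class = line == f"class {cmap}"   # only the scavenger class's actions count
            elif in_class and (m := re.match(r"bandwidth percent (\d+)", line)):
                return int(m.group(1))
    return None

def check_cisc_rt_000780(config):
    """Return (compliant, reason) for CISC-RT-000780 against a config text."""
    sections = parse_sections(config)
    cmap = find_scavenger_classmap(sections)
    if cmap is None:
        return (False, "no class-map matching ip dscp cs1 (finding)")
    pct = scavenger_bandwidth(sections, cmap)
    if pct is None:
        return (False, f"class {cmap} has no bandwidth limit in any policy-map (finding)")
    return (True, f"{cmap} limited to {pct}% bandwidth")
```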

Vulnerability Number

V-220460

Documentable

False

Rule Version

CISC-RT-000780

Severity Override Guidance

Check Content Reference

M

Target Key

4065

Comments