STIGQter: STIG Summary: Network Infrastructure Policy Security Technical Implementation Guide Version: 9 Release: 10 Benchmark Date: 24 Jan 2020:

First-hop redundancy services must be configured to delay any preempt to provide enough time for the Internet Gateway Protocol (IGP) to stabilize.

DISA Rule

SV-80887r2_rule

Vulnerability Number

V-66397

Group Title

NET2017

Rule Version

NET2017

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure each router and multilayer switch providing first-hop redundancy services to delay preemption long enough for the IGP to stabilize.

Note: The amount of delay will be based on the number of IGP routes.

Check Contents

All routers or multilayer switches providing first-hop redundancy services must be configured to delay preemption to provide enough time for the IGP to stabilize. Review the router or multilayer switch providing first-hop redundancy services and verify that the preemption delay is configured.

If preemption delay is not configured, this is a finding.

Following is an HSRP configuration example that delays the preemption by 30 seconds.

interface GigabitEthernet 0/0/0
ip address 10.11.0.2 255.255.255.0
standby 1 priority 110
standby 1 ip 10.21.0.1
standby 1 preempt
standby 1 preempt delay minimum 30

Following is a VRRP configuration example that delays the preemption by 30 seconds.

interface GigabitEthernet 0/0/0
ip address 10.11.0.2 255.255.255.0
vrrp 1 priority 110
vrrp 1 ip 10.21.0.1
vrrp 1 preempt delay minimum 30

For VRRP implementations, a preemptive scheme is enabled by default. If preemption is disabled using the no vrrp preempt command, the virtual router backup that is elected to become virtual router master remains the master until the original virtual router master recovers and becomes master again.
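The check above is easy to automate against a saved running-config. The following audit script is an added example, not part of the STIG or of STIGQter; it parses HSRP (standby) and VRRP group lines per interface and reports each group that would preempt without a "preempt delay", applying the default noted above (HSRP preempts only when "standby N preempt" is present, VRRP preempts unless "no vrrp N preempt" is present). The sample configuration embedded in it is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config (not from the STIG): one compliant HSRP
# group, one VRRP group missing the delay, one VRRP group with preemption off.
SAMPLE_CONFIG = """\
interface GigabitEthernet 0/0/0
 standby 1 priority 110
 standby 1 ip 10.21.0.1
 standby 1 preempt delay minimum 30
interface GigabitEthernet 0/0/1
 vrrp 1 priority 110
 vrrp 1 ip 10.22.0.1
interface GigabitEthernet 0/0/2
 vrrp 2 ip 10.23.0.1
 no vrrp 2 preempt
"""

LINE_RE = re.compile(r"^(no\s+)?(standby|vrrp)\s+(\d+)\s+(.*)$")


def parse_fhrp_groups(config: str) -> Dict[Tuple[str, str, str], List[str]]:
    """Map (interface, protocol, group-id) -> that group's config lines."""
    groups: Dict[Tuple[str, str, str], List[str]] = {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            iface = line.split(None, 1)[1]
        elif iface and (m := LINE_RE.match(line)):
            neg, proto, gid, rest = m.groups()
            groups.setdefault((iface, proto, gid), []).append(("no " if neg else "") + rest)
    return groups


def audit_preempt_delay(config: str) -> List[str]:
    """One finding per FHRP group that would preempt without a configured delay."""
    findings = []
    for (iface, proto, gid), lines in parse_fhrp_groups(config).items():
        has_delay = any(l.startswith("preempt delay") for l in lines)
        if proto == "standby":
            # HSRP: preemption is off unless 'standby N preempt' is configured.
            preempts = any(l.startswith("preempt") for l in lines)
        else:
            # VRRP: preemption is on by default; only 'no vrrp N preempt' turns it off.
            preempts = not any(l == "no preempt" for l in lines)
        if preempts and not has_delay:
            findings.append(f"{iface}: {proto} group {gid} preempts without a delay")
    return findings
```

Run it over the output of "show running-config" for each router or multilayer switch providing first-hop redundancy; an empty list means no finding for this check.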

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

838

Comments