Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17837 | NET1008 | SV-19316r1_rule | Low |
Description |
---|
When network congestion occurs, all traffic has an equal chance of being dropped. Prioritization of network management traffic must be implemented to ensure that even during periods of severe network congestion, the network can be managed and monitored. Quality of Service (QoS) provisioning categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment through congestion avoidance techniques. Implementing QoS within the network makes network performance more predictable and bandwidth utilization more effective. Most important, since the same bandwidth is being used to manage the network, it provides some assurance that there will be bandwidth available to troubleshoot outages and restore availability when needed. When management traffic must traverse several nodes to reach the management network, management traffic should be classified and marked at the nearest upstream MLS or router. In addition, all core routers within the managed network must be configured to provide preferred treatment based on the QoS markings. This will ensure that management traffic receives preferred treatment (per-hop behavior) at each forwarding device along the path to the management network. traffic. |
STIG | Date |
---|---|
Infrastructure Router - Juniper Security Technical Implementation Guide | 2017-09-28 |
Check Text ( C-20265r1_chk ) |
---|
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic. This will ensure that management traffic receives guaranteed bandwidth at each forwarding device along the path to the management network. Step 1: Verify that all internal or core router interfaces are bound to a DSCP classifier and that both CE-facing and core-facing interfaces have a forwarding-class policy defined (i.e. scheduler-map) as shown in the configuration below: class-of-service { interfaces { fe-* { scheduler-map MAP-FC-Policy; unit 0 { classifiers { dscp access-classifier; } rewrite-rules { dscp basic-rewrite-rules; } } } ge-* { scheduler-map MAP-FC-Policy; unit 0 { classifiers { dscp core-classifier; } } } } } Step 2: Verify that the classifier places traffic in the appropriate forwarding class according to the approved DSCPs as shown in the example below: class-of-service { classifiers { dscp access-classifier { forwarding-class best-effort { loss-priority high code-points 000000; } forwarding-class data-AF13-AF23 { loss-priority high code-points 001110; loss-priority low code-points 010110; } forwarding-class video-AF33-AF43 { loss-priority high code-points 011110; loss-priority low code-points 100110; } forwarding-class voice-EF { loss-priority low code-points 101110; } forwarding-class network-control { loss-priority low code-points 110000; } } } } Step 3: Verify that the forwarding classes are associated with the correct queues and polices (i.e., schedulers) as shown in the example below: class-of-service { forwarding-classes { queue 0 best-effort; queue 1 data-AF13-AF23; queue 2 video-AF33-AF43; queue 3 voice-EF; queue 4 network-control; } scheduler-maps { MAP-FC-Policy { forwarding-class best-effort scheduler Q0-best-effort; forwarding-class data-AF13-AF23 scheduler Q1-data; forwarding-class video-AF33-AF43 scheduler Q2-video; forwarding-class voice-EF scheduler Q3-voice; forwarding-class network-control scheduler Q4-network-control; } schedulers { Q0-best-effort { transmit-rate percent 20; buffer-size percent 20; drop-profile-map loss-priority low protocol any drop-profile be-low-drop-profile; drop-profile-map loss-priority high protocol any drop-profile be-high-drop-profile; priority low; } Q1-data { transmit-rate percent 35; buffer-size percent 30; drop-profile-map loss-priority low protocol any drop-profile data-low-drop-profile; drop-profile-map loss-priority high protocol any drop-profile data-high-drop-profile; priority low; } Q2-video { transmit-rate percent 40; buffer-size percent 35; drop-profile-map loss-priority low protocol any drop-profile video-low-drop-profile; drop-profile-map loss-priority high protocol any drop-profile video-high-drop-profile; priority low; } Q3-voice { buffer-size percent 10; priority strict-high; } Q4-network-control { transmit-rate percent 5; buffer-size percent 5; priority high; } } drop-profiles { video -high-drop-profile { fill-level 30 drop-probability 30; fill-level 50 drop-probability 50; fill-level 70 drop-probability 60; fill-level 90 drop-probability 100; } video -low-drop-profile { fill-level 40 drop-probability 30; fill-level 60 drop-probability 50; fill-level 80 drop-probability 60; fill-level 100 drop-probability 100; } data-high-drop-profile { fill-level 25 drop-probability 30; fill-level 45 drop-probability 50; fill-level 65 drop-probability 60; fill-level 85 drop-probability 100; } data-low-drop-profile { fill-level 30 drop-probability 30; fill-level 50 drop-probability 50; fill-level 70 drop-probability 60; fill-level 90 drop-probability 100; } be-high-drop-profile { fill-level 20 drop-probability 30; fill-level 40 drop-probability 50; fill-level 60 drop-probability 60; fill-level 80 drop-probability 100; } be-low-drop-profile { fill-level 25 drop-probability 30; fill-level 45 drop-probability 50; fill-level 65 drop-probability 60; fill-level 85 drop-probability 100; } } } Note: Scheduling policy maps configure the forwarding classes that represent packet queues for the physical interfaces that they are bound to. On M-series and T-series platforms, you can configure one queue per interface to have strict-high priority, which works the same as high priority, but provides unlimited transmission bandwidth. Hence, there is no need to define a transmit-rate for a strict-high priority queue. As long as the queue with strict-high priority has traffic to send, it receives precedence over all other queues, except queues with high priority. Queues with strict-high and high priority take turns transmitting packets until the strict-high queue is empty, the high priority queues are empty, or the high priority queues run out of bandwidth credit. Only then can lower priority queues send traffic. If only 4 queues are supported by the interface, map two classes into one queue as shown in the following example: class-of-service { restricted-queues { forwarding-class best-effort queue 0; forwarding-class data-AF13-AF23 queue 0; forwarding-class video-AF33-AF4 queue 1; forwarding-class voice-EF 2; forwarding-class network-control queue 3; } } |
Fix Text (F-17757r1_fix) |
---|
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic. |