UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The routes from the two IGP domains are redistributed to each other.


Overview

Finding ID Version Rule ID IA Controls Severity
V-17816 NET0986 SV-19069r1_rule ECSC-1 Medium
Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed network and the management network are separate routing domains, separate IGP routing instances must be configured on the router—one for the managed network and one for the OOBM network. In addition, the routes from the two domains must not be redistributed to each other.
STIG Date
Perimeter L3 Switch Security Technical Implementation Guide - Cisco 2015-04-06

Details

Check Text ( C-19233r1_chk )
Verify that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa.

As an alternative, static routes can be used to forward management traffic to the OOBM interface; however, this method may not scale well.

If static routes are used to forward management traffic to the OOB backbone network, verify that the OOBM interface is not an IGP adjacency and that the correct destination prefix has been configured to forward the management traffic to the correct next-hop and interface for the static route. In the following configuration examples, 10.1.1.0/24 is the management network and 10.1.20.4 is the interface address of the OOB backbone router that the OOB gateway router connects to. The network 10.1.20.0/24 is the OOBM backbone.
Fix Text (F-17731r1_fix)
Ensure that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa.