The core router within the managed network has not been configured to provide preferred treatment for management traffic that must traverse several nodes to reach the management network.


Overview

Finding ID: V-17837
Version: NET1008
Rule ID: SV-19315r1_rule
IA Controls: (none listed)
Severity: Low
Description
When network congestion occurs, all traffic has an equal chance of being dropped. Prioritization of network management traffic must be implemented to ensure that even during periods of severe network congestion, the network can be managed and monitored. Quality of Service (QoS) provisioning categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment through congestion avoidance techniques. Implementing QoS within the network makes network performance more predictable and bandwidth utilization more effective. Most importantly, since the same bandwidth is being used to manage the network, it provides some assurance that there will be bandwidth available to troubleshoot outages and restore availability when needed. When management traffic must traverse several nodes to reach the management network, management traffic should be classified and marked at the nearest upstream MLS or router. In addition, all core routers within the managed network must be configured to provide preferred treatment based on the QoS markings. This will ensure that management traffic receives preferred treatment (per-hop behavior) at each forwarding device along the path to the management network.
STIG: Perimeter L3 Switch Security Technical Implementation Guide - Cisco
Date: 2017-03-09

Details

Check Text (C-20264r1_chk)
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic. This will ensure that management traffic receives guaranteed bandwidth at each forwarding device along the path to the management network.

Step 1: Verify that a service policy is bound to all core or internal router interfaces as shown in the configuration below:

interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 service-policy output QoS-Policy
interface FastEthernet0/2
 ip address 192.168.1.1 255.255.255.0
 service-policy output QoS-Policy

Step 2: Verify that the class-maps place management traffic in the appropriate forwarding class as shown in the example below:

class-map match-all best-effort
 match ip dscp 0
class-map match-any data-AF13-AF23
 match ip dscp 14
 match ip dscp 22
! AF33 and AF43 are separate classes so that the policy-map in Step 3 can assign each its own bandwidth
class-map match-all video-AF33
 match ip dscp 30
class-map match-all video-AF43
 match ip dscp 38
class-map match-all voice-EF
 match ip dscp 46
class-map match-all network-control
 match ip dscp 48


Step 3: Verify that the classes are receiving the required service.

policy-map QoS-Policy
 class best-effort
  bandwidth percent 10
  random-detect dscp-based
 class data-AF13-AF23
  bandwidth percent 30
  random-detect dscp-based
 class video-AF33
  bandwidth percent 15
  random-detect dscp-based
 class video-AF43
  bandwidth percent 20
  random-detect dscp-based
 class voice-EF
  priority percent 20
 class network-control
  bandwidth percent 5
  random-detect dscp-based

Note 1: The dscp-based argument enables WRED to use the DSCP value of a packet when it calculates the drop probability for the packet; whereas if the prec-based argument is specified, WRED will use the IP Precedence value to calculate drop probability. If neither is specified, the default is prec-based.

Note 2: LLQ is enabled with the priority command using either a kbps value or a bandwidth percentage using the percent keyword followed by a percentage value.

Note 3: Traffic that does not meet the match criteria specified in the forwarding classes is treated as belonging to the default forwarding class. If a default class is not configured, the default class has no QoS functionality. These packets are then placed into a FIFO queue and forwarded at a rate determined by the available underlying bandwidth. This FIFO queue is managed by tail drop—a means of avoiding congestion that treats all traffic equally and does not differentiate between classes of service. When the output queue is full and tail drop is in effect, packets are dropped until the congestion is eliminated and the queue is no longer full. The following example configures a default class called policy1.

policy-map policy1
 class class-default
  fair-queue 10
  queue-limit 20

The default class shown above has these characteristics: 10 queues for traffic that does not meet the match criteria of other classes whose policy is defined by policy1, and a maximum of 20 packets per queue before tail drop is enacted to handle additional queued packets.
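Steps 1 to 3 above are checked by reading the running-config by hand. The following Python script is an added example (not part of the STIG and not Cisco's code) that applies the same three checks to a running-config text: every interface binds a defined output service-policy (Step 1), class-map names that embed AFxy or EF tokens match the corresponding standard DSCP values (Step 2), and every class in the policy-map resolves to a class-map, with the management class given a bandwidth or LLQ guarantee rather than WRED alone (Step 3). It assumes IOS-style indentation, numeric match ip dscp values, and DSCP 48 (CS6, as matched by the network-control class above) as the management marking; the sample config is constructed, with two defects planted so that the audit has something to report.

```python
"""Audit a Cisco IOS running-config against Steps 1 to 3 of this check. Added example,
not part of the STIG: assumes IOS-style indentation and numeric 'match ip dscp' values."""
import re

MGMT_DSCP = 48  # CS6, as matched by the network-control class in the check text (assumption)

# Constructed sample config with two planted defects: FastEthernet0/2 binds no
# service-policy, and the policy-map references an undefined class video-AF33.
SAMPLE_CONFIG = """\
class-map match-any data-AF13-AF23
 match ip dscp 14
 match ip dscp 22
class-map match-all voice-EF
 match ip dscp 46
class-map match-all network-control
 match ip dscp 48
policy-map QoS-Policy
 class data-AF13-AF23
  bandwidth percent 30
 class video-AF33
  bandwidth percent 15
 class voice-EF
  priority percent 20
 class network-control
  bandwidth percent 5
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 service-policy output QoS-Policy
interface FastEthernet0/2
 ip address 192.168.1.1 255.255.255.0
"""


def parse_blocks(config):
    """Group config lines into (header, [indented sub-commands]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if raw.strip() and not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif raw.strip() and blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def dscp_for_token(token):
    """Standard DSCP for an AFxy or EF name (RFC 2597: 8*x + 2*y; RFC 3246: EF = 46)."""
    m = re.fullmatch(r"AF([1-4])([1-3])", token)
    if m:
        return 8 * int(m[1]) + 2 * int(m[2])
    return 46 if token == "EF" else None


def audit(config):
    """Return a list of findings; an empty list means the checks pass."""
    class_dscps, policies, interfaces, findings = {}, {}, {}, []
    for header, children in parse_blocks(config):
        words = header.split()
        if words[0] == "class-map":
            name = words[-1]
            class_dscps[name] = {int(c.split()[-1]) for c in children
                                 if re.match(r"match ip dscp \d+$", c)}
            # Step 2: a name such as data-AF13-AF23 must match exactly those DSCP values
            implied = {dscp_for_token(t) for t in re.findall(r"AF[1-4][1-3]|EF", name)}
            if implied and implied != class_dscps[name]:
                findings.append(f"class-map {name}: name implies DSCP {sorted(implied)} "
                                f"but matches {sorted(class_dscps[name])}")
        elif words[0] == "policy-map":
            classes, current = {}, None
            for c in children:
                if c.startswith("class "):
                    current = c.split()[1]
                    classes[current] = []
                elif current is not None:
                    classes[current].append(c)
            policies[words[1]] = classes
        elif words[0] == "interface":
            interfaces[words[1]] = children
    # Step 3: every class must resolve to a class-map, and the management class
    # must get a bandwidth or LLQ (priority) guarantee, not just WRED
    for pname, classes in policies.items():
        for cname, actions in classes.items():
            if cname != "class-default" and cname not in class_dscps:
                findings.append(f"policy-map {pname}: class {cname} has no class-map")
            guaranteed = any(a.startswith(("bandwidth ", "priority ")) for a in actions)
            if MGMT_DSCP in class_dscps.get(cname, set()) and not guaranteed:
                findings.append(f"policy-map {pname}: class {cname} gives management traffic no guarantee")
    # Step 1: every interface must bind an output service policy that is defined
    for iname, children in interfaces.items():
        bound = [c.split()[-1] for c in children if c.startswith("service-policy output ")]
        if not bound:
            findings.append(f"interface {iname}: no output service-policy")
        elif bound[0] not in policies:
            findings.append(f"interface {iname}: service-policy {bound[0]} is not defined")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the undefined video-AF33 class and the missing service-policy on FastEthernet0/2; removing those two defects makes the list empty. The script reads a saved show running-config, so it can be run over the configs of every core router rather than inspecting each device by hand.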


Fix Text (F-17757r1_fix)
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic.