
Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.


Overview

Finding ID: V-17836
Version: NET1007
Rule ID: SV-19313r1_rule
IA Controls: (none listed)
Severity: Low
Description
When network congestion occurs, all traffic has an equal chance of being dropped. Prioritization of network management traffic must be implemented to ensure that even during periods of severe network congestion, the network can still be managed and monitored. Quality of Service (QoS) provisioning categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment through congestion avoidance techniques. Implementing QoS within the network makes network performance more predictable and bandwidth utilization more effective. Most importantly, since the same bandwidth is used to manage the network, it provides some assurance that bandwidth will be available to troubleshoot outages and restore availability when needed. When management traffic must traverse several nodes to reach the management network, it should be classified and marked at the nearest upstream MLS or router. In addition, all core routers within the managed network must be configured to provide preferred treatment based on the QoS markings. This ensures that management traffic receives preferred treatment (per-hop behavior) at each forwarding device along the path to the management network.
STIG: Perimeter Router Security Technical Implementation Guide Cisco
Date: 2018-11-28

Details

Check Text ( C-20262r1_chk )
class-map match-all MANAGEMENT-TRAFFIC
 match access-group name CLASSIFY-MANAGEMENT-TRAFFIC
!
policy-map DIST-LAYER-POLICY
 class MANAGEMENT-TRAFFIC
  set ip dscp 48
!
interface FastEthernet0/0
 description link to LAN1
 ip address 192.168.1.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/1
 description link to LAN2
 ip address 192.168.2.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/2
 description link to core
 ip address 192.168.13.1 255.255.255.0
!
ip access-list extended CLASSIFY-MANAGEMENT-TRAFFIC
 permit ip any 10.2.2.0 0.0.0.255

Note: Traffic is marked using the set command in a policy map. For DSCP rewrite, if a packet encounters both input and output classification policy, the output policy has precedence. If there is no output policy, then the input policy has precedence.
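The check above has to be verified on every distribution-layer device, which is tedious by hand. The following script is an added example, not part of the STIG or of any Cisco tooling: it parses a `show running-config` excerpt in IOS form (sub-commands indented, as the device prints them) and follows the chain the check text describes, from each interface's ingress `service-policy`, to the policy-map class that sets a DSCP value, to the class-map's `match access-group`, to the ACL entry that must cover the management network. The sample configuration embedded in it is constructed to mirror the check text, and the management network `10.2.2.0/24` is taken from that ACL; a real audit would pass in the site's actual management prefix. The core uplink (`FastEthernet0/2`) is reported with no ingress marking, which is expected here: marking is applied where management traffic enters from the LANs, and the core is trusted to honor the marks.

```python
"""Audit a Cisco IOS config for ingress marking of management traffic (added example)."""
import re
from ipaddress import ip_network

# Constructed sample config mirroring the STIG check text; not captured from a real device.
SAMPLE_CONFIG = """\
class-map match-all MANAGEMENT-TRAFFIC
 match access-group name CLASSIFY-MANAGEMENT-TRAFFIC
!
policy-map DIST-LAYER-POLICY
 class MANAGEMENT-TRAFFIC
  set ip dscp 48
!
interface FastEthernet0/0
 description link to LAN1
 ip address 192.168.1.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/1
 description link to LAN2
 ip address 192.168.2.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/2
 description link to core
 ip address 192.168.13.1 255.255.255.0
!
ip access-list extended CLASSIFY-MANAGEMENT-TRAFFIC
 permit ip any 10.2.2.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to a network; the wildcard is an inverted mask."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)


def _take_addr(tokens, i):
    """Consume one ACL address spec ('any', 'host A', or 'A WILDCARD') starting at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_config(text):
    """Split an IOS config into class-maps, policy-maps, interfaces and extended named ACLs."""
    cfg = {"class_maps": {}, "policy_maps": {}, "interfaces": {}, "acls": {}}
    section = None       # (kind, name) of the block currently being read
    policy_class = None  # current 'class X' inside a policy-map
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s == "!":
            continue
        if not raw[0].isspace():  # unindented line: a new top-level block
            policy_class = None
            if m := re.match(r"class-map\s+match-(?:all|any)\s+(\S+)$", s):
                section = ("class_maps", m.group(1)); cfg["class_maps"][m.group(1)] = []
            elif m := re.match(r"policy-map\s+(\S+)$", s):
                section = ("policy_maps", m.group(1)); cfg["policy_maps"][m.group(1)] = {}
            elif m := re.match(r"interface\s+(\S+)$", s):
                section = ("interfaces", m.group(1)); cfg["interfaces"][m.group(1)] = {"service_policy": {}}
            elif m := re.match(r"ip access-list extended\s+(\S+)$", s):
                section = ("acls", m.group(1)); cfg["acls"][m.group(1)] = []
            else:
                section = None
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "class_maps":
            cfg["class_maps"][name].append(s)
        elif kind == "policy_maps":
            if m := re.match(r"class\s+(\S+)$", s):
                policy_class = m.group(1); cfg["policy_maps"][name][policy_class] = []
            elif policy_class:
                cfg["policy_maps"][name][policy_class].append(s)
        elif kind == "interfaces":
            if m := re.match(r"service-policy\s+(input|output)\s+(\S+)$", s):
                cfg["interfaces"][name]["service_policy"][m.group(1)] = m.group(2)
            elif m := re.match(r"description\s+(.*)$", s):
                cfg["interfaces"][name]["description"] = m.group(1)
        elif kind == "acls":
            tokens = s.split()
            if tokens[0] in ("permit", "deny") and len(tokens) >= 4:
                src, i = _take_addr(tokens, 2)
                dst, _ = _take_addr(tokens, i)
                cfg["acls"][name].append({"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst})
    return cfg


def classes_marking_management(cfg, mgmt_net):
    """Return {(policy_map, class): dscp} for classes that set DSCP and whose ACL covers mgmt_net."""
    mgmt = ip_network(mgmt_net)
    found = {}
    for pname, classes in cfg["policy_maps"].items():
        for cname, actions in classes.items():
            dscp = next((m.group(1) for a in actions if (m := re.match(r"set (?:ip )?dscp\s+(\S+)$", a))), None)
            if dscp is None:
                continue  # class exists but marks nothing
            for match in cfg["class_maps"].get(cname, []):
                if m := re.match(r"match access-group name\s+(\S+)$", match):
                    for e in cfg["acls"].get(m.group(1), []):
                        if e["action"] == "permit" and mgmt.subnet_of(e["dst"]):
                            found[(pname, cname)] = dscp
    return found


def check_ingress_marking(cfg, mgmt_net):
    """Per interface: the DSCP applied to management traffic by the ingress policy, or None."""
    marking = classes_marking_management(cfg, mgmt_net)
    marked_policies = {p: d for (p, _c), d in marking.items()}
    return {iname: marked_policies.get(idata["service_policy"].get("input"))
            for iname, idata in cfg["interfaces"].items()}


if __name__ == "__main__":
    for iface, dscp in check_ingress_marking(parse_config(SAMPLE_CONFIG), "10.2.2.0/24").items():
        print(f"{iface}: {'DSCP ' + dscp if dscp else 'no ingress marking of management traffic'}")
```

The DSCP value 48 in the check text is CS6 (binary 110000), the class commonly used for network control traffic; the audit reports the raw value so a site can compare it against whatever marking its core routers are configured to prefer. An interface facing a LAN that comes back as `None` is a finding under this rule; the uplink toward the core normally will, since marking happens before the traffic reaches it.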

Fix Text (F-17756r1_fix)
When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.