UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

An inbound ACL is not configured for the management network sub-interface of the trunk link to block non-management traffic.


Overview

Finding ID Version Rule ID IA Controls Severity
V-17834 NET1005 SV-19309r1_rule Medium
Description
If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate VLANs will be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the same time it is defined as a unique VLAN. Inter-VLAN routing or the routing of traffic between nodes residing in different subnets requires a router or multi-layer switch (MLS). Access control lists must be used to enforce the boundaries between the management network and the network being managed. All physical and virtual (i.e. MLS SVI) routed interfaces must be configured with ACLs to prevent the leaking of unauthorized traffic from one network to the other.
STIG Date
Perimeter Router Security Technical Implementation Guide Juniper 2016-12-23

Details

Check Text ( C-20258r1_chk )
Review the router configuration and verify that an inbound ACL has been configured for the management network sub-interface as illustrated in the following example configuration:

interfaces fe-1/1/1 {
vlan-tagging;
unit 10 {
family inet {
filter {
input ingress-mgmt-vlan-filter;
}
address 10.1.1.1/24;
}
}
}
firewall {
filter ingress-mgmt-vlan-filter {
term …

Fix Text (F-17751r1_fix)
If a router is used to provide inter-VLAN routing, configure an inbound ACL for the management network sub-interface for the trunk link to block non-management traffic.