CISC-RT-000760 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.

Information

Different applications have unique requirements and tolerance levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework that differentiates traffic and provides a method to manage network congestion. The Differentiated Services Model (DiffServ) is based on per-hop behavior: traffic is categorized into classes, and each node applies to every packet the forwarding treatment that the policy dictates for its class.

Packet markings such as IP Precedence and its successor, Differentiated Services Code Points (DSCP), were defined along with specific per-hop behaviors for key traffic types to enable a scalable QoS solution. DiffServ QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. It is imperative that end-to-end QoS be implemented within the IP core network to provide preferred treatment for mission-critical applications.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the router to enforce a QoS policy that provides preferred treatment for mission-critical applications.

Step 1: Configure class-maps to match on DSCP values as shown in the configuration example below.

RP/0/0/CPU0:R2(config)#class-map match-all C2_VOICE
RP/0/0/CPU0:R2(config-cmap)#match dscp 47
RP/0/0/CPU0:R2(config-cmap)#class-map match-all VOICE
RP/0/0/CPU0:R2(config-cmap)#match dscp ef
RP/0/0/CPU0:R2(config-cmap)#class-map match-all VIDEO
RP/0/0/CPU0:R2(config-cmap)#match dscp af41
RP/0/0/CPU0:R2(config-cmap)#class-map match-all CONTROL_PLANE
RP/0/0/CPU0:R2(config-cmap)#match dscp cs6
RP/0/0/CPU0:R2(config-cmap)#class-map match-all PREFERRED_DATA
RP/0/0/CPU0:R2(config-cmap)#match dscp af33
RP/0/0/CPU0:R2(config-cmap)#exit

Step 2: Configure a policy map to be applied to the core-layer-facing interface that reserves the bandwidth for each traffic type as shown in the example below.

RP/0/0/CPU0:R2(config)#policy-map QOS_POLICY
RP/0/0/CPU0:R2(config-pmap)#class C2_VOICE
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 10
RP/0/0/CPU0:R2(config-pmap-c)#class VOICE
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 15
RP/0/0/CPU0:R2(config-pmap-c)#class VIDEO
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 25
RP/0/0/CPU0:R2(config-pmap-c)#class CONTROL_PLANE
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 10
RP/0/0/CPU0:R2(config-pmap-c)#class PREFERRED_DATA
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 25
RP/0/0/CPU0:R2(config-pmap-c)#class class-default
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 15
RP/0/0/CPU0:R2(config-pmap-c)#exit

Step 3: Apply the output service policy to the core-layer-facing interface as shown in the configuration example below.

RP/0/0/CPU0:R2(config)#int g0/0/0/1
RP/0/0/CPU0:R2(config-if)#service-policy output QOS_POLICY
RP/0/0/CPU0:R2(config-if)#exit
RP/0/0/CPU0:R2(config)#int g0/0/0/2
RP/0/0/CPU0:R2(config-if)#service-policy output QOS_POLICY
RP/0/0/CPU0:R2(config-if)#end
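As an added example (not part of the STIG or of the Nessus audit), the following Python checker reads an IOS XR running-config and reports where the three steps above are not met: class-maps with no DSCP match, policy-map classes with no bandwidth reservation, and core-facing interfaces with no defined output service-policy. The configuration text and the list of core-facing interfaces are constructed for the example.

```python
# Constructed IOS XR running-config excerpt modelled on the STIG example above;
# GigabitEthernet0/0/0/2 deliberately lacks the service-policy so the audit flags it.
SAMPLE_CONFIG = """\
class-map match-all VOICE
 match dscp ef
policy-map QOS_POLICY
 class VOICE
  bandwidth percent 15
 class class-default
  bandwidth percent 15
interface GigabitEthernet0/0/0/1
 service-policy output QOS_POLICY
interface GigabitEthernet0/0/0/2
"""

def parse_config(text):
    """Map (kind, name) -> class-map DSCP, policy-map {class: percent}, or interface output policy."""
    blocks, block, cls = {}, ("", ""), None            # sentinel block matches no kind
    for raw in filter(str.split, text.splitlines()):   # skip blank lines
        words = raw.split()
        if not raw.startswith(" "):                     # unindented line opens a new block
            block, cls = (words[0], words[-1]), None
            blocks[block] = {} if words[0] == "policy-map" else None
        elif block[0] == "class-map" and words[:2] == ["match", "dscp"]:
            blocks[block] = words[2]
        elif block[0] == "policy-map" and words[0] == "class":
            cls = words[1]
            blocks[block].setdefault(cls, None)         # class present, reservation unknown yet
        elif block[0] == "policy-map" and cls and words[:2] == ["bandwidth", "percent"]:
            blocks[block][cls] = int(words[2])
        elif block[0] == "interface" and words[:2] == ["service-policy", "output"]:
            blocks[block] = words[2]
    return blocks

def audit_qos(text, core_interfaces):
    """Findings against the three STIG steps; an empty list means the config complies."""
    cfg = parse_config(text)
    cmaps = {n: v for (k, n), v in cfg.items() if k == "class-map"}
    pmaps = {n: v for (k, n), v in cfg.items() if k == "policy-map"}
    findings = [f"class-map {n}: no 'match dscp'" for n, d in cmaps.items() if d is None]
    for pname, classes in pmaps.items():
        for cls, pct in classes.items():
            if cls != "class-default" and cls not in cmaps:
                findings.append(f"policy-map {pname}: class {cls} has no class-map")
            if pct is None:
                findings.append(f"policy-map {pname}: class {cls} reserves no bandwidth")
    for intf in core_interfaces:
        if cfg.get(("interface", intf)) not in pmaps:   # missing or undefined output policy
            findings.append(f"{intf}: no defined output service-policy")
    return findings
```

Run it against the output of `show running-config` saved from the PE router and pass the names of its core-facing interfaces; any finding corresponds to one of the three configuration steps not being in place.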

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5(2), CAT|III, CCI|CCI-001095, Rule-ID|SV-216804r917439_rule, STIG-ID|CISC-RT-000760, STIG-Legacy|SV-105953, STIG-Legacy|V-96815, Vuln-ID|V-216804

Plugin: Cisco

Control ID: f41b8bf3e3168f5bb6d0c3e118eb9afda7ba677c0f98238eb989af8b543f975a