CISC-RT-000730 - The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure.

Information

IP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from any attack is vital for the integrity and privacy of customer traffic as well as the availability of transit services. A compromise of the IP core can result in an outage or, at a minimum, non-optimized forwarding of customer traffic. Protecting the core from an outside attack also prevents attackers from using the core to attack any customer. Hence, it is imperative that all switches at the edge deny traffic destined to any address belonging to the IP core infrastructure.

Solution

Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.

Step 1: Configure an ingress ACL to discard and log packets destined to the IP core address space.

SW2(config)#ip access-list extended BLOCK_TO_CORE
SW2(config-ext-nacl)#deny ip any 10.1.x.0 0.0.255.255 log-input
SW2(config-ext-nacl)#exit

Step 2: Apply the ACL inbound to all external or CE-facing interfaces.

SW2(config)#int SW1(config)#int g0/2
SW2(config-if)#ip access-group BLOCK_TO_CORE in
SW2(config-if)#end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Switch_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7a., CAT|I, CCI|CCI-001097, Rule-ID|SV-221047r622190_rule, STIG-ID|CISC-RT-000730, STIG-Legacy|SV-110915, STIG-Legacy|V-101811, Vuln-ID|V-221047

Plugin: Cisco

Control ID: 47e0de00a5ef077dff5c050f6702962e8711a97924ffb2a6f4295ca458dfa034