NET1005 - No inbound ACL for mgmt network sub-interface - 'Sub-Interface Ingress ACL'

Information

An inbound ACL is not configured for the management network sub-interface of the trunk link to block non-management traffic.

If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate VLANs will be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the same time it is defined as a unique VLAN. Inter-VLAN routing or the routing of traffic between nodes residing in different subnets requires a router or multi-layer switch (MLS). Access control lists must be used to enforce the boundaries between the management network and the network being managed. All physical and virtual (i.e. MLS SVI) routed interfaces must be configured with ACLs to prevent the leaking of unauthorized traffic from one network to the other.

NOTE: Change 'NIPRNET_LINK_INTERFACE' to the router's interface that connects to the NIPRNET Provider.
NOTE: Change 'MGMT_INGRESS_ACL' to the ingress access control list for blocking your organization's non-management traffic on the management sub-interface.

Solution

If a router is used to provide inter-VLAN routing, configure an inbound ACL for the management network sub-interface for the trunk link to block non-management traffic.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Infrastructure_Router_L3_Switch_V8R29_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CAT|II, Rule-ID|SV-19308r1_rule, STIG-ID|NET1005, Vuln-ID|V-17834

Plugin: Cisco

Control ID: 4cbe3896c1d35517401e53a523ec348c414334e2ef0546599fbc9b585832e66a