NET1007 - Management traffic is not classified and marked - 'ip access-list extended MGMT_TRAFFIC_CLASSIFICATION_ACL permit'

Information

Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.

When network congestion occurs, all traffic has an equal chance of being dropped. Prioritization of network management traffic must be implemented to ensure that even during periods of severe network congestion, the network can be managed and monitored. Quality of Service (QoS) provisioning categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment through congestion avoidance techniques. Implementing QoS within the network makes network performance more predictable and bandwidth utilization more effective. Most important, since the same bandwidth is being used to manage the network, it provides some assurance that there will be bandwidth available to troubleshoot outages and restore availability when needed.

When management traffic must traverse several nodes to reach the management network, management traffic should be classified and marked at the nearest upstream MLS or router. In addition, all core routers within the managed network must be configured to provide preferred treatment based on the QoS markings. This will ensure that management traffic receives preferred treatment (per-hop behavior) at each forwarding device along the path to the management network. traffic.

NOTE: Change 'MGMT_TRAFFIC_CLASSIFICATION_ACL' to the extended access control list name classifying your organization's management traffic.
NOTE: Change 'LOCAL_MANAGEMENT_NETWORK' to the management network for your organization.

Solution

When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Infrastructure_Router_L3_Switch_V8R29_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CAT|III, Rule-ID|SV-19313r1_rule, STIG-ID|NET1007, Vuln-ID|V-17836

Plugin: Cisco

Control ID: bb51e58b9b73b7843034336c62c8c2750b82fdcca4e8d6eee938ca962ede29c5