NET1007 - Management traffic is not classified and marked - 'policy-map DIST_LAYER_POLICY'

Information

Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.

When network congestion occurs, all traffic has an equal chance of being dropped. Prioritization of network management traffic must be implemented to ensure that even during periods of severe network congestion, the network can be managed and monitored. Quality of Service (QoS) provisioning categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment through congestion avoidance techniques. Implementing QoS within the network makes network performance more predictable and bandwidth utilization more effective. Most important, since the same bandwidth is being used to manage the network, it provides some assurance that there will be bandwidth available to troubleshoot outages and restore availability when needed.

When management traffic must traverse several nodes to reach the management network, management traffic should be classified and marked at the nearest upstream MLS or router. In addition, all core routers within the managed network must be configured to provide preferred treatment based on the QoS markings. This will ensure that management traffic receives preferred treatment (per-hop behavior) at each forwarding device along the path to the management network. traffic.

NOTE: Change 'DIST_LAYER_POLICY' to the name for your organization's policy-map name for the management traffic.
NOTE: Change 'MANAGEMENT_TRAFFIC' to the name for your organization's class-map name for management traffic.

Solution

When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CAT|III, Rule-ID|SV-19097r1_rule, STIG-ID|NET1007, Vuln-ID|V-17836

Plugin: Cisco

Control ID: d736a47638deb42dafbda09d635c5fe8b8f03ef5ad6a0d5c8a25397c976d4f82