Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
This requirement is not applicable for the DODIN Backbone. If Virtual Routing and Forwarding (VRF) is used to segment traffic and force traffic to traverse through next generation firewalls with ACLs, this requirement is not applicable. Review the router configuration to verify that Access Control Lists (ACLs) are configured to allow or deny traffic for specific source and destination addresses as well as ports and protocols. For example, the configuration below will allow only printer traffic into subnet 10.1.23.0/24 and SQL traffic into subnet 10.1.24.0/24. ICMP is allowed for troubleshooting and OSPF is the routing protocol used within the network. interface GigabitEthernet1/1 description link to core ip address 10.1.12.2 255.255.255.0 ip access-group FILTER_SERVER_TRAFFIC in … … … ip access-list extended FILTER_SERVER_TRAFFIC permit tcp any 10.1.23.0 0.0.0.255 eq lpd 631 9100 permit tcp any 10.1.24.0 0.0.0.255 eq 1433 1434 4022 permit icmp any any permit ospf any any deny ip any any If the router is not configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure ACLs to allow or deny traffic for specific source and destination addresses as well as ports and protocols between various subnets as required. The commands used below were used to create the configuration as shown in the check content. R5(config)#ip access-list extended FILTER_SERVER_TRAFFIC R5(config-ext-nacl)#permit tcp any x101.23.0 0.0.0.255 eq 515 631 9100 R5(config-ext-nacl)#permit tcp any 10.1.24.0 0.0.0.255 eq 1433 1434 4022 R5(config-ext-nacl)#permit icmp any any R5(config-ext-nacl)#permit ospf any any R5(config-ext-nacl)#deny ip any any R5(config-ext-nacl)#exit R5(config)#interface GigabitEthernet1/1 R5(config-if)#ip access-group FILTER_SERVER_TRAFFIC in
Review the router configuration using the configuration examples below for BGP and OSPF. Certain older protocols supporting only MD5 will incur a permanent finding for those protocols as MD5 is not FIPS compliant. Note: The 180-day key lifetime is Not Applicable for the DODIN Backbone. The remainder of the requirement still applies. Verify that neighbor router authentication is enabled for all routing protocols. If neighbor authentication is not enabled, this is a finding. Verify that authentication is configured to use FIPS 198-1 message authentication algorithms. If the routing protocol authentication is not configured to use FIPS 198-1 algorithms this is a finding. Verify that the protocol key lifetime is configured to not exceed 180 days. If any protocol key lifetime is configured to exceed 180 days this is a finding. BGP Example: key chain <KEY-CHAIN-NAME> tcp key <KEY-ID> send-id <ID> recv-id <ID> cryptographic-algorithm hmac-sha256 key-string <KEY> accept-lifetime 00:00:00 Jan 1 2022 duration 180 send-lifetime 00:00:00 Jan 1 2022 duration 180 ! ! router bgp <ASN> no synchronization bgp log-neighbor-changes neighbor x.x.x.x remote-as <ASN> neighbor x.x.x.x ao <KEY-CHAIN-NAME> Note: TCP-AO is used to replace MD5 in BGP authentication. OSPF Example: key chain OSPF_KEY_CHAIN key 1 key-string xxxxxxx send-lifetime 00:00:00 Jan 1 2018 23:59:59 Mar 31 2018 accept-lifetime 00:00:00 Jan 1 2018 01:05:00 Apr 1 2018 cryptographic-algorithm hmac-sha-256 key 2 key-string yyyyyyy send-lifetime 00:00:00 Apr 1 2018 23:59:59 Jun 30 2018 accept-lifetime 23:55:00 Mar 31 2018 01:05:00 Jul 1 2018 cryptographic-algorithm hmac-sha-256 … … … interface GigabitEthernet0/1 ip address x.x.x.x 255.255.255.0 ip ospf authentication key-chain OSPF_KEY_CHAIN
Configure routing protocol authentication to use a NIST-validated FIPS 198-1 message authentication code algorithm with keys not exceeding 180 days of lifetime as shown in the examples. BGP Example: Step 1: Configure a keychain using a FIPS 198-1 algorithm with a key duration not exceeding 180 days. key chain <KEY-CHAIN-NAME> tcp key <KEY-ID> send-id <ID> recv-id <ID> cryptographic-algorithm hmac-sha256 key-string <KEY> accept-lifetime 00:00:00 Jan 1 2022 duration 180 send-lifetime 00:00:00 Jan 1 2022 duration 180 ! Step 2: Configure BGP autonomous system to use the keychain for authentication. router bgp <ASN> no synchronization bgp log-neighbor-changes neighbor x.x.x.x remote-as <ASN> neighbor x.x.x.x ao <KEY-CHAIN-NAME> OSPF Example: Step 1: Configure a keychain using a FIPS 198-1 algorithm with a key duration not exceeding 180 days. key chain OSPF_KEY_CHAIN key 1 key-string xxxxxxx send-lifetime 00:00:00 Jan 1 2018 23:59:59 Mar 31 2018 accept-lifetime 00:00:00 Jan 1 2018 01:05:00 Apr 1 2018 cryptographic-algorithm hmac-sha-256 key 2 key-string yyyyyyy send-lifetime 00:00:00 Apr 1 2018 23:59:59 Jun 30 2018 accept-lifetime 23:55:00 Mar 31 2018 01:05:00 Jul 1 2018 cryptographic-algorithm hmac-sha-256 Step 2: Configure OSPF to use the keychain for authentication. interface GigabitEthernet0/1 ip address x.x.x.x 255.255.255.0 ip ospf authentication key-chain OSPF_KEY_CHAIN
Review the router configuration and verify that inactive interfaces have been disabled as shown below: interface GigabitEthernet3 shutdown ! interface GigabitEthernet4 shutdown If an interface is not being used but is configured or enabled, this is a finding.
Disable all inactive interfaces as shown below: R4(config)#interface GigabitEthernet3 R4(config-if)#shutdown R4(config)#interface GigabitEthernet4 R4(config-if)#shutdown
Review the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled. Auto-configuration example: version 15.0 service config … … … boot-start-marker boot network tftp://x.x.x.x/R5-config boot-end-marker CNS Zero-Touch Example: cns trusted-server config x.x.x.x cns trusted-server image x.x.x.x cns config initial x.x.x.x 80 cns exec 80 cns image If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding. Note: Auto-configuration or zero-touch deployment features can be enabled when the router is offline for the purpose of image loading or building out the configuration. In addition, this would not be applicable to the provisioning of virtual routers via a software-defined network (SDN) orchestration system.
Disable configuration auto-loading if enabled using the following commands: R8(config)#no boot network R8(config)#no service config Disable CNS zero-touch deployment if enabled as shown in the example below: R2(config)#no cns config initial R2(config)#no cns exec R2(config)#no cns image R2(config)#no cns trusted-server config x.x.x.x R2(config)#no cns trusted-server image x.x.x.x
Review the Cisco router configuration to verify it is compliant with this requirement. Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration: class-map match-all CoPP_CRITICAL match access-group name CoPP_CRITICAL class-map match-any CoPP_IMPORTANT match access-group name CoPP_IMPORTANT match protocol arp class-map match-all CoPP_NORMAL match access-group name CoPP_NORMAL class-map match-any CoPP_UNDESIRABLE match access-group name CoPP_UNDESIRABLE class-map match-all CoPP_DEFAULT match access-group name CoPP_DEFAULT Step 2: Review the Access Control Lists(ACLs) referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration: ip access-list extended CoPP_CRITICAL remark our control plane adjacencies are critical permit ospf host [OSPF neighbor A] any permit ospf host [OSPF neighbor B] any permit pim host [PIM neighbor A] any permit pim host [PIM neighbor B] any permit pim host [RP addr] any permit igmp any 224.0.0.0 15.255.255.255 permit tcp host [BGP neighbor] eq bgp host [local BGP addr] permit tcp host [BGP neighbor] host [local BGP addr] eq bgp deny ip any any ip access-list extended CoPP_IMPORTANT permit tcp host [TACACS server] eq tacacs any permit tcp [management subnet] 0.0.0.255 any eq 22 permit udp host [SNMP manager] any eq snmp permit udp host [NTP server] eq ntp any deny ip any any ip access-list extended CoPP_NORMAL remark we will want to rate limit ICMP traffic deny icmp any host x.x.x.x fragments permit icmp any any echo permit icmp any any echo-reply permit icmp any any time-exceeded permit icmp any any unreachable deny ip any any ip access-list extended CoPP_UNDESIRABLE remark other management plane traffic that should not be received permit udp any any eq ntp permit udp any any eq snmp permit tcp any any eq 22 permit tcp any any eq 23 remark other control plane traffic not configured on router permit eigrp any any permit udp any any eq rip deny ip any any ip access-list extended CoPP_DEFAULT permit ip any any Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command. Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration: policy-map CONTROL_PLANE_POLICY class CoPP_CRITICAL police 512000 8000 conform-action transmit exceed-action transmit class CoPP_IMPORTANT police 256000 4000 conform-action transmit exceed-action drop class CoPP_NORMAL police 128000 2000 conform-action transmit exceed-action drop class CoPP_UNDESIRABLE police 8000 1000 conform-action drop exceed-action drop class CoPP_DEFAULT police 64000 1000 conform-action transmit exceed-action drop Step 4: Verify that the CoPP policy is enabled. The following is an example configuration: control-plane service-policy input CONTROL_PLANE_POLICY Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category. If the Cisco router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.
Configure the Cisco router to protect against known types of DoS attacks on the route processor. Implementing a CoPP policy as shown in the example below is a best practice method. Step 1: Configure ACLs specific traffic types. R1(config)#ip access-list extended CoPP_CRITICAL R1(config-ext-nacl)#remark our control plane adjacencies are critical R1(config-ext-nacl)#permit ospf host x.x.x.x any R1(config-ext-nacl)#permit ospf host x.x.x.x any R1(config-ext-nacl)#permit pim host x.x.x.x any R1(config-ext-nacl)#permit pim host x.x.x.x any R1(config-ext-nacl)#permit igmp any 224.0.0.0 15.255.255.255 R1(config-ext-nacl)#permit tcp host x.x.x.x eq bgp host x.x.x.x R1(config-ext-nacl)#deny ip any any R1(config-ext-nacl)#exit R1(config)#ip access-list extended CoPP_IMPORTANT R1(config-ext-nacl)#permit tcp host x.x.x.x eq tacacs any R1(config-ext-nacl)#permit tcp x.x.x.x 0.0.0.255 any eq 22 R1(config-ext-nacl)#permit udp host x.x.x.x any eq snmp R1(config-ext-nacl)#permit udp host x.x.x.x eq ntp any R1(config-ext-nacl)#deny ip any any R1(config-ext-nacl)#exit R1(config)#ip access-list extended CoPP_NORMAL R1(config-ext-nacl)#remark we will want to rate limit ICMP traffic R1(config-ext-nacl)#deny icmp any host x.x.x.x fragments R1(config-ext-nacl)#permit icmp any any echo R1(config-ext-nacl)#permit icmp any any echo-reply R1(config-ext-nacl)#permit icmp any any time-exceeded R1(config-ext-nacl)#permit icmp any any unreachable R1(config-ext-nacl)#deny ip any any R1(config-ext-nacl)#exit R1(config)#ip access-list extended CoPP_UNDESIRABLE R1(config-ext-nacl)#remark management plane traffic that should not be received R1(config-ext-nacl)#permit udp any any eq ntp R1(config-ext-nacl)#permit udp any any eq snmp R1(config-ext-nacl)#permit tcp any any eq 22 R1(config-ext-nacl)#permit tcp any any eq 23 R1(config-ext-nacl)#remark control plane traffic not configured on router R1(config-ext-nacl)#permit eigrp any any R1(config-ext-nacl)#permit udp any any eq rip R1(config-ext-nacl)#deny ip any any R1(config-ext-nacl)#exit R1(config)#ip access-list extended CoPP_DEFAULT R1(config-ext-nacl)#permit ip any any R1(config-ext-nacl)#exit Step 2: Configure class maps referencing each of the ACLs. R1(config)#class-map match-all CoPP_CRITICAL R1(config-cmap)#match access-group name CoPP_CRITICAL R1(config-cmap)#class-map match-any CoPP_IMPORTANT R1(config-cmap)#match access-group name CoPP_IMPORTANT R1(config-cmap)#match protocol arp R1(config-cmap)#class-map match-all CoPP_NORMAL R1(config-cmap)#match access-group name CoPP_NORMAL R1(config-cmap)#class-map match-any CoPP_UNDESIRABLE R1(config-cmap)#match access-group name CoPP_UNDESIRABLE R1(config-cmap)#class-map match-all CoPP_DEFAULT R1(config-cmap)#match access-group name CoPP_DEFAULT R1(config-cmap)#exit Step 3: Configure a policy map referencing the configured class maps and apply appropriate bandwidth allowance and policing attributes. R1(config)#policy-map CONTROL_PLANE_POLICY R1(config-pmap)#class CoPP_CRITICAL R1(config-pmap-c)#police 512000 8000 conform-action transmit exceed-action transmit R1(config-pmap-c-police)#class CoPP_IMPORTANT R1(config-pmap-c)#police 256000 4000 conform-action transmit exceed-action drop R1(config-pmap-c-police)#class CoPP_NORMAL R1(config-pmap-c)#police 128000 2000 conform-action transmit exceed-action drop R1(config-pmap-c-police)#class CoPP_UNDESIRABLE R1(config-pmap-c)#police 8000 1000 conform-action drop exceed-action drop R1(config-pmap-c-police)#class CoPP_DEFAULT R1(config-pmap-c)#police 64000 1000 conform-action transmit exceed-action drop R1(config-pmap-c-police)#exit R1(config-pmap-c)#exit R1(config-pmap)#exit Step 4: Apply the policy map to the control plane. R1(config)#control-plane R1(config-cp)#service-policy input CONTROL_PLANE_POLICY R1(config-cp)#end
Review the configuration to determine if gratuitous ARP is disabled. The following command should not be found in the router configuration: ip gratuitous-arps Note: With Cisco IOS, Gratuitous ARP is enabled and disabled globally. If gratuitous ARP is enabled on any external interface, this is a finding.
Disable gratuitous ARP as shown in the example below: R5(config)#no ip gratuitous-arps
Review the router configuration to determine if it is compliant with this requirement. IP directed broadcast command must not be found on any interface as shown in the example below: interface GigabitEthernet0/1 ip address x.x.x.x 255.255.255.0 ip directed-broadcast If IP directed broadcast is not disabled on all interfaces, this is a finding.
Disable IP directed broadcast on all interfaces as shown in the example below: R4(config)#int g0/1 R4(config-if)#no ip directed-broadcast
Review the configuration to verify the no ip unreachables command has been configured on all external interfaces as shown in the configuration example below: interface GigabitEthernet0/1 ip address x.x.x.x 255.255.255.0 no ip unreachables If ICMP unreachable notifications are sent from any external or null0 interface, this is a finding. Alternative – DODIN Backbone: Verify that the PE router is configured to rate limit ICMP unreachable messages as shown in the example below: ip icmp rate-limit unreachable 60000 ip icmp rate-limit unreachable DF 1000 Note: In the example above, packet-too-big message (ICMP Type 3 Code 4) can be sent once every second, while all other destination unreachable messages can be sent once every minute. This will avoid disrupting Path MTU Discovery for traffic traversing the backbone while mitigating the risk of an ICMP unreachable DoS attack. IF the PE router is not configured to rate limit ICMP unreachable messages, this is a finding.
Step 1: Disable ip unreachables on all external interfaces. R4(config)#int g0/1 R4(config-if)#no ip unreachables Step 2: Disable ip unreachables on the Null0 interface if it is used to backhole packets. R4(config-if)#int null 0 R4(config-if)#no ip unreachables Alternative – DODIN Backbone: Configure the PE router to rate limit ICMP unreachable messages as shown in the example below: R4(config)#ip icmp rate-limit unreachable df 100 R4(config)#ip icmp rate-limit unreachable 100000 R4(config)#end Alternative – Non DODIN Backbone. An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps: Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below: R2(config)#ip access-list ext ICMP_T3C1C13 R2(config-ext-nacl)#permit icmp any any host-unreachable R2(config-ext-nacl)#permit icmp any any administratively-prohibited R2(config-ext-nacl)#exit Step 2: Create a route map to forward these ICMP messages to the Null0 interface. R2(config)#route-map LOCAL_POLICY R2(config-route-map)#match ip address ICMP_T3C1C13 R2(config-route-map)#set interface Null0 R2(config-route-map)#exit Step 3: Configure no ip unreachables on the Null0 interface. R2(config)#int null 0 R2(config-if)#no ip unreachables R2(config-if)#exit Step 4: Apply the policy to filter messages generated by the router. R2(config)#ip local policy route-map LOCAL_POLICY R2(config)#end
Review the router configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below: interface GigabitEthernet0/1 ip address x.x.x.x 255.255.255.0 ip mask-reply If the ip mask-reply command is configured on any external interface, this is a finding.
Disable ip mask-reply on all external interfaces as shown below: R4(config)#int g0/1 R4(config-if)#no ip mask-reply
Review the router configuration to verify that the no ip redirects command has been configured on all external interfaces as shown in the example below: interface GigabitEthernet0/1 ip address x.x.x.x 255.255.255.0 no ip redirects If ICMP Redirect messages are enabled on any external interfaces, this is a finding.
Disable ICMP redirects on all external interfaces as shown in the example below: R4(config)#int g0/1 R4(config-if)#no ip redirects
Review all ACLs used to filter traffic and verify that packets being dropped are logged as shown in the configuration below: ip access-list extended INGRESS_FILTER permit tcp any any established permit tcp host x.11.1.1 eq bgp host x.11.1.2 permit tcp host x.11.1.1 host x.11.1.2 eq bgp permit tcp any host x.11.1.5 eq www permit icmp host x.11.1.1 host x.11.1.2 echo permit icmp any any echo-reply … … … deny ip any any log If packets being dropped at interfaces are not logged, this is a finding.
Configure ACLs to log packets that are dropped as shown in the example below: R5(config)#ip access-list extended INGRESS_FILTER … … … R5(config-ext-nacl)#deny ip any any log
Review the router configuration to verify that events are logged containing information to establish where the events occurred as shown in the example below: ip access-list extended INGRESS_FILTER permit tcp any any established permit tcp host x.11.1.1 eq bgp host x.11.1.2 permit tcp host x.11.1.1 host x.11.1.2 eq bgp permit tcp any host x.11.1.5 eq www permit icmp host x.11.1.1 host x.11.1.2 echo permit icmp any any echo-reply … … … deny ip any any log-input Note: When the log-input parameter is configured on deny statements, the log record will contain the interface where ingress packet has been dropped. If the router is not configured to produce audit records containing information to establish to establish where the events occurred, this is a finding.
Configure the router to log events containing information to establish where the events occurred as shown in the example below: R5(config)#ip access-list extended INGRESS_FILTER … … … R5(config-ext-nacl)#deny ip any any log-input
Review the router configuration to verify that events are logged containing information to establish the source of the events as shown in the example below: ip access-list extended INGRESS_FILTER permit tcp any any established permit tcp host x.11.1.1 eq bgp host x.11.1.2 permit tcp host x.11.1.1 host x.11.1.2 eq bgp permit tcp any host x.11.1.5 eq www permit icmp host x.11.1.1 host x.11.1.2 echo permit icmp any any echo-reply … … … deny ip any any log-input Note: When the log-input parameter is configured on deny statements, the log record will contain the layer 2 address of the forwarding device for any packet being dropped. If the router is not configured to produce audit records containing information to establish the source of the events, this is a finding.
Configure the router to log events containing information to establish where the events occurred as shown in the example below: R5(config)#ip access-list extended INGRESS_FILTER … … … R5(config-ext-nacl)#deny ip any any log-input
Review the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it. line aux 0 no exec Note: transport input none is the default; hence it will not be shown in the configuration. If the auxiliary port is not disabled or is not connected to a secured modem when it is enabled, this is a finding.
Disable the auxiliary port. R2(config)#line aux 0 R2(config-line)#no exec R2(config-line)#transport input none
This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify that the inbound ACL applied to all external interfaces is configured to allow specific ports and protocols and deny all other traffic. Step 1: Verify that an inbound ACL is applied to all external interfaces as shown in the example below: interface GigabitEthernet0/2 ip address x.11.1.2 255.255.255.254 ip access-group EXTERNAL_ACL in Step 2: Review inbound ACL to verify that it is configured to deny all other traffic that is not explicitly allowed. ip access-list extended EXTERNAL_ACL permit tcp any any established permit tcp host x.11.1.1 eq bgp host x.11.1.2 permit tcp host x.11.1.1 host x.11.1.2 eq bgp permit icmp host x.11.1.1 host x.11.1.2 echo permit icmp host x.11.1.1 host x.11.1.2 echo-reply … … … deny ip any any log-input If the ACL is not configured to allow specific ports and protocols and deny all other traffic, this is a finding. If the ACL is not configured inbound on all external interfaces, this is a finding.
This requirement is not applicable for the DODIN Backbone. Step 1: Configure an inbound ACL to deny all other traffic by default as shown in the example below: R1(config)#ip access-list extended EXTERNAL_ACL R1(config-ext-nacl)#permit tcp any any established R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2 R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply … … … R1(config-ext-nacl)#deny ip any any log-input Step 2: Apply the ingress filter to all external interfaces. R1(config)#int g0/2 R1(config-if)#ip access-group EXTERNAL_ACL in
Review the router configuration to verify that ACLs are configured to allow or deny traffic for specific source and destination addresses as well as ports and protocols. In the example below, the router is peering BGP with DISN. ICMP echo and echo-reply packets are allowed for troubleshooting connectivity. WWW traffic is permitted inbound to the NIPRNet host-facing web server (x.12.1.22). interface GigabitEthernet0/1 description Link to DISN ip address x.12.1.10 255.255.255.0 ip access-group FILTER_PERIMETER in … … … ip access-list extended FILTER_PERIMETER permit tcp any any established permit tcp host x.12.1.9 host x.12.1.10 eq bgp permit tcp host x.12.1.9 eq bgp host x.12.1.10 permit icmp host x.12.1.9 host x.12.1.10 echo permit icmp host x.12.1.9 host x.12.1.10 echo-reply permit tcp any host x.12.1.22 eq www deny ip any any log-input If the router is not configured to enforce approved authorizations for controlling the flow of information between interconnected networks, this is a finding.
This requirement is not applicable for the DODIN Backbone. Step 1: Configure an ACL to allow or deny traffic as shown in the example below. R1(config)#ip access-list extended FILTER_PERIMETER R1(config-ext-nacl)#permit tcp any any established R1(config-ext-nacl)#permit tcp host x.12.1.9 host x.12.1.10 eq bgp R1(config-ext-nacl)#permit tcp host x.12.1.9 eq bgp host x.12.1.10 R1(config-ext-nacl)#permit icmp host x.12.1.9 host x.12.1.10 echo R1(config-ext-nacl)#permit icmp host x.12.1.9 host x.12.1.10 echo-reply R1(config-ext-nacl)#permit tcp any host x.12.1.22 eq www R1(config-ext-nacl)#deny ip any any log-input R1(config-ext-nacl)#exit Step 2: Apply the ACL inbound on all external interfaces. R2(config)#int g0/0 R1(config-if)#ip access-group FILTER_PERIMETER in
This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if the router allows only incoming communications from authorized sources to be routed to authorized destinations. The hypothetical example below allows inbound NTP from server x.1.12.9 only to host x.12.1.21. ip access-list extended FILTER_PERIMETER permit tcp any any established … … … permit udp host x.12.1.9 host x.12.1.21 eq ntp deny ip any any log-input If the router does not restrict incoming communications to allow only authorized sources and destinations, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations. R1(config)#ip access-list extended FILTER_PERIMETER R1(config-ext-nacl)#nn permit udp host x.12.1.9 host x.12.1.21 eq ntp R1(config-ext-nacl)#end
This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify that an ingress ACL applied to all external interfaces is blocking packets with Bogon source addresses. Step 1: Verify an ACL has been configured containing the current Bogon prefixes as shown in the example below: ip access-list extended FILTER_PERIMETER deny ip 0.0.0.0 0.255.255.255 any log-input deny ip 10.0.0.0 0.255.255.255 any log-input deny ip 100.64.0.0 0.63.255.255 any log-input deny ip 127.0.0.0 0.255.255.255 any log-input deny ip 169.254.0.0 0.0.255.255 any log-input deny ip 172.16.0.0 0.15.255.255 any log-input deny ip 192.0.0.0 0.0.0.255 any log-input deny ip 192.0.2.0 0.0.0.255 any log-input deny ip 192.168.0.0 0.0.255.255 any log-input deny ip 198.18.0.0 0.1.255.255 any log-input deny ip 198.51.100.0 0.0.0.255 any log-input deny ip 203.0.113.0 0.0.0.255 any log-input deny ip 224.0.0.0 31.255.255.255 any log-input deny ip 240.0.0.0 15.255.255.255 any log-input permit tcp any any established permit tcp host x.12.1.9 host x.12.1.10 eq bgp permit tcp host x.12.1.9 eq bgp host x.12.1.10 permit icmp host x.12.1.9 host x.12.1.10 echo permit icmp host x.12.1.9 host x.12.1.10 echo-reply … … … deny ip any any log-input Step 2: Verify that the inbound ACL applied to all external interfaces will block all traffic from Bogon source addresses. interface GigabitEthernet0/1 description Link to DISN ip address x.12.1.10 255.255.255.254 ip access-group FILTER_PERIMETER in If the router is not configured to block inbound packets with source Bogon IP address prefixes, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the perimeter to block inbound packets with Bogon source addresses. Step 1: Configure an ACL containing the current Bogon prefixes as shown below: R5(config)#ip access-list extended FILTER_PERIMETER R5(config-ext-nacl)#deny ip 0.0.0.0 0.255.255.255 any log-input R5(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any log-input R5(config-ext-nacl)#deny ip 100.64.0.0 0.63.255.255 any log-input R5(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 any log-input R5(config-ext-nacl)#deny ip 169.254.0.0 0.0.255.255 any log-input R5(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any log-input R5(config-ext-nacl)#deny ip 192.0.0.0 0.0.0.255 any log-input R5(config-ext-nacl)#deny ip 192.0.2.0 0.0.0.255 any log-input R5(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any log-input R5(config-ext-nacl)#deny ip 198.18.0.0 0.1.255.255 any log-input R5(config-ext-nacl)#deny ip 198.51.100.0 0.0.0.255 any log-input R5(config-ext-nacl)#deny ip 203.0.113.0 0.0.0.255 any log-input R5(config-ext-nacl)#deny ip 224.0.0.0 31.255.255.255 any log-input R5(config-ext-nacl)#deny ip 240.0.0.0 15.255.255.255 any log-input R5(config-ext-nacl)#permit tcp any any established R5(config-ext-nacl)#permit tcp host x.12.1.9 host x.12.1.10 eq bgp R5(config-ext-nacl)#permit tcp host x.12.1.9 eq bgp host x.12.1.10 R5(config-ext-nacl)#permit icmp host x.12.1.9 host x.12.1.10 echo R5(config-ext-nacl)#permit icmp host x.12.1.9 host x.12.1.10 echo-reply … … … R5(config-ext-nacl)#deny ip any any log-input R5(config-ext-nacl)#end Step 2: Apply the ACL inbound on all external interfaces. R2(config)#int g0/0 R1(config-if)#ip access-group FILTER_PERIMETER in R1(config-if)#end
This requirement is not applicable for the DODIN Backbone. Step 1: Verify the interface connecting to ISP has an inbound ACL as shown in the example below. interface GigabitEthernet0/2 description Link to ISP ip address x.22.1.15 255.255.255.240 ip access-group FILTER_ISP in Step 2: Verify that the ACL only allows traffic to specific destination addresses (i.e. enclave’s NIPRNet address space) as shown in the example below. ip access-list extended FILTER_ISP permit tcp any any established permit icmp host x.12.1.16 host x.12.1.17 echo permit icmp host x.12.1.16 host x.12.1.17 echo-reply permit tcp any host x.12.1.22 eq www permit tcp any host x.12.1.23 eq www permit 50 any host x.12.1.24 permit 51 any host x.12.1.24 deny ip any any log-input Note: An Approved Gateway (AG) is any external connection from a DoD NIPRNet enclave to an Internet Service Provider, or network owned by a contractor, or non-DoD federal agency that has been approved by either the DoD CIO or the DoD Component CIO. This AG requirement does not apply to commercial cloud connections when the Cloud Service Provider (CSP) network is connected via the NIPRNet Boundary Cloud Access Point (BCAP). If the ingress ACL bound to the interface connecting to an alternate gateway permits packets with addresses other than those specified, such as destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the ingress ACL of the perimeter router connected to an alternate gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider as shown in the example below: R5(config)#ip access-list extended FILTER_ISP R5(config-ext-nacl)#permit tcp any any established R5(config-ext-nacl)#permit icmp host x.12.1.16 host x.12.1.17 echo R5(config-ext-nacl)#permit icmp host x.12.1.16 host x.12.1.17 echo-reply R5(config-ext-nacl)#permit tcp any host x.12.1.22 eq www R5(config-ext-nacl)#permit tcp any host x.12.1.23 eq www R5(config-ext-nacl)#permit 50 any host x.12.1.24 R5(config-ext-nacl)#permit 51 any host x.12.1.24 R5(config-ext-nacl)#deny ip any any log-input R5(config-ext-nacl)#end
This requirement is not applicable for the DODIN Backbone. Review the router configuration and verify that it is not BGP peering with an alternate gateway service provider. Step 1: Determine the ip address of the ISP router. interface GigabitEthernet0/2 description Link to ISP ip address x.22.1.15 255.255.255.240 Step 2: Verify that the router is not BGP peering with this router. router bgp nn no synchronization bgp log-neighbor-changes neighbor x.11.1.7 remote-as nn neighbor x.11.1.7 password xxxxxxx no auto-summary In the example above, the router is not peering with the ISP. If the router is BGP peering with an alternate gateway service provider, this is a finding.
This requirement is not applicable for the DODIN Backbone. Remove any BGP neighbors belonging to the alternate gateway service provider and configure a static route to forward Internet bound traffic to the alternate gateway as shown in the example below: R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14
This requirement is not applicable for the DODIN Backbone. Step 1: Review the IGP and BGP configurations. If there are redistribute static statements configured as shown in examples below, proceed to step 2. OSPF Example: router ospf 1 log-adjacency-changes redistribute static subnets network 0.0.0.0 255.255.255.255 area 0 EIGRP example: router eigrp 1 network 10.1.15.0 0.0.0.255 redistribute static RIP example: router rip version 2 redistribute static network 10.0.0.0 BGP example: router bgp nn no synchronization bgp log-neighbor-changes redistribute static neighbor x.11.1.7 remote-as nn neighbor x.11.1.7 password xxxxxxx no auto-summary Step 2: Review the static routes that have been configured to determine if any contain the next hop address of the alternate gateway. If the static routes to the alternate gateway are being redistributed into BGP or any IGP peering to a NIPRNet gateway or any other autonomous system, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the router so that static routes are not redistributed to an alternate gateway into either a BGP or any IGP peering with the NIPRNet or to any other autonomous systems. This can be done by excluding that route in the route-map as shown in the example below: Step 1: Configure a prefix list for any static routes with the alternate gateway as the next-hop address. R5(config)#ip prefix-list ISP_PREFIX permit x.x.x.0/24 Step 2: Configure a route map that will deny the state routes to the ISP. R5(config)#route-map FILTER_ISP_STATIC deny 10 R5(config-route-map)#match ip address prefix-list ISP_PREFIX R5(config-route-map)#exit R5(config)#route-map FILTER_ISP_STATIC permit 20 R5(config-route-map)#exit Step 3: Apply the route-map to the IGP and BGP redistribute static commands as shown in the EIGRP example. R5(config)#router eigrp 1 R5(config-router)#redistribute static route-map FILTER_ISP_STATIC
This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify that the ingress ACL is in accordance with DoD 8551.1. Step 1: Verify that an inbound ACL is configured on all external interfaces. interface GigabitEthernet0/2 ip address x.11.1.2 255.255.255.254 ip access-group EXTERNAL_ACL_INBOUND in Step 2. Review the inbound ACL to verify that it is filtering traffic in accordance with DoD 8551.1. ip access-list extended EXTERNAL_ACL_INBOUND permit tcp any any established permit tcp host x.11.1.1 eq bgp host x.11.1.2 permit tcp host x.11.1.1 host x.11.1.2 eq bgp permit icmp host x.11.1.1 host x.11.1.2 echo permit icmp host x.11.1.1 host x.11.1.2 echo-reply … … < must be in accordance with DoD Instruction 8551.1> … deny ip any any log-input If the router does not filter traffic in accordance with the guidelines contained in DoD 8551.1, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the router to use an inbound ACL on all external interfaces as shown in the example below to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1. R1(config)#ip access-list extended EXTERNAL_ACL_INBOUND R1(config-ext-nacl)#permit tcp any any established R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2 R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply … … < must be in accordance with DoD Instruction 8551.1> … R1(config-ext-nacl)#deny ip any any log-input R1(config-ext-nacl)#exit R1(config)#int g0/2 R1(config-if)#ip access-group EXTERNAL_ACL_INBOUND in
This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify that an inbound ACL is configured on all external interfaces as shown in the example below: interface GigabitEthernet0/2 ip address x.11.1.2 255.255.255.254 ip access-group EXTERNAL_ACL_INBOUND in If the router is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the router to use an inbound ACL on all external interfaces as shown in the example below: R1(config)#int g0/2 R1(config-if)#ip access-group EXTERNAL_ACL_INBOUND in
This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify that the egress ACL is bound to the internal interface in an inbound direction. interface interface GigabitEthernet0/2 description downstream link to LAN ip address 10.1.25.5 255.255.255.0 ip access-group EGRESS_FILTER in If the router is not configured to filter traffic leaving the network at the internal interface in an inbound direction, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the router to use an inbound ACL on all internal interfaces as shown in the example below: R5(config)#int g0/2 R5(config-if)#ip access-group EGRESS_FILTER in
This requirement is not applicable for the DODIN Backbone. Step 1: Verify LLDP is not enabled globally via the command. lldp run By default LLDP is not enabled globally. If LLDP is enabled, proceed to step 2. Step 2: Verify LLDP is not enabled on any external interface as shown in the example below: interface GigabitEthernet0/1 ip address x.1.12.1 255.255.255.252 no lldp transmit Note: LLDP is enabled by default on all interfaces once it is enabled globally; hence the command "lldp transmit" will not be visible on the interface configuration. If LLDP transmit is enabled on any external interface, this is a finding.
Disable LLDP transmit on all external interfaces as shown in the example below: R5(config)#int g0/1 R5(config-if)#no lldp transmit
This requirement is not applicable for the DODIN Backbone. Step 1: Verify if CDP is enabled globally as shown below: cdp run By default, CDP is not enabled globally or on any interface. If CDP is enabled globally, proceed to step 2. Step 2: Verify CDP is not enabled on any external interface as shown in the example below: interface GigabitEthernet2 ip address z.1.24.4 255.255.255.252 … … … cdp enable If CDP is enabled on any external interface, this is a finding.
This requirement is not applicable for the DODIN Backbone. Disable CDP on all external interfaces via no cdp enable command or disable CDP globally via no cdp run command.
This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if IP Proxy ARP is disabled on all external interfaces as shown in the example below: interface GigabitEthernet0/1 description link to DISN ip address x.1.12.2 255.255.255.252 no ip proxy-arp Note: By default Proxy ARP is enabled on all interfaces; hence, if enabled, it will not be shown in the configuration. If IP Proxy ARP is enabled on any external interface, this is a finding.
This requirement is not applicable for the DODIN Backbone. Disable Proxy ARP on all external interfaces as shown in the example below: R2(config)#int g0/1 R2(config-if)#no ip proxy-arp
This requirement is not applicable for the DODIN Backbone. The perimeter router of the managed network must be configured with an outbound ACL on the egress interface to block all management traffic as shown in the example below: Step 1: Verify that all external interfaces has been configured with an outbound ACL as shown in the example below: interface GigabitEthernet0/2 description link to DISN ip address x.11.1.2 255.255.255.254 ip access-group EXTERNAL_ACL_OUTBOUND out Step 2: Verify that the outbound ACL discards management traffic as shown in the example below: ip access-list extended EXTERNAL_ACL_OUTBOUND deny tcp any any eq tacacs log-input deny tcp any any eq 22 log-input deny udp any any eq snmp log-input deny udp any any eq snmptrap log-input deny udp any any eq syslog log-input permit tcp any any eq www log-input deny ip any any log-input If management traffic is not blocked at the perimeter, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the perimeter router of the managed network with an outbound ACL on the egress interface to block all management traffic. Step 1: Configure an ACL to block egress management traffic. R5(config)#ip access-list extended EXTERNAL_ACL_OUTBOUND R5(config-ext-nacl)#deny tcp any any eq tacacs log-input R5(config-ext-nacl)#deny tcp any any eq 22 log-input R5(config-ext-nacl)#deny udp any any eq snmp log-input R5(config-ext-nacl)#deny udp any any eq snmptrap log-input R5(config-ext-nacl)#deny udp any any eq syslog log-input R5(config-ext-nacl)#permit tcp any any eq www R5(config-ext-nacl)#deny ip any any log-input R5(config-ext-nacl)#exit Note: Permit commands would be configured to allow applicable outbound traffic. The example above is allowing web traffic. Step 2: Configure the external interfaces with the outbound ACL. R1(config)#int g0/2 R1(config-if)#ip access-group EXTERNAL_ACL_OUTBOUND out
This requirement is not applicable for the DODIN Backbone. Review the network topology diagram to determine connectivity between the managed network and the NOC. Review the OOBM gateway router configuration to validate the path and interface that the management traffic traverses. If an IPsec tunnel is used to transport the management traffic between the NOC and the managed network, review the configuration following the steps below. Step 1: Note the crypto map applied to the external interface. interface interface GigabitEthernet0/2 description link to DISN ip address x.1.24.4 255.255.255.0 crypto map IPSEC_MGMT_MAP Step 2: Review the ISAKMP policy for Phase 1 negotiations and Phase 2 policy for data encryption. crypto isakmp policy 10 authentication pre-share hash sha256 crypto isakmp key xxxxxx address x.1.12.1 ! ! crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes Step 3: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel. crypto map IPSEC_MGMT_MAP 10 ipsec-isakmp set peer x.1.12.1 set transform-set TRANS_SET match address MGMT_TRAFFIC_ACL Step 4: Review the ACL defined in the crypto map and verify that the destination is the management network. ip access-list extended MGMT_TRAFFIC_ACL permit ip 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 Note: The management network is this example is 10.22.2.0/24 If management traffic is not transported between the managed network and the NOC via dedicated circuit, MPLS/VPN service, or IPsec tunnel, this is a finding.
This requirement is not applicable for the DODIN Backbone. Ensure that a dedicated circuit, MPLS/VPN service, or IPsec tunnel is deployed to transport management traffic between the managed network and the NOC. If an IPsec tunnel is to be used, the steps below can be used as a guideline. Step 1: Configure the ACL for the management network as the destination. This ACL will be defined in the crypto as the interesting traffic to be forwarded into the IPsec tunnel. R4(config)#ip access-list extended MGMT_TRAFFIC_ACL R4(config-ext-nacl)#permit ip 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 R4(config-ext-nacl)#exit Step 2: Create an ISAKMP policy for Phase 1 negotiations. R4(config)#crypto isakmp policy 10 R4(config-isakmp)#hash sha256 R4(config-isakmp)#authentication pre-share R4(config-isakmp)#exit Step 3: Specify the pre-shared key and the remote peer address. R4(config)#crypto isakmp key 0 xxxxxx address x.1.12.1 Note: Digital certificates can be utilized as an alternative. Step 4: Create the IPSec transform set for the data encryption. R4(config)#crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes R4(cfg-crypto-trans)#mode tunnel R4(cfg-crypto-trans)#exit Step 5: Create the crypto map. R4(config)#crypto map IPSEC_MGMT_MAP 10 ipsec-isakmp R4(config-crypto-map)#set peer x.1.12.1 R4(config-crypto-map)#match address MGMT_TRAFFIC_ACL R4(config-crypto-map)#set transform-set TRANS_SET R4(config-crypto-map)#end Step 6: Apply the crypto map to the external interface. R4(config)#int g0/2 R4(config-if)#crypto map IPSEC_MGMT_MAP
This requirement is not applicable for the DODIN Backbone. Review the network topology diagram to determine connectivity between the managed network and the NOC. Review the OOBM gateway router configuration to validate the path that the management traffic traverses. Verify that only management traffic is forwarded through the OOBM interface or IPsec tunnel. If an OOBM link is used, verify that the only authorized management traffic is transported to the NOC by reviewing the outbound ACL applied to the OOBM interface as shown in the example below: Step 1: Note the outbound ACL applied to the OOBM interface. interface GigabitEthernet0/2 description OOB link to NOC ip address 10.11.1.8 255.255.255.0 ip access-group MGMT_TRAFFIC_ACL out Step 2: Review the outbound ACL and verify only management traffic is forwarded to the NOC. ip access-list extended MGMT_TRAFFIC_ACL permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq tacacs permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq 22 permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp-trap permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq syslog permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255 deny ip any any log-input If an IPSec tunnel is used, verify that the only authorized management traffic is transported to the NOC. Step 1: Note the crypto map applied to the external interface. interface interface GigabitEthernet0/2 description link to DISN ip address x.1.24.4 255.255.255.0 crypto map IPSEC_MGMT_MAP Step 2: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel. crypto map IPSEC_MGMT_MAP 10 ipsec-isakmp set peer x.1.12.1 set transform-set TRANS_SET match address MGMT_TRAFFIC_ACL Step 3: Review the ACL defined in the crypto map and verify only management traffic is forwarded to the NOC. ip access-list extended MGMT_TRAFFIC_ACL permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq tacacs permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq 22 permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp-trap permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq syslog permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255 Note: ICMP is permitted for troubleshooting purposes. The IPSec SA can only identify interesting traffic via address, protocol, and port; hence, the ICMP traffic cannot be qualified via type attribute. If traffic other than authorized management traffic is permitted through the OOBM interface or IPsec tunnel, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure ACLs to permit only authorized management traffic into IPsec tunnels or the OOBM interface used for forwarding management data as shown in the examples below: OOBM Link: R4(config)#ip access-list extended MGMT_TRAFFIC_ACL R4(config-ext-nacl)#permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq tacacs R4(config-ext-nacl)#permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq 22 R4(config-ext-nacl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp R4(config-ext-nacl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp-trap R4(config-ext-nacl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq syslog R4(config-ext-nacl)#permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255 echo R4(config-ext-nacl)#permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255 echo-reply R4(config-ext-nacl)#deny ip any any log-input R4(config-ext-nacl)#exit IPsec Tunnel: R4(config)#ip access-list extended MGMT_TRAFFIC_ACL R4(config-ext-nacl)#permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq tacacs R4(config-ext-nacl)#permit tcp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq 22 R4(config-ext-nacl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp R4(config-ext-nacl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp-trap R4(config-ext-nacl)#permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq syslog R4(config-ext-nacl)#permit icmp 10.1.34.0 0.0.0.255 22.22.22.0 0.0.0.255 R4(config-ext-nacl)#exit
This requirement is not applicable for the DODIN Backbone. Verify that the OOBM interface is an adjacency in the IGP domain for the management network via separate VRF as shown in the example below: router ospf 1 vrf MGMT log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! router ospf 2 vrf PROD log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 If the router is not configured to have separate IGP instances for the managed network and management network, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the router to have a separate IGP instance for the management network as shown in the example below: R3(config)#router ospf 1 vrf MGMT R3(config-router)#network 0.0.0.0 0.0.0.0 area 0 R3(config-router)#exit R3(config)#router ospf 2 vrf PROD R3(config-router)#network 0.0.0.0 0.0.0.0 area 0 R3(config-router)#end
This requirement is not applicable for the DODIN Backbone. Verify the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network, and vice versa. The example below imports OSPF routes from the production route table (VRF PROD) into the management route table (VRF MGMT) using BGP. ip vrf MGMT rd 4:4 route-target export 4:4 route-target import 4:4 route-target import 8:8 ! ip vrf PROD rd 8:8 route-target import 8:8 route-target export 8:8 … … … router ospf 1 vrf MGMT log-adjacency-changes redistribute bgp 64512 subnets network 0.0.0.0 255.255.255.255 area 0 ! router ospf 2 vrf PROD log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! router bgp 64512 no synchronization bgp log-neighbor-changes no auto-summary ! address-family ipv4 vrf MGMT no synchronization redistribute ospf 1 vrf MGMT exit-address-family ! address-family ipv4 vrf PROD no synchronization redistribute ospf 2 vrf PROD exit-address-family If the IGP instance used for the managed network redistributes routes into the IGP instance used for the management network, or vice versa, this is a finding.
This requirement is not applicable for the DODIN Backbone. Remove the configuration that imports routes from the managed network into the management network or vice versa as shown in the example below: R1(config)#ip vrf MGMT R1(config-vrf)#no route-target import 8:8
This requirement is not applicable for the DODIN Backbone. It is only applicable if the OOBM gateway router is not a dedicated device to the OOBM backbone. Verify that traffic destined to itself is only sourced by the OOBM or the NOC. In the example below, the OOBM backbone network is 10.11.1.0/24, the NOC address spaces is 10.12.1.0/24, and the OOBM LAN address space at remote site connecting to the managed network is 10.13.1.0/24. Step 1: Note the inbound ACL applied to the OOBM interfaces. interface GigabitEthernet0/2 description OOB link to NOC ip address 10.11.1.8 255.255.255.0 ip access-group TRAFFIC_FROM_NOC in ! interface GigabitEthernet0/3 description link to OOBM LAN access switch ip address 10.13.1.1 255.255.255.0 ip access-group TRAFFIC_TO_NOC in If the ACL is not configured to only allow traffic to the route processor from the OOBM backbone and the NOC, this is a finding. Step 2: Review the inbound ACL bound to any OOB interface connecting to the OOBM backbone and verify traffic destined to itself is only from the OOBM or NOC address space. ip access-list extended TRAFFIC_FROM_NOC permit ip 10.11.1.0 0.255.255.255 host 10.11.1.8 permit ip 10.12.1.0 0.255.255.255 host 10.11.1.8 permit ip 10.11.1.0 0.255.255.255 host 10.13.1.1 permit ip 10.12.1.0 0.255.255.255 host 10.13.1.1 deny ip any host 10.11.1.8 log-input deny ip any host 10.13.1.1 log-input permit ip 10.11.1.0 0.0.0.255 10.13.1.0 0.0.0.255 permit ip 10.12.1.0 0.0.0.255 10.13.1.0 0.0.0.255 deny ip any any log-input Step 3: Review the inbound ACL bound to any OOBM LAN interfaces and verify traffic destined to itself is from the OOBM LAN address space. ip access-list extended TRAFFIC_TO_NOC permit ip 10.13.1.0 0.255.255.255 host 10.13.1.1 permit ip 10.13.1.0 0.255.255.255 host 10.11.1.8 deny ip any host 10.13.1.1 log-input deny ip any host 10.11.1.8 log-input permit ip 10.13.1.0 0.255.255.255 10.11.1.0 0.0.0.255 permit ip 10.13.1.0 0.255.255.255 10.12.1.0 0.0.0.255 deny ip any any log-input If the ACL is not configured to only allow traffic to the route processor from the OOBM LAN, this is a finding.
This requirement is not applicable for the DODIN Backbone. It is only applicable if the OOBM gateway router is not a dedicated device to the OOBM backbone. Step 1: Configure the ACL to only allow traffic to the route processor from the OOBM backbone and the NOC. R4(config)#ip access-list extended TRAFFIC_FROM_NOC R4(config-ext-nacl)#permit ip 10.11.1.0 0.255.255.255 host 10.11.1.8 R4(config-ext-nacl)#permit ip 10.12.1.0 0.255.255.255 host 10.11.1.8 R4(config-ext-nacl)#permit ip 10.11.1.0 0.255.255.255 host 10.13.1.1 R4(config-ext-nacl)#permit ip 10.12.1.0 0.255.255.255 host 10.13.1.1 R4(config-ext-nacl)#deny ip any host 10.11.1.8 log-input R4(config-ext-nacl)#deny ip any host 10.13.1.1 log-input R4(config-ext-nacl)#permit ip 10.11.1.0 0.0.0.255 10.13.1.0 0.0.0.255 R4(config-ext-nacl)#permit ip 10.12.1.0 0.0.0.255 10.13.1.0 0.0.0.255 R4(config-ext-nacl)#deny ip any any log-input Step 2: Configure the ACL to only allow traffic to the route processor from the OOBM LAN. R4(config)#ip access-list extended TRAFFIC_TO_NOC R4(config-ext-nacl)#permit ip 10.13.1.0 0.255.255.255 host 10.13.1.1 R4(config-ext-nacl)#permit ip 10.13.1.0 0.255.255.255 host 10.11.1.8 R4(config-ext-nacl)#deny ip any host 10.13.1.1 log-input R4(config-ext-nacl)#deny ip any host 10.11.1.8 log-input R4(config-ext-nacl)#permit ip 10.13.1.0 0.255.255.255 10.11.1.0 0.0.0.255 R4(config-ext-nacl)#permit ip 10.13.1.0 0.255.255.255 10.12.1.0 0.0.0.255 R4(config-ext-nacl)#deny ip any any log-input R4(config-ext-nacl)#exit Step 3: Apply the ACLs configured above to the appropriate OOBM interfaces as shown in the example below: R4(config)#int g0/2 R4(config-if)#ip access-group TRAFFIC_FROM_NOC in R4(config)#int g0/3 R4(config-if)#ip access-group TRAFFIC_TO_NOC in R4(config-if)#end
This requirement is only applicable where management access to the router is via an OOBM interface which is not a true OOBM interface. Step 1: Verify that the managed interface has an inbound and outbound ACL configured. interface GigabitEthernet0/7 description link to OOBM access switch ip address 10.11.1.22 255.255.255.0 ip access-group INGRESS_MANAGEMENT_ACL in ip access-group EGRESS_MANAGEMENT_ACL out Step 2: Verify that the ingress ACL only allows management and ICMP traffic. ip access-list extended INGRESS_MANAGEMENT_ACL permit tcp any host 10.11.1.22 eq tacacs permit tcp any host 10.11.1.22 eq 22 permit udp any host 10.11.1.22 eq snmp permit udp any host 10.11.1.22 eq snmptrap permit udp any host 10.11.1.22 eq ntp permit icmp any host 10.11.1.22 deny ip any any log-input Step 3: Verify that the egress ACL blocks any transit traffic. ip access-list extended EGRESS_MANAGEMENT_ACL deny ip any any log-input Note: On Cisco routers, local generated packets are not inspected by outgoing interface access-lists. Hence, the above configuration would simply drop any packets not generated by the router; hence, blocking any transit traffic. If the router does not restrict traffic that ingresses and egresses the management interface, this is a finding.
If the management interface is not a dedicated OOBM interface, it must be configured with both an ingress and egress ACL. Step 1: Configure an ingress ACL a shown in the example below: R5(config)#ip access-list extended INGRESS_MANAGEMENT_ACL R5(config-ext-nacl)#permit tcp any host 10.11.1.22 eq tacacs R5(config-ext-nacl)#permit tcp any host 10.11.1.22 eq 22 R5(config-ext-nacl)#permit udp any host 10.11.1.22 eq snmp R5(config-ext-nacl)#permit udp any host 10.11.1.22 eq snmptrap R5(config-ext-nacl)#permit udp any host 10.11.1.22 eq ntp R5(config-ext-nacl)#permit icmp any host 10.11.1.22 R5(config-ext-nacl)#deny ip any any log-input R5(config-ext-nacl)#exit Step 2: Configure an egress ACL a shown in the example below: R5(config)#ip access-list extended EGRESS_MANAGEMENT_ACL R5(config-ext-nacl)#deny ip any any log-input R5(config-ext-nacl)#exit Step 3: Apply the ACLs to the OOBM interfaces. R4(config)#int g0/7 R4(config-if)#ip access-group INGRESS_MANAGEMENT_ACL in R4(config-if)#ip access-group EGRESS_MANAGEMENT_ACL out
This requirement is not applicable for the DODIN Backbone. Verify that all traffic from the managed network to the management network or NOC and vice-versa is secured via IPsec tunnel. Step 1: Note the crypto map applied to the external interface. interface GigabitEthernet0/2 description link to DISN ip address x.1.24.4 255.255.255.0 crypto map IPSEC_MGMT_MAP Step 2: Review the ISAKMP policy for Phase 1 negotiations and Phase 2 policy for data encryption. crypto isakmp policy 10 authentication pre-share hash sha256 crypto isakmp key xxxxxx address x.1.12.1 ! ! crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes Step 3: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel. crypto map IPSEC_MGMT_MAP 10 ipsec-isakmp set peer x.1.12.1 set transform-set TRANS_SET match address MGMT_TRAFFIC_ACL Step 4: Review the ACL defined in the crypto map and verify that the destination is the management network. ip access-list extended MGMT_TRAFFIC_ACL permit ip 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 Note: The management network is this example is 10.22.2.0/24 If the management traffic is not secured via IPsec tunnel, this is a finding.
This requirement is not applicable for the DODIN Backbone. Ensure that all traffic from the managed network to the management network is secured via IPsec tunnel as shown in the configuration examples below. Step 1: Configure the ACL for the management network as the destination. This ACL will be defined in the crypto as the interesting traffic to be forwarded into the IPsec tunnel. R4(config)#ip access-list extended MGMT_TRAFFIC_ACL R4(config-ext-nacl)#permit ip 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 R4(config-ext-nacl)#exit Step 2: Create an ISAKMP policy for Phase 1 negotiations. R4(config)#crypto isakmp policy 10 R4(config-isakmp)#hash sha256 R4(config-isakmp)#authentication pre-share R4(config-isakmp)#exit Step 3: Specify the pre-shared key and the remote peer address. R4(config)#crypto isakmp key 0 xxxxxx address 10.1.12.1 Note: Digital certificates can be utilized as an alternative. Step 4: Create the Phase 2 policy for the data encryption. R4(config)#crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes R4(cfg-crypto-trans)#mode tunnel R4(cfg-crypto-trans)#exit Step 5: Create the crypto map. R4(config)#crypto map IPSEC_MGMT_MAP 10 ipsec-isakmp R4(config-crypto-map)#set peer 10.1.12.1 R4(config-crypto-map)#match address MGMT_TRAFFIC_ACL R4(config-crypto-map)#set transform-set TRANS_SET R4(config-crypto-map)#end Step 6: Apply the crypto map to the external interface. R4(config)#int g0/2 R4(config-if)#crypto map IPSEC_MGMT_MAP
This check is Not Applicable for JRSS internal EBGP use. Review the router configuration to verify that it will reject BGP routes for any Bogon prefixes. Step 1: Verify a prefix list has been configured containing the current Bogon prefixes as shown in the example below: ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32 ip prefix-list PREFIX_FILTER seq 10 deny 10.0.0.0/8 le 32 ip prefix-list PREFIX_FILTER seq 15 deny 100.64.0.0/10 le 32 ip prefix-list PREFIX_FILTER seq 20 deny 127.0.0.0/8 le 32 ip prefix-list PREFIX_FILTER seq 25 deny 169.254.0.0/16 le 32 ip prefix-list PREFIX_FILTER seq 30 deny 172.16.0.0/12 le 32 ip prefix-list PREFIX_FILTER seq 35 deny 192.0.2.0/24 le 32 ip prefix-list PREFIX_FILTER seq 40 deny 192.88.99.0/24 le 32 ip prefix-list PREFIX_FILTER seq 45 deny 192.168.0.0/16 le 32 ip prefix-list PREFIX_FILTER seq 50 deny 198.18.0.0/15 le 32 ip prefix-list PREFIX_FILTER seq 55 deny 198.51.100.0/24 le 32 ip prefix-list PREFIX_FILTER seq 60 deny 203.0.113.0/24 le 32 ip prefix-list PREFIX_FILTER seq 65 deny 224.0.0.0/4 le 32 ip prefix-list PREFIX_FILTER seq 70 deny 240.0.0.0/4 le 32 ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8 Step 2: Verify that the prefix list has been applied to all external BGP peers as shown in the example below: router bgp xx no synchronization bgp log-neighbor-changes neighbor x.1.1.9 remote-as yy neighbor x.1.1.9 prefix-list PREFIX_FILTER in neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 prefix-list PREFIX_FILTER in Route Map Alternative: Verify that the route map applied to the external neighbors references the configured Bogon prefix list shown above. router bgp xx no synchronization bgp log-neighbor-changes neighbor x.1.1.9 remote-as yy neighbor x.1.1.9 route-map FILTER_PREFIX_MAP neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 route-map FILTER_PREFIX_MAP … route-map FILTER_PREFIX_MAP permit 10 match ip address prefix-list PREFIX_FILTER If the router is not configured to reject inbound route advertisements for any Bogon prefixes, this is a finding.
Configure the router to reject inbound route advertisements for any Bogon prefixes. Step 1: Configure a prefix list containing the current Bogon prefixes as shown below: R1(config)#ip prefix-list PREFIX_FILTER deny 0.0.0.0/8 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 10.0.0.0/8 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 100.64.0.0/10 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 127.0.0.0/8 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 169.254.0.0/16 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 172.16.0.0/12 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 192.0.2.0/24 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 192.88.99.0/24 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 192.168.0.0/16 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 198.18.0.0/15 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 198.51.100.0/24 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 203.0.113.0/24 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 224.0.0.0/4 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 240.0.0.0/4 le 32 R1(config)#ip prefix-list PREFIX_FILTER deny 240.0.0.0/4 le 32 R1(config)#ip prefix-list PREFIX_FILTER permit 0.0.0.0/0 ge 8 Step 2: Apply the prefix list filter inbound to each external BGP neighbor as shown in the example: R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 prefix-list PREFIX_FILTER in R1(config-router)#neighbor x.2.1.7 prefix-list PREFIX_FILTER in Route Map Alternative: Step 1: Configure the route map referencing the configured prefix list above. R1(config)#route-map FILTER_PREFIX_MAP 10 R1(config-route-map)#match ip address prefix-list PREFIX_FILTER R1(config-route-map)#exit Step 2: Apply the route-map inbound to each external BGP neighbor as shown in the example: R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 route-map FILTER_PREFIX_MAP in R1(config-router)#neighbor x.2.1.7 route-map FILTER_PREFIX_MAP in R1(config-router)#end
Review the router configuration to verify that it will reject routes belonging to the local AS. Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS. In the example below, x.13.1.0/24 is the global address space allocated to the local AS. ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32 … … … ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32 ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8 Step 2: Verify that the prefix list has been applied to all external BGP peers as shown in the example below: router bgp xx no synchronization bgp log-neighbor-changes neighbor x.1.1.9 remote-as yy neighbor x.1.1.9 prefix-list PREFIX_FILTER in neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 prefix-list PREFIX_FILTER in If the router is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.
Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS. Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system. R1(config)#ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32 Step 2: If not already completed to be compliant with previous requirement, apply the prefix list filter inbound to each external BGP neighbor as shown in the example. R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 prefix-list PREFIX_FILTER in R1(config-router)#neighbor x.2.1.7 prefix-list PREFIX_FILTER in
Review the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers. Step 1: Verify prefix list has been configured for each customer containing prefixes belonging to each customer as shown in the example below: ip prefix-list PREFIX_FILTER_CUST1 seq 5 permit x.13.1.0/24 le 32 ip prefix-list PREFIX_FILTER_CUST1 seq 10 deny 0.0.0.0/0 ge 8 ip prefix-list PREFIX_FILTER_CUST2 seq 5 permit x.13.2.0/24 le 32 ip prefix-list PREFIX_FILTER_CUST2 seq 10 deny 0.0.0.0/0 ge 8 Step 2: Verify that the prefix lists has been applied to all to the applicable CE peers as shown in the example below: router bgp xx no synchronization bgp log-neighbor-changes neighbor x.12.4.14 remote-as 64514 neighbor x.12.4.14 prefix-list FILTER_PREFIXES_CUST1 in neighbor x.12.4.16 remote-as 64516 neighbor x.12.4.16 prefix-list FILTER_PREFIXES_CUST2 in Note: Routes to PE-CE links within a VPN are needed for troubleshooting end-to-end connectivity across the MPLS/IP backbone. Hence, these prefixes are an exception to this requirement. Note: This check is NA for JRSS systems. If the router is not configured to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer, this is a finding.
Configure the router to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer. Step 1: Configure a prefix list for each customer containing prefixes belonging to each. R1(config)#ip prefix-list PREFIX_FILTER_CUST1 permit x.13.1.0/24 le 32 R1(config)#ip prefix-list PREFIX_FILTER_CUST1 deny 0.0.0.0/0 ge 8 R1(config)#ip prefix-list PREFIX_FILTER_CUST2 permit x.13.2.0/24 le 32 R1(config)#ip prefix-list PREFIX_FILTER_CUST2 deny 0.0.0.0/0 ge 8 Step 2: Apply the prefix list filter inbound to each CE neighbor as shown in the example. R1(config)#router bgp xx R1(config-router)#neighbor x.12.4.14 prefix-list FILTER_PREFIXES_CUST1 in R1(config-router)#neighbor x.12.4.16 prefix-list FILTER_PREFIXES_CUST2 in
This requirement is not applicable for the DODIN Backbone. Step 1: Verify that a prefix list has been configured containing prefixes belonging to customers as well as the local AS as shown in the example below. ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 5 permit x.13.1.0/24 le 32 ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 10 permit x.13.2.0/24 le 32 ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 15 permit x.13.3.0/24 le 32 ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 20 permit x.13.4.0/24 le 32 … … … ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 80 deny 0.0.0.0/0 ge 8 Step 2: Verify that the prefix lists has been applied to all CE peers as shown in the example below. router bgp 64512 no synchronization bgp log-neighbor-changes neighbor x.12.4.14 remote-as 64514 neighbor x.12.4.14 prefix-list CE_PREFIX_ADVERTISEMENTS out neighbor x.12.4.16 remote-as 64516 neighbor x.12.4.16 prefix-list CE_PREFIX_ADVERTISEMENTS out Note: This check is NA for JRSS systems. If the router is not configured to reject outbound route advertisements that do not belong to any customers or the local AS, this is a finding.
Step 1: Configure a prefix list for containing all customer and local AS prefixes as shown in the example below: R1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.1.0/24 le 32 R1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.2.0/24 le 32 R1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.3.0/24 le 32 R1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.4.0/24 le 32 … … … R1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS deny 0.0.0.0/0 ge 8 Step 2: Apply the prefix list filter outbound to each CE neighbor as shown in the example. R1(config)#router bgp 64512 R1(config-router)#neighbor x.12.4.14 prefix-list CE_PREFIX_ADVERTISEMENTS out R1(config-router)#neighbor x.12.4.16 prefix-list CE_PREFIX_ADVERTISEMENTS out
Step 1: Verify that a prefix list has been configured containing prefixes belonging to the IP core. ip prefix-list FILTER_CORE_PREFIXES seq 5 deny x.1.1.0/24 le 32 ip prefix-list FILTER _CORE_PREFIXES seq 10 deny x.1.2.0/24 le 32 ip prefix-list FILTER _CORE_PREFIXES seq 15 permit 0.0.0.0/0 ge 8 Step 2: Verify that the prefix lists has been applied to all external BGP peers as shown in the example below: router bgp xx no synchronization bgp log-neighbor-changes neighbor x.1.4.12 remote-as yy address-family ipv4 neighbor x.1.4.12 prefix-list FILTER _CORE_PREFIXES out If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.
Step 1: Configure a prefix list for containing all customer and local AS prefixes as shown in the example below: R1(config)#ip prefix-list FILTER_CORE_PREFIXES deny x.1.1.0/24 le 32 R1(config)#ip prefix-list FILTER _CORE_PREFIXES deny x.1.2.0/24 le 32 R1(config)#ip prefix-list FILTER _CORE_PREFIXES permit 0.0.0.0/0 ge 8 Step 2: Apply the prefix list filter outbound to each CE neighbor as shown in the example. router bgp xx address-family ipv4 neighbor x.1.4.12 prefix-list FILTER _CORE_PREFIXES out
Review the router configuration to verify the router is configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute. By default, Cisco IOS enforces the first AS in the AS_PATH attribute for all route advertisements. Review the router configuration to verify that the command no bgp enforce-first-as is not configured. router bgp xx no synchronization no bgp enforce-first-as If the router is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.
Configure the router to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute. R1(config)#router bgp xx R1(config-router)#bgp enforce-first-as
This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify the router is configured to deny updates received from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer. Step 1: Review router configuration and verify that there is an as-path access-list statement defined to only accept routes from a CE router whose AS did not originate the route. The configuration should look similar to the following: ip as-path access-list 10 permit ^yy$ ip as-path access-list 10 deny .* Note: the characters “^” and “$” representing the beginning and the end of the expression respectively are optional and are implicitly defined if omitted. Step 2: Verify that the as-path access-list is referenced by the filter-list inbound for the appropriate BGP neighbors as shown in the example below: router bgp xx neighbor x.1.4.12 remote-as yy neighbor x.1.4.12 filter-list 10 in If the router is not configured to reject updates from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the router to reject updates from CE routers with an originating AS in the AS_PATH attribute that do not belong to that customer. Step 1: Configure the as-path ACL as shown in the example below: R1(config)#ip as-path access-list 10 permit ^yy$ R1(config)#ip as-path access-list 10 deny .* Step 2: Apply the as-path filter inbound as shown in the example below: R1(config)#router bgp xx R1(config-router)#neighbor x.1.4.12 filter-list 10 in
Review the router configuration to verify that the number of received prefixes from each eBGP neighbor is controlled. router bgp xx neighbor x.1.1.9 remote-as yy neighbor x.1.1.9 maximum-prefix nnnnnnn neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 maximum-prefix nnnnnnn If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.
Configure the router to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks as shown in the example below: R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 maximum-prefix nnnnnnn R1(config-router)#neighbor x.2.1.7 maximum-prefix nnnnnnn
This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is compliant with this requirement. Step 1: Verify that a route filter has been configured to reject prefixes longer than /24, or the least significant prefixes issued to the customers as shown in the example below: ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24 ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32 Step 2: Verify that prefix filtering has been applied to each eBGP peer as shown in the example: router bgp xx neighbor x.1.1.9 remote-as yy neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 prefix-list FILTER_PREFIX_LENGTH in If the router is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer. Step 1: Configure a prefix list to reject any prefix that is longer than /24. R1(config)#ip prefix-list FILTER_PREFIX_LENGTH permit 0.0.0.0/0 ge 8 le 24 R1(config)#ip prefix-list FILTER_PREFIX_LENGTH deny 0.0.0.0/0 le 32 Step 2: Apply the prefix list to all eBGP peers as shown in the example below. R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in R1(config-router)#neighbor x.2.1.7 prefix-list FILTER_PREFIX_LENGTH in
Step 1: Review the router configuration to verify that a loopback address has been configured. interface Loopback0 ip address 10.1.1.1 255.255.255.255 Step 2: Verify that the loopback interface is used as the source address for all iBGP sessions. router bgp xx no synchronization no bgp enforce-first-as bgp log-neighbor-changes redistribute static neighbor 10.1.1.1 remote-as xx neighbor 10.1.1.1 password xxxxxxxx neighbor 10.1.1.1 update-source Loopback0 If the router does not use its loopback address as the source address for all iBGP sessions, this is a finding.
Configure the router to use its loopback address as the source address for all iBGP peering. R1(config)#router bgp xx R1(config-router)#neighbor 10.1.1.1 update-source Loopback0
Review the router configuration to determine if it is compliant with this requirement. Verify that a loopback address has been configured as shown in the following example: interface Loopback0 ip address 10.1.1.1 255.255.255.255 By default, routers will use its loopback address for LDP peering. If an address has not be configured on the loopback interface, it will use its physical interface connecting to the LDP peer. If the router-id command is specified that overrides this default behavior, verify that it is a loopback interface as shown in the example below: mpls ldp router-id Loopback0 If the router is not configured to use its loopback address for LDP peering, this is a finding.
Configure the router to use their loopback address as the source address for LDP peering sessions. As noted in the check content, the default behavior is to use its loopback address. R4(config)#mpls ldp router-id lo0
Review the router OSPF or IS-IS configuration and verify that LDP will synchronize with the link-state routing protocol as shown in the example below: OSPF Example: router ospf 1 mpls ldp sync IS-IS Example: router isis mpls ldp sync net 49.0001.1234.1600.5531.00 If the router is not configured to synchronize IGP and LDP, this is a finding.
Configure the MPLS router to synchronize IGP and LDP, minimizing packet loss when an IGP adjacency is established prior to LDP peers completing label exchange. OSPF Example: R2(config)#router ospf 1 R2(config-router)#mpls ldp sync IS-IS Example: R5(config)#router isis R5(config-router)#mpls ldp sync
Review the router configuration to determine RSVP messages are rate limited. Step 1: Determine if MPLS TE is enabled globally and at least one interface as shown in the example below: mpls traffic-eng tunnels … … … interface GigabitEthernet0/2 ip address x.x.x.x 255.255.255.0 mpls traffic-eng tunnels mpls ip Step 2: If MPLS TE is enabled, verify that message pacing is enabled. ip rsvp signalling rate-limit period 30 burst 9 maxsize 2100 limit 50 Note: The command "ip rsvp msg-pacing" has been deprecated by the command "ip rsvp signalling rate-limit" If the router with RSVP-TE enabled does not rate limit RSVP messages based on the link speed and input queue size of adjacent core routers, this is a finding.
Configure the router to rate limit RSVP messages per interface as shown in the example. R2(config)#ip rsvp signalling rate-limit burst 9 maxsize 2100 period 30 limit 50
Review the router configuration to verify that TTL propagation is disabled as shown in the example below: no mpls ip propagate-ttl If the MPLS router is not configured to disable TTL propagation, this is a finding.
Configure the MPLS router to disable TTL propagation as shown in the example below: R5(config)#no mpls ip propagate-ttl
Step 1: Review the design plan for deploying MPLS/L3VPN. Step 2: Review all CE-facing interfaces and verify that the proper VRF is defined via the "ip vrf forwarding" command. In the example below, COI1 is bound to interface GigabitEthernet0/1, while COI2 is bound to GigabitEthernet0/2. interface GigabitEthernet0/1 description link to COI1 ip vrf forwarding COI1 ip address x.1.0.1 255.255.255.0 ! interface GigabitEthernet0/2 description link to COI2 ip vrf forwarding COI2 ip address x.2.0.2 255.255.255.0 If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.
Configure the PE router to have each VRF bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.
Review the design plan for MPLS/L3VPN to determine what RTs have been assigned for each VRF. Review the router configuration and verify that the correct RT is configured for each VRF. In the example below, route target 13:13 has been configured for customer 1. ip vrf CUST1 rd 13:13 route-target export 13:13 route-target import 13:13 If there are VRFs configured with the wrong RT, this is a finding.
Configure the router to have each VRF instance defined with the correct RT. R5(config)#ip vrf CUST1 R5(config-vrf)#route-target import 13:13 R5(config-vrf)#route-target export 13:13 R5(config-vrf)#end
Review the design plan for MPLS/L3VPN to determine what RD have been assigned for each VRF. Review the router configuration and verify that the correct RD is configured for each VRF. In the example below, route distinguisher 13:13 has been configured for customer 1. ip vrf CUST1 rd 13:13 Note: This requirement is only applicable for MPLS L3VPN implementations. If the wrong RD has been configured for any VRF, this is a finding.
Configure the correct RD for each VRF. R5(config)#ip vrf CUST1 R5(config-vrf)#rd 13:13 R5(config-vrf)#end
The Cisco router is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below. mpls ldp neighbor 10.1.1.2 password xxxxxxx mpls label protocol ldp If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.
The severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the example below. R5(config)#mpls ldp neighbor 10.1.1.2 password xxxxxxxx
Verify that the correct and unique VCID has been configured for the appropriate attachment circuit. In the example below, GigabitEthernet0/1 is the CE-facing interface that is configured for VPWS with the VCID of 55. interface GigabitEthernet0/1 xconnect x.2.2.12 55 encapsulation mpls If the correct VC ID has not been configured on both routers, this is a finding.
Assign globally unique VC IDs for each virtual circuit and configure the attachment circuits with the appropriate VC ID. R5(config)#int g0/1 R5(config-if)#xconnect x.2.2.12 55 encapsulation mpls
Review the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment. Review the PE router configuration to verify that customer attachment circuits are associated to the appropriate VFI. In the example below, the attached circuit at interface GigabitEthernet3 is associated to VPN ID 110. l2 vfi VPLS_A manual vpn id 110 bridge-domain 100 neighbor 10.3.3.3 encapsulation mpls neighbor 10.3.3.4 encapsulation mpls … … … interface GigabitEthernet3 no ip address service instance 10 ethernet encapsulation untagged bridge-domain 100 If the attachment circuits have not been bound to VFI configured with the assigned VPN ID for each VLAN, this is a finding.
Assign globally unique VPN IDs for each customer bridge domain using VPLS for carrier Ethernet services between multiple sites, and configure the attachment circuits to the appropriate VFI. R1(config)#l2 vfi VPLS_A manual R1(config-vfi)#vpn id 110 R1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls R1(config-vfi)#bridge-domain 100 R1(config-vfi)#exit R1(config-if)#service instance 10 ethernet R1(config-if-srv)#encapsulation untagged R1(config-if-srv)#bridge-domain 100 R1(config-if-srv)#end
Review the PE router configuration to verify that split horizon is enabled. By default, split horizon is enabled; hence, the attribute no-split-horizon should not be seen on the neighbor command as shown in the example below: l2 vfi VPLS_A manual vpn id 110 bridge-domain 100 neighbor 10.3.3.3 encapsulation mpls no-split-horizon If split horizon is not enabled, this is a finding. Note: This requirement is only applicable to a mesh VPLS topology. VPLS solves the loop problem by using a split-horizon rule which states that member PE routers of a VPLS must forward VPLS traffic only to the local attachment circuits when they receive the traffic from the other PE routers. In a ring VPLS, split horizon must be disabled so that a PE router can forward a packet received from one pseudowire to another pseudowire. To prevent the consequential loop, at least one span in the ring would not have a pseudowire for any given VPLS instance.
Enable split horizon on all PE routers deploying VPLS in a full-mesh configuration. R1(config)#l2 vfi VPLS_A manual R1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls
Review the router configuration to verify that storm control is enabled on CE-facing interfaces deploying VPLS as shown in the example below: interface GigabitEthernet3 no ip address service instance 10 ethernet encapsulation untagged bridge-domain 100 storm-control broadcast cir 12000000 ! ! If storm control is not enabled at a minimum for broadcast traffic, this is a finding.
Configure storm control for each CE-facing interface as shown in the example below: R1(config)#int g3 R1(config-if)#service instance 10 ethernet R1(config-if-srv)#storm-control broadcast cir 12000000 R1(config-if-srv)#end Note: The acceptable range is 10000000 -1000000000 for a gigabit ethernet interface, and 100000000-10000000000 for a ten gigabit interface. Storm control is not supported on most FastEthernet interfaces.
Review the router configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. The example below are the steps to verify that IGMP snooping is enabled for a VPLS bridge domain. Step 1: Verify that IGMP snooping is enabled globally. By default, IGMP snooping is enabled globally; hence, the following command should not be in the router configuration: no ip igmp snooping Step 2: If IGMP snooping is enabled globally, it will also be enabled by default for each VPLS bridge domain. Hence, the command no ip igmp snooping should not be configured for any VPLS bridge domain as shown in the example below: bridge-domain 100 no ip igmp snooping ! If the router is not configured to implement IGMP or MLD snooping for each VPLS bridge domain, this is a finding.
Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. R1(config)#bridge-domain 100 R1(config-bdomain)#ip igmp snooping R1(config-bdomain)#end
Review the PE router configuration to determine if a MAC address limit has been set for each VPLS bridge domain. bridge-domain 100 mac limit maximum addresses nnnnn If a limit has not been configured, this is a finding.
Configure a MAC address learning limit for each VPLS bridge domain. R1(config-bdomain)#mac limit maximum addresses nnnn
Step 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces. interface GigabitEthernet0/2 ip address x.1.12.2 255.255.255.252 ip access-group BLOCK_TO_CORE in Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space. ip access-list extended BLOCK_TO_CORE deny ip any 10.1.x.0 0.0.255.255 log-input permit ip any any ! If the PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding. Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent neighbors.
Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure. Step 1: Configure an ingress ACL to discard and log packets destined to the IP core address space. R2(config)#ip access-list extended BLOCK_TO_CORE R2(config-ext-nacl)#deny ip any 10.1.x.0 0.0.255.255 log-input R2(config-ext-nacl)#exit Step 2: Apply the ACL inbound to all external or CE-facing interfaces. R2(config)#int R4(config)#int g0/2 R2(config-if)#ip access-group BLOCK_TO_CORE in R2(config-if)#end
Review the router configuration to determine if uRPF loose mode is enabled on all CE-facing interfaces. interface GigabitEthernet0/2 ip address x.1.12.2 255.255.255.252 ip access-group BLOCK_TO_CORE in ip verify unicast source reachable-via any If uRPF loose mode is not enabled on all CE-facing interfaces, this is a finding.
Configure uRPF loose mode on all CE-facing interfaces as shown in the example below. R2(config)#int R4(config)#int g0/2 R2(config-if)#ip verify unicast source reachable-via any R2(config-if)#end
Review the router configuration and verify that a QoS policy has been configured to provide preferred treatment for mission-critical applications. Step 1: Verify that the class-maps are configured to match on DSCP values as shown in the configuration example below: class-map match-all C2_VOICE match ip dscp af47 class-map match-all VOICE match ip dscp ef class-map match-all VIDEO match ip dscp af41 class-map match-all CONTROL_PLANE match ip dscp cs6 class-map match-all PREFERRED_DATA match ip dscp af33 Step 2: Verify that the policy map reserves the bandwidth for each traffic type as shown in the following example: policy-map QOS_POLICY class C2_VOICE priority percent 10 class VOICE priority percent 15 class VIDEO bandwidth percent 25 class CONTROL_PLANE priority percent 10 class PREFERRED_DATA bandwidth percent 25 class class-default bandwidth percent 15 Step 3: Verify that an output service policy is bound to all interfaces as shown in the configuration example below: interface GigabitEthernet1/1 ip address 10.1.15.1 255.255.255.252 service-policy output QOS_POLICY ! interface GigabitEthernet1/2 ip address 10.1.15.4 255.255.255.252 service-policy output QOS_POLICY Note: Enclaves must mark or re-mark their traffic to be consistent with the DODIN backbone admission criteria to gain the appropriate level of service. A general DiffServ principle is to mark or trust traffic as close to the source as administratively and technically possible. However, certain traffic types might need to be re-marked before handoff to the DODIN backbone to gain admission to the correct class. If such re-marking is required, it is recommended that the re-marking be performed at the CE egress edge. If the router is not configured to enforce a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.
Configure to enforce a QoS policy to provide preferred treatment for mission-critical applications. Step 1: Configure class-maps to match on DSCP values as shown in the configuration example below: R5(config-cmap)#class-map match-all C2_VOICE R5(config-cmap)#match ip dscp 47 R5(config-cmap)#class-map match-all VOICE R5(config-cmap)#match ip dscp ef R5(config-cmap)#class-map match-all VIDEO R5(config-cmap)#match ip dscp af41 R5(config-cmap)#class-map match-all CONTROL_PLANE R5(config-cmap)#match ip dscp cs6 R5(config)#class-map match-all PREFERRED_DATA R5(config-cmap)#match ip dscp af33 R5(config-cmap)#exit Step 2: Configure a policy map to be applied to the core-layer-facing interface that reserves the bandwidth for each traffic type as shown in the example below: R5(config)#policy-map QOS_POLICY R5(config-pmap-c)#class C2_VOICE R5(config-pmap-c)#priority percent 10 R5(config-pmap-c)#class VOICE R5(config-pmap-c)#priority percent 15 R5(config-pmap-c)#class VIDEO R5(config-pmap-c)#bandwidth percent 25 R5(config-pmap)#class CONTROL_PLANE R5(config-pmap-c)#priority percent 10 R5(config-pmap-c)#class PREFERRED_DATA R5(config-pmap-c)#bandwidth percent 25 R5(config-pmap-c)#class class-default R5(config-pmap-c)#bandwidth percent 15 R5(config-pmap-c)#exit R5(config-pmap)#exit Step 3: Apply the output service policy to the core-layer-facing interface as shown in the configuration example below: R5(config)#int g1/1 R5(config-if)#service-policy output QOS_POLICY R5(config-if)#exit R5(config)#int g1/2 R5(config-if)#service-policy output QOS_POLICY R5(config-if)#end
Review the router configuration and verify that a QoS policy has been configured to provide preferred treatment for mission-critical applications. Step 1: Verify that the class-maps are configured to match on DSCP values as shown in the configuration example below: class-map match-all PREFERRED_DATA match ip dscp af33 class-map match-all CONTROL_PLANE match ip dscp cs6 class-map match-all VIDEO match ip dscp af41 class-map match-all VOICE match ip dscp ef class-map match-all C2_VOICE match ip dscp 47 Step 2: Verify that the policy map reserves the bandwidth for each traffic type as shown in the following example: policy-map QOS_POLICY class CONTROL_PLANE priority percent 10 class C2_VOICE priority percent 10 class VOICE priority percent 15 class VIDEO bandwidth percent 25 class PREFERRED_DATA bandwidth percent 25 class class-default bandwidth percent 15 Step 3: Verify that an output service policy is bound to all interfaces as shown in the configuration example below: interface GigabitEthernet1/1 ip address 10.1.15.5 255.255.255.252 service-policy output QOS_POLICY ! interface GigabitEthernet1/2 ip address 10.1.15.8 255.255.255.252 service-policy output QOS_POLICY If the router is not configured to implement a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.
Configure to enforce a QoS policy to provide preferred treatment for mission-critical applications. Step 1: Configure class-maps to match on DSCP values as shown in the configuration example below: R5(config)#class-map match-all PREFERRED_DATA R5(config-cmap)#match ip dscp af33 R5(config-cmap)#class-map match-all CONTROL_PLANE R5(config-cmap)#match ip dscp cs6 R5(config-cmap)#class-map match-all VIDEO R5(config-cmap)#match ip dscp af41 R5(config-cmap)#class-map match-all VOICE R5(config-cmap)#match ip dscp ef R5(config-cmap)#class-map match-all C2_VOICE R5(config-cmap)#match ip dscp 47 R5(config-cmap)#exit Step 2: Configure a policy map to be applied to the core-layer-facing interface that reserves the bandwidth for each traffic type as shown in the example below: R5(config)#policy-map QOS_POLICY R5(config-pmap)#class CONTROL_PLANE R5(config-pmap-c)#priority percent 10 R5(config-pmap-c)#class C2_VOICE R5(config-pmap-c)#priority percent 10 R5(config-pmap-c)#class VOICE R5(config-pmap-c)#priority percent 15 R5(config-pmap-c)#class VIDEO R5(config-pmap-c)#bandwidth percent 25 R5(config-pmap-c)#class PREFERRED_DATA R5(config-pmap-c)#bandwidth percent 25 R5(config-pmap-c)#class class-default R5(config-pmap-c)#bandwidth percent 15 R5(config-pmap-c)#exit R5(config-pmap)#exit Step 3: Apply the output service policy to all interfaces as shown in the configuration example below: R5(config)#int g1/1 R5(config-if)#service-policy output QOS_POLICY R5(config-if)#exit R5(config)#int g1/2 R5(config-if)#service-policy output QOS_POLICY R5(config-if)#end
Review the router configuration to determine if it is configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks. Step 1: Verify that a class map has been configured for the Scavenger class as shown in the example below. class-map match-all SCAVENGER match ip dscp cs1 Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below. policy-map QOS_POLICY class CONTROL_PLANE priority percent 10 class C2_VOICE priority percent 10 class VOICE priority percent 15 class VIDEO bandwidth percent 25 class PREFERRED_DATA bandwidth percent 25 class SCAVENGER bandwidth percent 5 class class-default bandwidth percent 10 Note: Traffic out of profile must be marked at the customer access layer or CE egress edge. If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.
Step 1: Configure a class map for the SCAVENGER class. R5(config)#class-map match-all SCAVENGER R5(config-cmap)#match ip dscp cs1 Step 2: Add the SCAVENGER class to the policy map as shown in the example below: R5(config)#policy-map QOS_POLICY R5(config-pmap-c)#no class class-default R5(config-pmap)#class SCAVENGER R5(config-pmap-c)#bandwidth percent 5 R5(config-pmap-c)#class class-default R5(config-pmap-c)#bandwidth percent 10 R5(config-pmap-c)#end
Step 1: Review the network's multicast topology diagram. Step 2: Review the router configuration to verify that only the PIM interfaces as shown in the multicast topology diagram are enabled for PIM as shown in the example below: interface GigabitEthernet1/1 ip address 10.1.3.3 255.255.255.0 ip pim sparse-mode If an interface is not required to support multicast routing and it is enabled, this is a finding.
Document all enabled interfaces for PIM in the network's multicast topology diagram. Disable support for PIM on interfaces that are not required to support it. R5(config)#int g1/1 R5(config-if)#no ip pim sparse-mode
This requirement is not applicable for the DODIN Backbone. Step 1: Verify all interfaces enabled for PIM have a neighbor ACL bound to the interface as shown in the example below: interface GigabitEthernet1/1 ip address 10.1.2.2 255.255.255.0 ip pim neighbor-filter PIM_NEIGHBORS ip pim sparse-mode Step 2: Review the configured ACL for filtering PIM neighbors as shown in the example below: ip access-list standard PIM_NEIGHBORS permit 10.1.2.6 If PIM neighbor ACLs are not bound to all interfaces that have PIM enabled, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure neighbor ACLs to only accept PIM control plane traffic from documented PIM neighbors. Bind neighbor ACLs to all PIM enabled interfaces. Step 1: Configure ACL for PIM neighbors. R2(config)#ip access-list standard PIM_NEIGHBORS R2(config-std-nacl)#permit 10.1.2.6 R2(config-std-nacl)#exit Step 2: Apply the ACL to all interfaces enabled for PIM. R2(config)#int g1/1 R2(config-if)#ip pim neighbor-filter PIM_NEIGHBORS
Review the router configuration and verify that admin-scope multicast traffic is blocked at the external edge as shown in the example below: interface GigabitEthernet1/2 ip address x.1.12.2 255.255.255.252 ip pim sparse-mode ip multicast boundary MULTICAST_SCOPE … … … ip access-list standard MULTICAST_SCOPE deny 239.0.0.0 0.255.255.255 permit any If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.
Step 1: Configure the ACL to deny packets with multicast administratively scoped destination addresses as shown in the example below: R2(config)#ip access-list standard MULTICAST_SCOPE R2(config-std-nacl)#deny 239.0.0.0 0.255.255.255 R2(config-std-nacl)#permit any R2(config-std-nacl)#exit Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below: R2(config)#int g1/2 R2(config-if)#ip multicast boundary MULTICAST_SCOPE R2(config-if)#end
The Cisco router does not have a mechanism to limit the multicast forwarding cache. However, the risk associated with this requirement can be fully mitigated by configuring the router to: 1. Filter PIM register messages. 2. Rate limiting the number of PIM register messages. 3. Accept MSDP packets only from known MSDP peers. Step 1: Verify that the RP router is configured to filter PIM register messages for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. ip pim rp-address 10.1.12.3 ip pim accept-register list PIM_REGISTER_FILTER … … … ip access-list extended PIM_REGISTER_FILTER deny ip any 239.5.0.0 0.0.255.255 permit ip host 10.1.2.6 any permit ip host 10.1.2.7 any deny ip any any Step 2: Verify that the router is configured to rate limiting the number of PIM register messages as shown in the example below. ip pim rp-address 10.2.2.2 ip pim register-rate-limit nn Step 3: Review the router configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers as shown in the example below. Step 3a: Verify that interfaces used for MSDP peering have an inbound ACL as shown in the example. interface GigabitEthernet1/1 ip address x.1.28.8 255.255.255.0 ip access-group EXTERNAL_ACL_INBOUND in ip pim sparse-mode Step 3b: Verify that the ACL restricts MSDP peering to only known sources. ip access-list extended EXTERNAL_ACL_INBOUND permit tcp any any established permit tcp host x.1.28.2 host x.1.28.8 eq 639 deny tcp any host x.1.28.8 eq 639 log permit tcp host x.1.28.2 host 10.1.28.8 eq bgp permit tcp host x.1.28.2 eq bgp host x.1.28.8 permit pim host x.1.28.2 pim host x.1.28.8 … … … deny ip any any log Note: MSDP connections is via TCP port 639 If the RP router is not configured to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers, this is a finding.
The risk associated with this requirement can be fully mitigated by configuring the router to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers. Step 1: Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. R2(config)#ip access-list extended PIM_REGISTER_FILTER R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255 R2(config-ext-nacl)#permit ip host 10.1.2.6 any R2(config-ext-nacl)#permit ip host 10.1.2.7 any R2(config-ext-nacl)#deny ip any any R2(config-ext-nacl)#exit R2(config)#ip pim accept-register list PIM_REGISTER_FILTER R2(config)#end Step 2: Configure the RP to rate limit the number of multicast register messages. R2(config)#ip pim register-rate-limit nn Step 3: Configure the receive path or interface ACLs to only accept MSDP packets from known MSDP peers. R8(config)#ip access-list extended EXTERNAL_ACL_INBOUND R8(config-ext-nacl)#permit tcp any any established R8(config-ext-nacl)#permit tcp host x.1.28.2 host x.1.28.8 eq 639 R8(config-ext-nacl)#deny tcp any host x.1.28.8 eq 639 R8(config-ext-nacl)#permit tcp host x.1.28.2 host x.1.28.8 eq bgp R8(config-ext-nacl)#permit tcp host x.1.28.2 eq bgp host x.1.28.8 R8(config-ext-nacl)#permit pim host x.1.28.2 host x.1.28.8 … … … R8(config-ext-nacl)#deny ip any any
Verify that the RP router is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. ip pim rp-address 10.1.12.3 ip pim accept-register list PIM_REGISTER_FILTER … … … ip access-list extended PIM_REGISTER_FILTER deny ip any 239.5.0.0 0.0.255.255 permit ip host 10.1.2.6 any permit ip host 10.1.2.7 any deny ip any any If the RP router peering with PIM-SM routers is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding.
Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. R2(config)#ip access-list extended PIM_REGISTER_FILTER R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255 R2(config-ext-nacl)#permit ip host 10.1.2.6 any R2(config-ext-nacl)#permit ip host 10.1.2.7 any R2(config-ext-nacl)#deny ip any any R2(config-ext-nacl)#exit R2(config)#ip pim accept-register list PIM_REGISTER_FILTER R2(config)#end
Verify that the RP router is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed. ip pim rp-address 10.2.2.2 ip pim accept-rp 10.2.2.2 FILTER_PIM_JOINS … … … ip access-list standard FILTER_PIM_JOINS deny 239.8.0.0 0.0.255.255 permit any ! If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.
Configure the RP to filter PIM join messages for any undesirable multicast groups as shown in the example below: R2(config)#ip access-list standard PIM_JOIN_FILTER R2(config-std-nacl)#deny 239.8.0.0 0.0.255.255 R2(config-std-nacl)#permit any R2(config-std-nacl)#exit R2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER R2(config)#end
Review the configuration of the RP to verify that it is rate limiting the number of PIM register messages. ip pim rp-address 10.2.2.2 ip pim register-rate-limit nn If the RP is not limiting PIM register messages, this is a finding.
Configure the RP to rate limit the number of multicast register messages. R2(config)#ip pim register-rate-limit nn
Review the configuration of the DR to verify that it is filtering IGMP or MLD Membership Report messages, allowing hosts to join only those groups that have been approved. Step 1: Verify that all host facing interfaces are configured to filter IGMP Membership Report messages (IGMP joins) as shown in the example below: interface GigabitEthernet0/0 ip address 10.3.3.3 255.255.255.0 ip pim sparse-mode ip igmp access-group IGMP_JOIN_FILTER ip igmp version 3 Step 2: Verify that the ACL denies unauthorized groups or permits only authorized groups. The example below denies all groups from 239.8.0.0/16 range. ip access-list standard IGMP_JOIN_FILTER deny 239.8.0.0 0.0.255.255 permit any Note: This requirement is only applicable to Source Specific Multicast (SSM) implementation. This requirement is not applicable to Any Source Multicast (ASM) since the filtering is being performed by the Rendezvous Point router. If the DR is not filtering IGMP or MLD Membership Report messages, this is a finding.
Configure the DR to filter the IGMP or MLD Membership Report messages to allow hosts to join only those multicast groups that have been approved. Step 1: Configure the ACL to filter IGMP Membership Report messages as shown in the example. R3(config)#ip access-list standard IGMP_JOIN_FILTER R3(config-std-nacl)#deny 239.8.0.0 0.0.255.255 R3(config-std-nacl)#permit any R3(config-std-nacl)#exit Step 2: Apply the filter to all host facing interfaces. R3(config)#int g0/0 R3(config-if)#ip igmp access-group IGMP_JOIN_FILTER
Review the configuration of the DR to verify that it is filtering IGMP or MLD report messages, allowing hosts to only join multicast groups from sources that have been approved. Step 1: Verify that all host-facing interfaces are configured to filter IGMP Membership Report messages (IGMP joins) as shown in the example below: interface GigabitEthernet0/0 ip address 10.3.3.3 255.255.255.0 ip pim sparse-mode ip igmp access-group IGMP_JOIN_FILTER ip igmp version 3 Step 2: Verify that the ACL denies unauthorized sources or allows only authorized sources. The example below denies all groups from 232.8.0.0/16 range and permits sources only from the x.0.0.0/8 network. ip access-list extended IGMP_JOIN_FILTER deny ip any 232.8.0.0 0.0.255.255 permit ip x.0.0.0 0.255.255.255 any deny ip any any Note: This requirement is only applicable to Source Specific Multicast (SSM) implementation. If the DR is not filtering IGMP or MLD report messages, this is a finding.
Configure the DR to filter the IGMP and MLD report messages to allow hosts to join only those multicast groups from sources that have been approved as shown in the example. R3(config)#ip access-list extended IGMP_JOIN_FILTER R3(config-ext-nacl)#deny ip any 232.8.0.0 0.0.255.255 R3(config-ext-nacl)#permit ip x.0.0.0 0.255.255.255 any R3(config-ext-nacl)#deny ip any any R3(config-ext-nacl)#exit Step 2: Apply the filter to all host facing interfaces. R3(config)#int g0/0 R3(config-if)#ip igmp access-group IGMP_JOIN_FILTER
Review the DR configuration to verify that it is limiting the number of mroute states via IGMP or MLD. Verify IGMP limits have been configured globally or on each host-facing interface via the ip igmp limit command as shown in the example. interface GigabitEthernet0/0 ip address 10.3.3.3 255.255.255.0 … … … ip igmp limit nn If the DR is not limiting multicast join requests via IGMP or MLD on a global or interfaces basis, this is a finding.
Configure the DR on a global or interface basis to limit the number of mroute states resulting from IGMP or MLD membership reports. R3(config)#int g0/0 R3(config-if)#ip igmp limit 2
Review the DR configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over). ip pim rp-address 10.2.2.2 ip pim spt-threshold infinity If the DR is not configured to increase the SPT threshold or set to infinity to minimalize (S, G) state, this is a finding.
Configure the DR to increase the SPT threshold or set it to infinity to minimalize (S, G) state within the multicast topology where ASM is deployed. R3(config)#ip pim spt-threshold infinity
Review the router configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers. Step 1: Verify that interfaces used for MSDP peering have an inbound ACL as shown in the example. interface GigabitEthernet1/1 ip address x.1.28.8 255.255.255.0 ip access-group EXTERNAL_ACL_INBOUND in ip pim sparse-mode Step 2: Verify that the ACL restricts MSDP peering to only known sources. ip access-list extended EXTERNAL_ACL_INBOUND permit tcp any any established permit tcp host x.1.28.2 host x.1.28.8 eq 639 deny tcp any host x.1.28.8 eq 639 log permit tcp host x.1.28.2 host 10.1.28.8 eq bgp permit tcp host x.1.28.2 eq bgp host x.1.28.8 permit pim host x.1.28.2 pim host x.1.28.8 … … … deny ip any any log Note: MSDP connections is via TCP port 639. If the router is not configured to only accept MSDP packets from known MSDP peers, this is a finding.
Configure the receive path or interface ACLs to only accept MSDP packets from known MSDP peers. R8(config)#ip access-list extended EXTERNAL_ACL_INBOUND R8(config-ext-nacl)#permit tcp any any established R8(config-ext-nacl)#permit tcp host x.1.28.2 host x.1.28.8 eq 639 R8(config-ext-nacl)#deny tcp any host x1.28.8 eq 639 R8(config-ext-nacl)#permit tcp host x.1.28.2 host x.1.28.8 eq bgp R8(config-ext-nacl)#permit tcp host x.1.28.2 eq bgp host x.1.28.8 R8(config-ext-nacl)#permit pim host x.1.28.2 host x.1.28.8 … … … R8(config-ext-nacl)#deny ip any any
Review the router configuration to determine if received MSDP packets are authenticated. ip msdp peer x.1.28.8 remote-as 8 ip msdp password peer x.1.28.8 xxxxxxxxxxxx If the router does not require MSDP authentication, this is a finding.
Configure the router to authenticate MSDP messages as shown in the following example: R2(config)#ip msdp password peer x.1.28.8 xxxxxxxxxxxx
Review the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses. Step 1: Verify that an inbound source-active filter is bound to each MSDP peer. ip msdp peer x.1.28.2 remote-as 2 ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTER Step 2: Review the access lists referenced by the source-active filter to verify that undesirable multicast groups, auto-RP, single source multicast (SSM) groups, and advertisements from undesirable sources are blocked. ip access-list extended INBOUND_MSDP_SA_FILTER deny ip any host 224.0.1.3 deny ip any host 224.0.1.24 deny ip any host 224.0.1.22 deny ip any host 224.0.1.2 deny ip any host 224.0.1.35 deny ip any host 224.0.1.60 deny ip any host 224.0.1.39 deny ip any host 224.0.1.40 deny ip any 232.0.0.0 0.255.255.255 deny ip any 239.0.0.0 0.255.255.255 deny ip 10.0.0.0 0.255.255.255 any deny ip 127.0.0.0 0.255.255.255 any deny ip 172.16.0.0 0.15.255.255 any deny ip 192.168.0.0 0.0.255.255 any permit ip any any If the router is not configured with an import policy to filter undesirable SA multicast advertisements, this is a finding.
Configure the MSDP router to filter received source-active multicast advertisements for any undesirable multicast groups and sources as shown in the example below: R8(config)#ip access-list extended INBOUND_MSDP_SA_FILTER R8(config-ext-nacl)#deny ip any host 224.0.1.3 ! Rwhod R8(config-ext-nacl)#deny ip any host 224.0.1.24 ! Microsoft-ds R8(config-ext-nacl)#deny ip any host 224.0.1.22 ! SVRLOC R8(config-ext-nacl)#deny ip any host 224.0.1.2 ! SGI-Dogfight R8(config-ext-nacl)#deny ip any host 224.0.1.35 ! SVRLOC-DA R8(config-ext-nacl)#deny ip any host 224.0.1.60 ! hp-device-disc R8(config-ext-nacl)#deny ip any host 224.0.1.39 ! Auto-RP R8(config-ext-nacl)#deny ip any host 224.0.1.40 ! Auto-RP R8(config-ext-nacl)#deny ip any 232.0.0.0 0.255.255.255 ! SSM range R8(config-ext-nacl)#deny ip any 239.0.0.0 0.255.255.255 ! Admin scoped range R8(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any ! RFC 1918 address range R8(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 any ! RFC 1918 address range R8(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any ! RFC 1918 address range R8(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any ! RFC 1918 address range R8(config-ext-nacl)#permit ip any any R8(config-ext-nacl)#exit R8(config)#ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTER
Review the router configuration to determine if there is export policy to block local source-active multicast advertisements. Step 1: Verify that an outbound source-active filter is bound to each MSDP peer as shown in the example below: ip msdp peer 10.1.28.8 remote-as 8 ip msdp sa-filter out 10.1.28.8 list OUTBOUND_MSDP_SA_FILTER Step 2: Review the access lists referenced by the source-active filters and verify that MSDP source-active messages being sent to MSDP peers do not leak advertisements that are local. ip access-list extended OUTBOUND_MSDP_SA_FILTER deny ip 10.0.0.0 0.255.255.255 any permit ip any any If the router is not configured with an export policy to filter local source-active multicast advertisements, this is a finding.
Configure the router with an export policy avoid global visibility of local multicast (S, G) states. The example below will prevent exporting multicast active sources belonging to the private network. R8(config)#ip access-list extended OUTBOUND_MSDP_SA_FILTER R8(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any R8(config-ext-nacl)#permit ip any any R8(config-ext-nacl)#exit R8(config)#ip msdp sa-filter in x.1.28.2 list OUTBOUND_MSDP_SA_FILTER
Review the router configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis. ip msdp peer x.1.28.2 remote-as nn ip msdp sa-filter in 10.1.28.2 list MSDP_SA_FILTER ip msdp sa-limit X.1.28.2 nnn If the router is not configured to limit the source-active messages it accepts, this is a finding.
Configure the router to limit the amount of source-active messages it accepts from each peer. R8(config)#ip msdp sa-limit x.1.28.2 nnn
Verify that the loopback interface is used as the source address for all MSDP packets generated by the router. ip msdp peer x.44.2.34 connect-source Loopback12 remote-as nn If the router does not use its loopback address as the source address when originating MSDP traffic, this is a finding.
Configure the router to use its loopback address is used as the source address when sending MSDP packets. R2(config)#ip msdp peer x.44.2.34 connect-source lo12 remote-as nn
This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify uRPF or an egress ACL has been configured on all internal interfaces to restrict the router from accepting outbound IP packets that contain an illegitimate address in the source address field. uRPF example: interface GigabitEthernet0/1 description downstream link to LAN ip address 10.1.25.5 255.255.255.0 ip verify unicast source reachable-via rx Egress ACL example: interface GigabitEthernet0/1 description downstream link to LAN ip address 10.1.25.5 255.255.255.0 ip access-group EGRESS_FILTER in … … … ip access-list extended EGRESS_FILTER permit udp 10.1.15.0 0.0.0.255 any eq domain permit tcp 10.1.15.0 0.0.0.255 any eq ftp permit tcp 10.1.15.0 0.0.0.255 any eq ftp-data permit tcp 10.1.15.0 0.0.0.255 any eq www permit icmp 10.1.15.0 0.0.0.255 any permit icmp 10.1.15.0 0.0.0.255 any echo deny ip any any If uRPF or an egress ACL to restrict the router from accepting outbound IP packets that contain an illegitimate address in the source address field has not been configured on all internal interfaces in an enclave, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the router to ensure that an egress ACL or uRPF is configured on internal interfaces to restrict the router from accepting any outbound IP packet that contains an illegitimate address in the source field. The example below enables uRPF. R5(config)#int g0/1 R5(config-if)#ip verify unicast source reachable-via rx
This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it will block all packets with IP options. ip access-list extended EXTERNAL_ACL permit tcp any any established deny ip any any option any-options permit … … … … deny ip any any log-input If the router is not configured to drop all packets with IP options, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure the router to drop all packets with IP options. R1(config)#ip access-list extended EXTERNAL_ACL R1(config-ext-nacl)#15 deny ip any any option any-options
Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below: router bgp xx no synchronization bgp log-neighbor-changes neighbor x.1.1.9 remote-as yy neighbor x.1.1.9 password xxxxxxxx neighbor x.1.1.9 ttl-security hops 1 neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 password xxxxxxxx neighbor x.2.1.7 ttl-security hops 1 If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.
Configure TTL security on all external BGP neighbors as shown in the example below: R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 ttl-security hops 1 R1(config-router)#neighbor x.2.1.7 ttl-security hops 1
This check is Not Applicable for JRSS internal EBGP use. Review the BGP configuration to determine if it is peering with multiple autonomous systems. Interview the ISSM and router administrator to determine if unique keys are being used. router bgp xx no synchronization bgp log-neighbor-changes neighbor x.1.1.9 remote-as yy neighbor x.1.1.9 password yyyyyyyy neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 password zzzzzzzzz If unique keys are not being used, this is a finding.
Configure the router to use unique keys for each AS that it peers with as shown in the example below: R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 password yyyyyyyy R1(config-router)#neighbor x.2.1.7 password zzzzzzzzz
Review the router configuration to determine if it will ignore or drop all packets with IP options as shown in the examples below: ip options drop or ip options ignore If the router is not configured to drop or block all packets with IP options, this is a finding.
Configure the router to ignore or drop all packets with IP options as shown in the examples below: R4(config)#ip options ignore or R4(config)#ip options drop
Review the router to verify that CEF is enabled. IPv4 Example: ip cef IPv6 Example: ipv6 cef If CEF is not enabled, this is a finding.
Enable CEF IPv4 Example: ip cef IPv6 Example: ipv6 cef
Review the router configuration to determine if the hop limit has been configured for Router Advertisement messages as shown in the example. ipv6 hop-limit 128 If it has been configured and has not been set to at least 32, it is a finding.
Configure the router to advertise a hop limit of at least 32 in Router Advertisement messages. R1(config)#ipv6 hop-limit 128
Review the router configuration to ensure FEC0::/10 IPv6 addresses are not defined. If IPv6 Site Local Unicast addresses are defined, this is a finding.
Configure the router using only authorized IPv6 addresses.
This requirement is not applicable for the DoDIN Backbone. Review the router configuration to verify that Router Advertisements are suppressed on all external IPv6-enabled interfaces as shown in the example below. interface gigabitethernet1/0 ipv6 address 2001::1:0:22/64 ipv6 nd ra suppress If the router is not configured to suppress Router Advertisements on all external IPv6-enabled interfaces, this is a finding.
Configure the router to suppress Router Advertisements on all external IPv6-enabled interfaces as shown in the example below. R1(config)#int g1/0 R1(config-if)#ipv6 nd ra suppress R1(config-if)#end
This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is configured to drop IPv6 undetermined transport packets. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. interface gigabitethernet1/0 ipv6 address 2001::1:0:22/64 ipv6 traffic-filter FILTER_IPV6 in Step 2: Verify that the ACL drops undetermined transport packets as shown in the example below. ipv6 access-list FILTER_IPV6 deny ipv6 any any log undetermined-transport permit ipv6 … … … … deny ipv6 any any log If the router is not configured to drop IPv6 undetermined transport packets, this is a finding.
Configure the router to drop IPv6 undetermined transport packets as shown in the example below. R1(config)#ipv6 access-list FILTER_IPV6 R1(config-ipv6-acl)#deny ipv6 any any undetermined-transport log R1(config-ipv6-acl)#permit ipv6 … … … … R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 in
This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is configured to drop IPv6 packets containing a Routing Header of type 0, 1, or 3-255. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. interface gigabitethernet1/0 ipv6 address 2001::1:0:22/64 ipv6 traffic-filter FILTER_IPV6 in Step 2: Verify that the ACL drops IPv6 packets with a Routing Header type 0, 1, or 3-255 as shown in the example below. ipv6 access-list FILTER_IPV6 permit ipv6 any host 2001:DB8::1:1:1234 routing-type 2 deny ipv6 any any log routing permit ipv6 … … … … deny ipv6 any any log Note: The example above allows routing-type 2 in the event Mobility IPv6 is deployed. If the router is not configured to drop IPv6 packets containing a Routing Header of type 0, 1, or 3-255, this is a finding.
Configure the router to drop IPv6 packets with Routing Header of type 0, 1, or 3-255 as shown in the example below. R1(config)#ipv6 access-list FILTER_IPV6 R1(config-ipv6-acl)#permit ipv6 any host 2001:DB8::0:1:1:1234 routing-type 2 R1(config-ipv6-acl)#deny ipv6 any any routing log R1(config-ipv6-acl)#permit … … … … R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6
This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is compliant with this requirement. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. interface gigabitethernet1/0 ipv6 address 2001::1:0:22/64 ipv6 traffic-filter FILTER_IPV6 in Step 2: Verify that the ACL drops IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address) as shown in the example below. ipv6 access-list FILTER_IPV6 deny hbh any any dest-option-type 4 log deny hbh any any dest-option-type 195 log deny hbh any any dest-option-type home-address log permit ipv6 … … … … deny ipv6 any any log If the router is not configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values, this is a finding.
Drop IPv6 packets containing a Hop-by-Hop header as shown in the example below. R1(config)#ipv6 access-list FILTER_IPV6 R1(config-ipv6-acl)#deny hbh any any dest-option-type 4 log R1(config-ipv6-acl)#deny hbh any any dest-option-type 195 log R1(config-ipv6-acl)#deny hbh any any dest-option-type home-address log R1(config-ipv6-acl)# permit ipv6 … … … … R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end
This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is compliant with this requirement. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. interface gigabitethernet1/0 ipv6 address 2001::1:0:22/64 ipv6 traffic-filter FILTER_IPV6 in Step 2: Verify that the ACL drops IPv6 packets containing a Destination Option header with option type values of 0x05 (Router Alert) or 0xC2 (Jumbo Payload) as shown in the example below. ipv6 access-list FILTER_IPV6 deny 60 any any dest-option-type 5 log deny 60 any any dest-option-type 194 log permit ipv6 … … … … deny ipv6 any any log If the router is not configured to drop IPv6 packets containing a Destination Option header with option type values of 0x05 (Router Alert) or 0xC2 (Jumbo Payload), this is a finding.
Configure the router to drop IPv6 packets containing a Destination Option header with option type values of 0x05 (Router Alert) or 0xC2 (Jumbo Payload) as shown in the example below. R1(config)#ipv6 access-list FILTER_IPV6 R1(config-ipv6-acl)#deny 60 any any dest-option-type 5 log R1(config-ipv6-acl)#deny 60 any any dest-option-type 194 log R1(config-ipv6-acl)#permit … … … … R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end
This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is compliant with this requirement. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. interface gigabitethernet1/0 ipv6 address 2001::1:0:22/64 ipv6 traffic-filter FILTER_IPV6 in Step 2: Verify that the ACL drops IPv6 packets containing an extension header with the Endpoint Identification option as shown in the example below. ipv6 access-list FILTER_IPV6 deny any any dest-option-type 138 log permit ipv6 … … … … deny ipv6 any any log If the router is not configured to drop IPv6 packets containing an extension header with the Endpoint Identification option, this is a finding.
Configure the router to drop IPv6 packets containing an option type values of 0x8A (Endpoint Identification) regardless of whether it appears in a Hop-by-Hop or Destination Option header as shown in the example below. R1(config)#ipv6 access-list FILTER_IPV6 R1(config-ipv6-acl)#deny any any dest-option-type 138 log R1(config-ipv6-acl)#permit ipv6 … … … … R1(config-ipv6-acl)# deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end
This requirement is not applicable for the DODIN Backbone. Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address). Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. interface gigabitethernet1/0 ipv6 address 2001::1:0:22/64 ipv6 traffic-filter FILTER_IPV6 in Step 2: Verify that the ACL drops IPv6 packets containing the NSAP address option within Destination Option header as shown in the example below. ipv6 access-list FILTER_IPV6 deny 60 any any dest-option-type 195 log permit ipv6 … … … … deny ipv6 any any log If the router is not configured to drop IPv6 packets containing the NSAP address option within Destination Option header, this is a finding.
Configure the router to to drop IPv6 packets containing the NSAP address option within Destination Option header as shown in the example below. R1(config)#ipv6 access-list FILTER_IPV6 R1(config-ipv6-acl)#deny 60 any any dest-option-type 195 log R1(config-ipv6-acl)#permit … … … … R1(config-ipv6-acl)# deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end
This requirement is not applicable for the DODIN Backbone. Review the router configuration and determine if filters are bound to the applicable interfaces to drop all inbound IPv6 packets containing an undefined option type value regardless of whether they appear in a Hop-by-Hop or Destination Option header. Undefined values are 0x02, 0x03, 0x06, 0x9 – 0xE, 0x10 – 0x22, 0x24, 0x25, 0x27 – 0x2F, and 0x31 – 0xFF. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. interface gigabitethernet1/0 ipv6 address 2001::1:0:22/64 ipv6 traffic-filter FILTER_IPV6 in Step 2: Verify that the ACL drops IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type as shown in the example below. ipv6 access-list FILTER_IPV6 deny any any dest-option-type 2 deny any any dest-option-type 3 deny any any dest-option-type 6 deny any any dest-option-type 9 deny any any dest-option-type 10 deny any any dest-option-type 11 deny any any dest-option-type 12 deny any any dest-option-type 13 deny any any dest-option-type 14 deny any any dest-option-type 16 … deny any any dest-option-type 34 deny any any dest-option-type 36 deny any any dest-option-type 37 deny any any dest-option-type 39 … deny any any dest-option-type 47 deny any any dest-option-type 49 … deny any any dest-option-type 255 permit … … … … deny ipv6 any any log Note: Because hop-by-hop and destination options have the same exact header format, they can be combined under the dest-option-type keyword. Since Hop-by-Hop and Destination Option headers have non-overlapping types, you can use dest-option-type to match either. If the router is not configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type, this is a finding.
Configure the router to drop all inbound IPv6 packets containing an undefined option type value regardless of whether they appear in a Hop-by-Hop or Destination Option header as shown in the example below. R1(config)#ipv6 access-list FILTER_IPV6 R1(config-ipv6-acl)#deny any any dest-option-type 2 R1(config-ipv6-acl)#deny any any dest-option-type 3 R1(config-ipv6-acl)#deny any any dest-option-type 6 R1(config-ipv6-acl)#deny any any dest-option-type 9 R1(config-ipv6-acl)#deny any any dest-option-type 10 R1(config-ipv6-acl)#deny any any dest-option-type 11 R1(config-ipv6-acl)#deny any any dest-option-type 12 R1(config-ipv6-acl)#deny any any dest-option-type 13 R1(config-ipv6-acl)#deny any any dest-option-type 14 R1(config-ipv6-acl)#deny any any dest-option-type 16 … R1(config-ipv6-acl)#deny any any dest-option-type 34 R1(config-ipv6-acl)#deny any any dest-option-type 36 R1(config-ipv6-acl)#deny any any dest-option-type 37 R1(config-ipv6-acl)#deny any any dest-option-type 39 … R1(config-ipv6-acl)#deny any any dest-option-type 47 R1(config-ipv6-acl)#deny any any dest-option-type 49 … R1(config-ipv6-acl)#deny any any dest-option-type 255 R1(config-ipv6-acl)#permit … … … … R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6