This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that access control lists (ACLs) are configured to allow or deny traffic for specific source and destination addresses as well as ports and protocols. These filters should be applied inbound or outbound on the appropriate external and internal interfaces.

Review the ACL configuration with the "show ip access-lists in" and "show ip access-lists out" commands.

OS10# show ip access-lists in
Ingress IP access-list FILTER_EXTERNAL_INGRESS
 Active on interfaces :
  ethernet1/1/4
 seq 10 deny ip 10.0.0.0/8 any log
 seq 20 deny tcp any any eq 23
 seq 30 permit ip any any

If the router is not configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.
This requirement is not applicable for the DODIN Backbone.

Configure ACLs to allow or deny traffic for specific source and destination addresses as well as ports and protocols.

Step 1: Configure a named ACL with the appropriate filter rules.

OS10(config)# ip access-list FILTER_EXTERNAL_INGRESS
OS10(config-ipv4-acl)# deny ip 10.0.0.0/8 any log
OS10(config-ipv4-acl)# deny tcp any any eq 23
OS10(config-ipv4-acl)# permit ip any any
OS10(config-ipv4-acl)# exit

Step 2: Apply the ACL on the appropriate external and internal interfaces.

OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# ip access-group FILTER_EXTERNAL_INGRESS in
Review the router configuration to verify it will reject routes of any Bogon prefixes. The prefix filter must be referenced inbound on the appropriate BGP neighbor statements.

Step 1: Verify a prefix list has been configured containing the current Bogon prefixes as shown in the example below.

ip prefix-list BOGON_PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 15 deny 100.64.0.0/10 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 20 deny 127.0.0.0/8 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 25 deny 169.254.0.0/16 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 30 deny 172.16.0.0/12 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 35 deny 192.0.2.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 40 deny 192.88.99.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 45 deny 192.168.0.0/16 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 50 deny 198.18.0.0/15 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 55 deny 198.51.100.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 60 deny 203.0.113.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 65 deny 224.0.0.0/4 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 70 deny 240.0.0.0/4 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8

Step 2: Verify the route map applied to the external neighbors references the configured Bogon prefix list shown above.

!
route-map PREFIX_FILTER_MAP permit 10
 match ip address prefix-list BOGON_PREFIX_FILTER
!
router bgp 10
 !
 template ebgp
  !
  address-family ipv4 unicast
   route-map PREFIX_FILTER_MAP in
 !
 neighbor 123.1.1.10
  !
  address-family ipv4 unicast
   route-map PREFIX_FILTER_MAP in

If the router is not configured to reject inbound route advertisements for any Bogon prefixes, this is a finding.
Ensure all eBGP routers are configured to reject inbound route advertisements for any Bogon prefixes.

Step 1: Configure a prefix list containing the current Bogon prefixes.

OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 10 deny 10.0.0.0/8 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 15 deny 100.64.0.0/10 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 20 deny 127.0.0.0/8 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 25 deny 169.254.0.0/16 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 30 deny 172.16.0.0/12 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 35 deny 192.0.2.0/24 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 40 deny 192.88.99.0/24 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 45 deny 192.168.0.0/16 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 50 deny 198.18.0.0/15 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 55 deny 198.51.100.0/24 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 60 deny 203.0.113.0/24 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 65 deny 224.0.0.0/4 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 70 deny 240.0.0.0/4 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8

Step 2: Configure the route map referencing the configured Bogon prefix list.

OS10(config)# route-map PREFIX_FILTER_MAP 10
OS10(config-route-map)# match ip address prefix-list BOGON_PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map inbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 123.1.1.10
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map PREFIX_FILTER_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# template ebgp
OS10(config-router-template)# address-family ipv4 unicast
OS10(config-router-bgp-template-af)# route-map PREFIX_FILTER_MAP in
OS10(config-router-bgp-template-af)# exit
OS10(config-router-template)# exit
OS10(config-router-bgp-10)# exit
Review the router configuration to verify that it will reject routes belonging to the local AS. The prefix filter must be referenced inbound on the appropriate BGP neighbor statements.

Step 1: Verify a prefix list has been configured containing the local AS prefixes.

ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32
...
...
ip prefix-list PREFIX_FILTER seq 73 deny 20.10.10.0/24 le 32
ip prefix-list PREFIX_FILTER seq 74 deny 40.10.10.0/24 le 32
ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8

Step 2: Verify the route map applied to the external neighbors references the configured prefix list shown above.

!
route-map PREFIX_FILTER_MAP permit 10
 match ip address prefix-list PREFIX_FILTER
!
router bgp 10
 !
 template ebgp
  !
  address-family ipv4 unicast
   route-map PREFIX_FILTER_MAP in
 !
 neighbor 123.1.1.10
  !
  address-family ipv4 unicast
   route-map PREFIX_FILTER_MAP in

If the router is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.
Ensure all eBGP routers are configured to reject inbound route advertisements for any prefixes belonging to the local AS.

Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system.

OS10(config)# ip prefix-list PREFIX_FILTER seq 73 deny 20.10.10.0/24 le 32
OS10(config)# ip prefix-list PREFIX_FILTER seq 74 deny 40.10.10.0/24 le 32

Step 2: Configure the route map referencing the configured prefix list.

OS10(config)# route-map PREFIX_FILTER_MAP 10
OS10(config-route-map)# match ip address prefix-list PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map inbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 123.1.1.10
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map PREFIX_FILTER_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# template ebgp
OS10(config-router-template)# address-family ipv4 unicast
OS10(config-router-bgp-template-af)# route-map PREFIX_FILTER_MAP in
OS10(config-router-bgp-template-af)# exit
OS10(config-router-template)# exit
OS10(config-router-bgp-10)# exit
Review the router configuration to verify that there are filters defined to only accept routes for prefixes that belong to specific customers. The prefix filter must be referenced inbound on the appropriate BGP neighbor statement.

Step 1: Verify prefix lists have been configured for each customer containing prefixes that belong to that customer.

OS10# show running-configuration prefix-list
!
...
ip prefix-list PREFIX_FILTER_CUST1 seq 5 permit 50.10.10.0/24 le 32
ip prefix-list PREFIX_FILTER_CUST1 seq 10 deny 0.0.0.0/0 ge 8
ip prefix-list PREFIX_FILTER_CUST2 seq 5 permit 60.10.10.0/24 le 32
ip prefix-list PREFIX_FILTER_CUST2 seq 10 deny 0.0.0.0/0 ge 8
...

Step 2: Verify the route maps applied to the external neighbors reference the configured prefix lists shown above.

OS10# show running-configuration route-map
!
route-map PREFIX_FILTER_CUST1_MAP permit 50
 match ip address prefix-list PREFIX_FILTER_CUST1
!
route-map PREFIX_FILTER_CUST2_MAP permit 60
 match ip address prefix-list PREFIX_FILTER_CUST2
!

Step 3: Verify each external neighbor references the appropriate route map shown above.

!
router bgp 10
 !
 neighbor 50.1.1.1
  !
  address-family ipv4 unicast
   route-map PREFIX_FILTER_CUST1_MAP in
 neighbor 60.1.1.1
  !
  address-family ipv4 unicast
   route-map PREFIX_FILTER_CUST2_MAP in

If the router is not configured to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer, this is a finding.
Configure all eBGP routers to reject inbound route advertisements from a CE router for prefixes that are not allocated to that customer.

Step 1: Configure a prefix list for each customer containing prefixes belonging to each.

OS10(config)# ip prefix-list PREFIX_FILTER_CUST1 seq 5 permit 50.10.10.0/24 le 32
OS10(config)# ip prefix-list PREFIX_FILTER_CUST1 seq 10 deny 0.0.0.0/0 ge 8
OS10(config)# ip prefix-list PREFIX_FILTER_CUST2 seq 5 permit 60.10.10.0/24 le 32
OS10(config)# ip prefix-list PREFIX_FILTER_CUST2 seq 10 deny 0.0.0.0/0 ge 8

Step 2: Configure the route maps referencing the configured prefix lists.

OS10(config)# route-map PREFIX_FILTER_CUST1_MAP 50
OS10(config-route-map)# match ip address prefix-list PREFIX_FILTER_CUST1
OS10(config-route-map)# exit
OS10(config)# route-map PREFIX_FILTER_CUST2_MAP 50
OS10(config-route-map)# match ip address prefix-list PREFIX_FILTER_CUST2
OS10(config-route-map)# exit

Step 3: Apply the route-map inbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 50.1.1.1
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map PREFIX_FILTER_CUST1_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# neighbor 60.1.1.1
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map PREFIX_FILTER_CUST2_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# exit
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that there is a filter defined to only advertise routes for prefixes that belong to any customers or the local AS. The prefix filter must be referenced outbound on the appropriate BGP neighbor statements.

Step 1: Verify a prefix list has been configured containing the prefixes that belong to the customers and the local AS.

OS10# show running-configuration prefix-list
!
...
ip prefix-list PREFIX_FILTER_A seq 5 permit 50.10.10.0/24 le 32
ip prefix-list PREFIX_FILTER_A seq 10 permit 60.10.10.0/24 le 32
ip prefix-list PREFIX_FILTER_A seq 15 deny 0.0.0.0/0 ge 8
...

Step 2: Verify the route map applied to the external neighbors references the configured prefix list shown above.

OS10# show running-configuration route-map
!
route-map PREFIX_FILTER_A_MAP permit 50
 match ip address prefix-list PREFIX_FILTER_A

Step 3: Verify each external neighbor references the route map shown above in the outbound direction.

!
router bgp 10
 !
 neighbor 50.1.1.1
  !
  address-family ipv4 unicast
   route-map PREFIX_FILTER_A_MAP out

If the router is not configured to reject outbound route advertisements for prefixes that do not belong to any customers or the local AS, this is a finding.
Configure all eBGP routers to filter outbound route advertisements for prefixes that are not allocated to or belong to any customer or the local AS.

Step 1: Configure a prefix list containing the prefixes belonging to each customer and the local AS.

OS10(config)# ip prefix-list PREFIX_FILTER_A seq 5 permit 50.10.10.0/24 le 32
OS10(config)# ip prefix-list PREFIX_FILTER_A seq 10 permit 60.10.10.0/24 le 32
OS10(config)# ip prefix-list PREFIX_FILTER_A seq 15 deny 0.0.0.0/0 ge 8

Step 2: Configure the route map referencing the configured prefix list.

OS10(config)# route-map PREFIX_FILTER_A_MAP 50
OS10(config-route-map)# match ip address prefix-list PREFIX_FILTER_A
OS10(config-route-map)# exit

Step 3: Apply the route-map outbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 50.1.1.1
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map PREFIX_FILTER_A_MAP out
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# exit
By default, the Dell OS10 Router rejects route advertisements from BGP peers that do not list their AS number as the first AS in the AS_PATH attribute. Verify that this behavior has not been disabled by reviewing the BGP running-configuration:

OS10# show running-configuration bgp
!
router bgp 100
 no enforce-first-as
 …
!

Verify that "no enforce-first-as" has not been configured for BGP. If "no enforce-first-as" has been configured, this is a finding.
Configure the BGP router to reject route advertisements from BGP peers that do not list their AS number as the first AS in the AS_PATH attribute.

OS10# configure terminal
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# enforce-first-as
OS10(config-router-bgp-100)# end
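As an added example (not part of the STIG and not a Dell OS10 tool), the following Python audits a saved OS10 running-configuration offline for the eBGP ingress checks above: every Bogon range is denied by BOGON_PREFIX_FILTER under first-match semantics (so a misplaced catch-all permit is caught too), every neighbor and template under router bgp carries route-map PREFIX_FILTER_MAP in, and "no enforce-first-as" is absent. The sample configuration and all function names are constructed for illustration.

```python
"""Audit a Dell OS10 running-config for the eBGP ingress checks above.
Added example with a constructed config; function names are ours, not OS10 commands.
Prefix-list lookup uses first-match semantics with an implicit deny at the end."""
import re
from ipaddress import ip_network

# Bogon ranges the check expects BOGON_PREFIX_FILTER to deny.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
          "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.88.99.0/24",
          "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
          "224.0.0.0/4", "240.0.0.0/4"]
PL_RE = re.compile(r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: (ge|le) (\d+))?$")

def prefix_list_entries(config, name):
    """(seq, action, network, op, length) tuples of one prefix list, in seq order."""
    entries = []
    for line in config.splitlines():
        m = PL_RE.match(line.strip())
        if m and m.group(1) == name:
            entries.append((int(m.group(2)), m.group(3),
                            ip_network(m.group(4), strict=False), m.group(5), m.group(6)))
    return sorted(entries)

def entry_matches(entry, prefix):
    """'deny X/n le 32' matches any prefix inside X/n of length n..32; no ge/le means exact."""
    _, _, net, op, length = entry
    if not prefix.subnet_of(net):
        return False
    if op is None:
        return prefix.prefixlen == net.prefixlen
    if op == "le":
        return net.prefixlen <= prefix.prefixlen <= int(length)
    return int(length) <= prefix.prefixlen <= 32  # ge

def unfiltered_bogons(config, name="BOGON_PREFIX_FILTER"):
    """Bogon ranges the named prefix list would let through (all of them if it is absent)."""
    entries = prefix_list_entries(config, name)
    leaked = []
    for bogon in map(ip_network, BOGONS):
        # the first matching entry decides; no match means the implicit deny applies
        action = next((e[1] for e in entries if entry_matches(e, bogon)), "deny")
        if action != "deny" or not entries:
            leaked.append(str(bogon))
    return leaked

def peers_without_inbound_map(config, route_map="PREFIX_FILTER_MAP"):
    """Neighbors and templates under 'router bgp' lacking 'route-map <name> in'.
    Relies on OS10's one-space-per-level indentation; an unindented line ends the block."""
    peers, current, in_bgp = {}, None, False
    for line in config.splitlines():
        text = line.strip()
        if not text:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if text.startswith("router bgp "):
            in_bgp, current = True, None
            continue
        if indent == 0:
            in_bgp = False
        if in_bgp and indent == 1 and text.split(" ")[0] in ("neighbor", "template"):
            current = text
            peers[current] = False
        elif in_bgp and current and text == f"route-map {route_map} in":
            peers[current] = True
    return [peer for peer, ok in peers.items() if not ok]

def enforce_first_as_disabled(config):
    """True when 'no enforce-first-as' appears anywhere in the config."""
    return any(line.strip() == "no enforce-first-as" for line in config.splitlines())

# Constructed sample: 100.64.0.0/10 is missing, the ebgp template is unfiltered,
# and enforce-first-as has been turned off.
SAMPLE_CONFIG = """\
ip prefix-list BOGON_PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 20 deny 127.0.0.0/8 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 25 deny 169.254.0.0/16 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 30 deny 172.16.0.0/12 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 35 deny 192.0.2.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 40 deny 192.88.99.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 45 deny 192.168.0.0/16 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 50 deny 198.18.0.0/15 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 55 deny 198.51.100.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 60 deny 203.0.113.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 65 deny 224.0.0.0/4 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 70 deny 240.0.0.0/4 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8
!
router bgp 10
 no enforce-first-as
 !
 template ebgp
  address-family ipv4 unicast
 !
 neighbor 123.1.1.10
  address-family ipv4 unicast
   route-map PREFIX_FILTER_MAP in
!
"""
```

Feed the output of "show running-configuration" to the three functions; each returns the items that would make the corresponding check a finding.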
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify the router is configured to deny updates received from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.

Step 1: Review the router configuration and verify that an as-path access-list is defined for each CE router that only accepts routes originated by that customer's AS.

OS10# show running-configuration as-path
!
...
ip as-path access-list AS_PATH_FILTER_CUST1 permit 10.*
ip as-path access-list AS_PATH_FILTER_CUST1 deny .*
ip as-path access-list AS_PATH_FILTER_CUST2 permit 200
ip as-path access-list AS_PATH_FILTER_CUST2 deny .*
...

Step 2: Verify the route maps applied to the external neighbors reference the configured as-path access lists shown above.

OS10# show running-configuration route-map
!
route-map AS_PATH_FILTER_CUST1_MAP permit 50
 match as-path AS_PATH_FILTER_CUST1
!
route-map AS_PATH_FILTER_CUST2_MAP permit 60
 match as-path AS_PATH_FILTER_CUST2
!

Step 3: Verify each external neighbor references the appropriate route map shown above.

!
router bgp 10
 !
 neighbor 50.1.1.1
  !
  address-family ipv4 unicast
   route-map AS_PATH_FILTER_CUST1_MAP in
 neighbor 60.1.1.1
  !
  address-family ipv4 unicast
   route-map AS_PATH_FILTER_CUST2_MAP in

If the router is not configured to reject updates from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer, this is a finding.
Configure the router to reject updates from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.

Step 1: Configure an as-path access list for each customer that permits only that customer's AS.

OS10(config)# ip as-path access-list AS_PATH_FILTER_CUST1 permit 10.*
OS10(config)# ip as-path access-list AS_PATH_FILTER_CUST1 deny .*
OS10(config)# ip as-path access-list AS_PATH_FILTER_CUST2 permit 200
OS10(config)# ip as-path access-list AS_PATH_FILTER_CUST2 deny .*

Step 2: Configure the route maps referencing the configured as-path access lists.

OS10(config)# route-map AS_PATH_FILTER_CUST1_MAP 50
OS10(config-route-map)# match as-path AS_PATH_FILTER_CUST1
OS10(config-route-map)# exit
OS10(config)# route-map AS_PATH_FILTER_CUST2_MAP 50
OS10(config-route-map)# match as-path AS_PATH_FILTER_CUST2
OS10(config-route-map)# exit

Step 3: Apply the route-map inbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 50.1.1.1
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map AS_PATH_FILTER_CUST1_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# neighbor 60.1.1.1
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map AS_PATH_FILTER_CUST2_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# exit
If IPv4 or IPv6 multicast routing is enabled, verify all interfaces enabled for PIM are documented in the network's multicast topology diagram. Review the router configuration to determine if multicast routing is enabled and which interfaces are enabled for PIM.

!
ip multicast-routing
!
interface vlan100
 no shutdown
 ip pim sparse-mode

If an interface is not required to support multicast routing and it is enabled, this is a finding.
Disable support for PIM on interfaces that are not required to support it.

interface vlan100
 no ip pim sparse-mode
This requirement is not applicable for the DODIN Backbone.

Review the multicast topology diagram and determine if router interfaces are enabled for IPv4 or IPv6 multicast routing. If the router is enabled for multicast routing, verify all interfaces enabled for PIM have a neighbor filter bound to the interface. The neighbor filter must only accept PIM control plane traffic from the documented PIM neighbors.

Step 1: Verify that a PIM neighbor filter has been configured.

!
ip access-list PIM_NBR_FILTER
 seq 10 permit ip 10.10.10.2/32 any

Step 2: Verify all interfaces enabled for PIM have the neighbor filter bound to the interface.

!
interface vlan100
 no shutdown
 ip pim sparse-mode
 ip pim neighbor-filter PIM_NBR_FILTER

If PIM neighbor filters are not bound to all interfaces that have PIM enabled, this is a finding.
This requirement is not applicable for the DODIN Backbone.

Configure neighbor filters to only accept PIM control plane traffic from documented PIM neighbors. Bind neighbor filters to all PIM enabled interfaces.

Step 1: Configure an ACL that only permits documented neighbors.

OS10(config)# ip access-list PIM_NBR_FILTER
OS10(config-ipv4-acl)# permit ip 10.10.10.2/32 any

Step 2: Apply the ACL to the PIM interfaces.

OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip pim neighbor-filter PIM_NBR_FILTER
Review the router configuration to verify that inactive interfaces have been disabled as shown below.

!
interface ethernet1/1/6
 shutdown
 no switchport
!
interface ethernet1/1/7
 shutdown
 no switchport

If an interface is not being used but is configured or enabled, this is a finding.
Disable all inactive interfaces on the router as shown in the example below.

OS10(config)# default interface ethernet 1/1/6
OS10(config)# interface ethernet 1/1/6
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# shutdown
This requirement is not applicable for the DODIN Backbone.

Review the configuration of the router connecting to the alternate gateway. Verify there are no BGP neighbors configured to the remote AS that belongs to the alternate gateway service provider.

OS10# show running-configuration bgp
!
router bgp 10
 !
 neighbor 50.1.1.1
  !
  address-family ipv4 unicast
  ...
 !
 neighbor 120.100.5.2
  !
  address-family ipv6 unicast
  ...
 !
 ...

If there are BGP neighbors connecting to the remote AS of the alternate gateway service provider, this is a finding.
This requirement is not applicable for the DODIN Backbone.

Configure the router such that there are no BGP neighbors configured to the remote AS that belongs to the alternate gateway service provider.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# no neighbor 120.100.5.2
This requirement is not applicable for the DODIN Backbone.

Verify the OOBM interface is an adjacency in the IGP routing domain for the management network. Verify the IGP instance used for the management network is configured in a separate VRF from that used for the managed networks.

!
router ospf 1 vrf OOBM
 router-id 77.0.0.10
 ...
!
router ospf 2 vrf PROD
 router-id 88.0.0.88
 ...
!

If the router does not enforce that IGP instances configured on the OOBM gateway router peer only with their own routing domain, this is a finding.
Configure the router to enforce that IGP instances configured on the OOBM gateway router peer only with their own routing domain.

OS10(config)# ip vrf OOBM
OS10(conf-vrf)# exit
OS10(config)# ip vrf PROD
OS10(conf-vrf)# exit
OS10(config)# router ospf 1 vrf OOBM
OS10(config-router-ospf-1)# router-id 77.0.0.10
OS10(config-router-ospf-1)# exit
OS10(config)# router ospf 2 vrf PROD
OS10(config-router-ospf-2)# router-id 88.0.0.88
OS10(config-router-ospf-2)# exit
This requirement is not applicable for the DODIN Backbone.

Verify the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network, and vice versa. Examine the configuration to verify that routes configured to be redistributed into the management network do not originate in a managed network, and vice versa.

!
router ospf 10 vrf OOBM
 redistribute bgp 4 route-map dell4

If the IGP instance used for the managed network redistributes routes into the IGP instance used for the management network, or vice versa, this is a finding.
This requirement is not applicable for the DODIN Backbone.

Configure the IGP instance used for the managed network to prohibit redistribution of routes into the IGP instance used for the management network, and vice versa. Delete any inappropriate route redistribution commands using the "no redistribute" command.

OS10(config)# router ospf 10 vrf OOBM
OS10(config-router-ospf-10)# no redistribute bgp 4 route-map dell4
Verify the RP router is configured to filter PIM register messages.

!
ip access-list PIM_REGFILTER
 seq 10 permit ip 10.10.10.2/32 any
!
ip pim register-filter PIM_REGFILTER
!

If the RP router peering with PIM-SM routers is not configured with a PIM import policy to block registration messages for any undesirable multicast groups and sources, this is a finding.
Configure the RP router to filter PIM register messages received from a multicast DR for any undesirable multicast groups or sources.

OS10# configure terminal
OS10(config)# ip access-list PIM_REGFILTER
OS10(config-ipv4-acl)# permit ip 10.10.10.2/32 any
OS10(config-ipv4-acl)# exit
OS10(config)# ip pim register-filter PIM_REGFILTER
Verify the RP router is configured to filter PIM join messages for any undesirable multicast groups.

!
interface vlan100
 no shutdown
 ip pim sparse-mode
 ip pim join-filter PIM_JOINFILTER
!
ip access-list PIM_JOINFILTER
 seq 10 permit ip 10.10.10.0/24 226.1.1.0/24
 seq 20 permit ip any 225.1.1.0/24

If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.
Configure the RP to filter PIM join messages for any undesirable multicast groups.

Step 1: Configure an ACL that identifies which groups are allowed to join.

OS10(config)# ip access-list PIM_JOINFILTER
OS10(config-ipv4-acl)# permit ip 10.10.10.0/24 226.1.1.0/24
OS10(config-ipv4-acl)# permit ip any 225.1.1.0/24

Step 2: Configure a PIM join filter on the PIM interfaces.

OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip pim join-filter PIM_JOINFILTER

NOTES:
* Dell Technologies recommends not using the "ip pim join-filter" command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process, resulting in excessive traffic being sent to the CPU of both the RP and the PIM DR of the source. Excessive traffic is generated when the join process from the RP back to the source is blocked because a new source group is not permitted in the join-filter. This results in the new source becoming stuck in the registering state on the DR and the continuous generation of UDP-encapsulated registration messages between the DR and RP routers, which are sent to the CPU.
* Do not configure a PIM join-filter on a source-connected interface (IIF) on a first hop router (FHR) node. Applying a PIM join-filter with the rule "deny ip any any" might block creation of the (S,G) entries.
* A join filter applies to both incoming and outgoing joins. There is no option to specify in or out parameters while configuring a join filter.
Review the router configuration to verify that audit logging is enabled.

!
logging audit enable

Review the router configuration to verify that all ACL rules that drop packets are configured to log the event.

!
ip access-list FILTER_EXTERNAL_INGRESS
 seq 10 permit ...
 seq 20 permit ...
 seq 30 permit ...
 seq 40 deny ip any any log

If audit logging is disabled or an ACL is not configured to log dropped packets, this is a finding.
Configure the router to enable audit logging and to log all packets dropped by ACL rules.

OS10(config)# logging audit enable
OS10(config)# ip access-list FILTER_EXTERNAL_INGRESS
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ip any any log
Review the router configuration. For every protocol that affects the routing or forwarding tables (where information is exchanged between neighbors), verify that neighbor router authentication is encrypting the authentication key. Verify the routing protocols are configured to use encryption:

!
interface vlan400
 ipv6 ospf 10 area 0.0.0.1
 ipv6 ospf authentication ipsec spi 4017 sha1 1234567890123456789012345678901234567890
 ...
 ip ospf 1 area 0.0.0.1
 ip ospf message-digest-key 1 md5 1234567812345678

If authentication is not encrypting the authentication key, this is a finding.
Configure the router to use encryption for routing protocol authentication.

OS10(config)# interface vlan 400
OS10(conf-if-vl-400)# ipv6 ospf 10 area 0.0.0.1
OS10(conf-if-vl-400)# ipv6 ospf authentication ipsec spi 4017 sha1 1234567890123456789012345678901234567890
OS10(conf-if-vl-400)# ip ospf 1 area 0.0.0.1
OS10(conf-if-vl-400)# ip ospf message-digest-key 1 md5 1234567812345678
OS10(conf-if-vl-400)# exit
Review the router configuration to verify it is using a NIST-validated FIPS 198-1 message authentication code algorithm to authenticate routing protocol messages.

!
interface vlan400
 ipv6 ospf 10 area 0.0.0.1
 ipv6 ospf authentication ipsec spi 4017 sha1 1234567890123456789012345678901234567890

If a NIST-validated FIPS 198-1 message authentication code algorithm is not being used to authenticate routing protocol messages, this is a finding.
Configure routing protocol authentication to use a NIST-validated FIPS 198-1 message authentication code algorithm.

OS10(config)# interface vlan 400
OS10(conf-if-vl-400)# ipv6 ospf 10 area 0.0.0.1
OS10(conf-if-vl-400)# ipv6 ospf authentication ipsec spi 4017 sha1 1234567890123456789012345678901234567890
OS10(conf-if-vl-400)# exit
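As an added example (not part of the STIG and not a Dell tool), this Python audit applies three of the interface-level checks above to a saved OS10 running-configuration: PIM-enabled interfaces without "ip pim neighbor-filter", ACL deny rules that do not end in "log" together with a missing "logging audit enable", and OSPF-enabled interfaces without the per-interface authentication the check text shows (MD5 message-digest keys for OSPFv2, IPsec SHA-1 for OSPFv3). The sample configuration and all function names are constructed for illustration.

```python
"""Audit OS10 interface and ACL stanzas for the checks above: PIM interfaces
without a neighbor filter, ACL deny rules that do not log, audit logging
disabled, and OSPF interfaces without neighbor authentication.
Added example with a constructed config; function names are ours, not OS10 commands."""
import re

def stanzas(config):
    """Split a running-config into (header, [child lines]); a line starting in
    column 0 opens a stanza, indented lines belong to the most recent header."""
    result = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            result.append((line, []))
        elif result:
            result[-1][1].append(line.strip())
    return result

def interfaces(config):
    """(interface name, body lines) for every interface stanza."""
    return [(header.split(None, 1)[1], body) for header, body in stanzas(config)
            if header.startswith("interface ")]

def pim_interfaces_without_neighbor_filter(config):
    """PIM-enabled interfaces that would accept hellos from any neighbor."""
    return [name for name, body in interfaces(config)
            if "ip pim sparse-mode" in body
            and not any(l.startswith("ip pim neighbor-filter ") for l in body)]

def acl_deny_rules_without_log(config):
    """'seq N deny ...' entries whose final keyword is not 'log', tagged with the ACL name."""
    findings = []
    for header, body in stanzas(config):
        if re.match(r"^(ip|ipv6) access-list \S+$", header):
            name = header.split()[-1]
            findings += [f"{name}: {l}" for l in body
                         if l.startswith("seq ") and l.split()[2] == "deny"
                         and l.split()[-1] != "log"]
    return findings

def audit_logging_enabled(config):
    return any(header == "logging audit enable" for header, _ in stanzas(config))

def ospf_interfaces_without_authentication(config):
    """OSPFv2/v3 interfaces lacking the authentication the check expects:
    'ip ospf message-digest-key ... md5' or 'ipv6 ospf authentication ipsec ...'."""
    findings = []
    for name, body in interfaces(config):
        for fam in ("ip", "ipv6"):
            enabled = any(re.match(rf"^{fam} ospf \d+ area ", l) for l in body)
            authed = any(l.startswith(f"{fam} ospf message-digest-key ") or
                         l.startswith(f"{fam} ospf authentication ipsec ") for l in body)
            if enabled and not authed:
                findings.append(f"{name} ({fam})")
    return findings

def audit(config):
    """Every finding-producing item, keyed by check."""
    return {
        "pim_without_neighbor_filter": pim_interfaces_without_neighbor_filter(config),
        "acl_deny_without_log": acl_deny_rules_without_log(config),
        "audit_logging_enabled": audit_logging_enabled(config),
        "ospf_without_authentication": ospf_interfaces_without_authentication(config),
    }

# Constructed sample: audit logging is off, seq 20 drops silently, vlan200 has
# PIM but no neighbor filter, and OSPFv2 on vlan400 is unauthenticated.
SAMPLE_CONFIG = """\
ip access-list FILTER_EXTERNAL_INGRESS
 seq 10 deny ip 10.0.0.0/8 any log
 seq 20 deny tcp any any eq 23
 seq 30 permit ip any any
!
ip access-list PIM_NBR_FILTER
 seq 10 permit ip 10.10.10.2/32 any
!
interface vlan100
 no shutdown
 ip pim sparse-mode
 ip pim neighbor-filter PIM_NBR_FILTER
!
interface vlan200
 no shutdown
 ip pim sparse-mode
!
interface vlan400
 no shutdown
 ipv6 ospf 10 area 0.0.0.1
 ipv6 ospf authentication ipsec spi 4017 sha1 1234567890123456789012345678901234567890
 ip ospf 1 area 0.0.0.1
!
"""
```

Run audit() over the text of "show running-configuration"; an empty list (or True for the logging key) means that check passes.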
Review the router configuration and interview the system administrator to verify that a mechanism for traffic prioritization and bandwidth reservation exists.

Verify the class-maps are configured to match on DSCP, protocols, or access control lists (ACLs) that identify traffic types based on ports.

!
class-map type qos 6Q_BestEffort_dscp
 match ip-any dscp 0
!
class-map type qos 6Q_NetworkControl_dscp
 match ip-any dscp 48
!
class-map type qos 6Q_PreferData_dscp
 match ip-any dscp 16
!
class-map type qos 6Q_Scavenger_dscp
 match ip-any dscp 8
!
class-map type qos 6Q_Video_dscp
 match ip-any dscp 38
!
class-map type qos 6Q_Voice_dscp
 match ip-any dscp 49
!
class-map type qos 6Q_Voice_dscp_15
 match ip-any dscp 15
!
class-map type queuing 6Q_BestEffort
 match queue 1
!
class-map type queuing 6Q_NetworkControl
 match queue 5
!
class-map type queuing 6Q_PreferData
 match queue 2
!
class-map type queuing 6Q_Scavenger
 match queue 0
!
class-map type queuing 6Q_Unused_6
 match queue 6
!
class-map type queuing 6Q_Unused_7
 match queue 7
!
class-map type queuing 6Q_Video
 match queue 3
!
class-map type queuing 6Q_Voice
 match queue 4
!

Verify the policy-map is configured to set DSCP values for the defined class-maps in accordance with the QoS GIG Technical Profile.

policy-map type qos 6Q_PolicyMapIn_dscp
 !
 class 6Q_Scavenger_dscp
  set qos-group 0
 !
 class 6Q_BestEffort_dscp
  set qos-group 1
 !
 class 6Q_PreferData_dscp
  set qos-group 2
 !
 class 6Q_Video_dscp
  set qos-group 3
 !
 class 6Q_Voice_dscp
  set qos-group 4
 !
 class 6Q_Voice_dscp_15
  set qos-group 4
  set dscp 45
 !
 class 6Q_NetworkControl_dscp
  set qos-group 5
!
policy-map type queuing 6Q_PolicyMapOut_100G
 !
 class 6Q_Scavenger
  bandwidth percent 10
  shape min mbps 10000 max mbps 10000
 !
 class 6Q_BestEffort
  bandwidth percent 18
 !
 class 6Q_NetworkControl
  bandwidth percent 5
  shape min mbps 5000 max mbps 5000
 !
 class 6Q_PreferData
  bandwidth percent 30
  shape min mbps 30000 max mbps 30000
 !
 class 6Q_Unused_6
  bandwidth percent 1
 !
 class 6Q_Unused_7
  bandwidth percent 1
 !
 class 6Q_Video
  bandwidth percent 15
  shape min mbps 15000 max mbps 15000
 !
 class 6Q_Voice
  bandwidth percent 20
  shape min mbps 20000 max mbps 20000
!

Verify that input and output service policies are bound to the appropriate interfaces.

!
interface ethernet1/1/2
 service-policy input type qos 6Q_PolicyMapIn_dscp
 service-policy output type queuing 6Q_PolicyMapOut_100G
!

Note: The GTP QOS document (GTP-0009) can be downloaded via the following link: https://intellipedia.intelink.gov/wiki/Portal:GIG_Technical_Guidance/GTG_GTPs/GTP_Development_List

If the router is not configured to implement a QoS policy in accordance with the QoS GIG Technical Profile, this is a finding.
Implement a mechanism for traffic prioritization and bandwidth reservation. This mechanism must enforce the traffic priorities specified by the Combatant Commands/Services/Agencies.

Step 1: Configure QoS class-maps to match on DSCP values as shown in the configuration example below:

OS10(config)# class-map type qos 6Q_BestEffort_dscp
OS10(config-cmap-qos)# match ip-any dscp 0
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_NetworkControl_dscp
OS10(config-cmap-qos)# match ip-any dscp 48
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_PreferData_dscp
OS10(config-cmap-qos)# match ip-any dscp 16
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Scavenger_dscp
OS10(config-cmap-qos)# match ip-any dscp 8
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Video_dscp
OS10(config-cmap-qos)# match ip-any dscp 38
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Voice_dscp
OS10(config-cmap-qos)# match ip-any dscp 49
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Voice_dscp_15
OS10(config-cmap-qos)# match ip-any dscp 15
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# exit
OS10(config)#

Step 2: Configure policy-maps to map the QoS traffic classes to qos-groups.

OS10(config)# policy-map type qos 6Q_PolicyMapIn_dscp
OS10(config-pmap-qos)# !
OS10(config-pmap-qos)# class 6Q_Scavenger_dscp
OS10(config-pmap-c-qos)# set qos-group 0
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_BestEffort_dscp
OS10(config-pmap-c-qos)# set qos-group 1
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_PreferData_dscp
OS10(config-pmap-c-qos)# set qos-group 2
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Video_dscp
OS10(config-pmap-c-qos)# set qos-group 3
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Voice_dscp
OS10(config-pmap-c-qos)# set qos-group 4
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Voice_dscp_15
OS10(config-pmap-c-qos)# set qos-group 4
OS10(config-pmap-c-qos)# set dscp 45
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_NetworkControl_dscp
OS10(config-pmap-c-qos)# set qos-group 5
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# exit
OS10(config-pmap-qos)# exit

Step 3: Configure queuing class-maps as shown in the configuration example below:

OS10(config)# class-map type queuing 6Q_Scavenger
OS10(config-cmap-queuing)# match queue 0
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_BestEffort
OS10(config-cmap-queuing)# match queue 1
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_PreferData
OS10(config-cmap-queuing)# match queue 2
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_Video
OS10(config-cmap-queuing)# match queue 3
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_Voice
OS10(config-cmap-queuing)# match queue 4
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_NetworkControl
OS10(config-cmap-queuing)# match queue 5
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# exit
OS10(config)#

Step 4: Configure a queuing policy-map to reserve bandwidth for each queue.

OS10(config)# policy-map type queuing 6Q_PolicyMapOut_100G
OS10(config-pmap-queuing)# !
OS10(config-pmap-queuing)# class 6Q_Scavenger
OS10(config-pmap-c-que)# bandwidth percent 10
OS10(config-pmap-c-que)# shape min mbps 10000 max mbps 10000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_BestEffort
OS10(config-pmap-c-que)# bandwidth percent 20
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_NetworkControl
OS10(config-pmap-c-que)# bandwidth percent 5
OS10(config-pmap-c-que)# shape min mbps 5000 max mbps 5000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_PreferData
OS10(config-pmap-c-que)# bandwidth percent 30
OS10(config-pmap-c-que)# shape min mbps 30000 max mbps 30000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_Video
OS10(config-pmap-c-que)# bandwidth percent 15
OS10(config-pmap-c-que)# shape min mbps 15000 max mbps 15000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_Voice
OS10(config-pmap-c-que)# bandwidth percent 20
OS10(config-pmap-c-que)# shape min mbps 20000 max mbps 20000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# exit
OS10(config-pmap-queuing)# exit

Step 5: Apply the input and output service policies to all interfaces as shown in the configuration example below:

OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# service-policy input type qos 6Q_PolicyMapIn_dscp
OS10(conf-if-eth1/1/2)# service-policy output type queuing 6Q_PolicyMapOut_100G
Review the access control list (ACL) or filter for the router receive path and verify that it will only process specific management plane and control plane traffic from specific sources.

Step 1: Examine the control-plane configuration for the ACLs applied to traffic destined to the router control plane from the OOBM management port and from the front panel data ports.

!
control-plane
ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
ip access-group MGMT_TRAFFIC_FROM_DATA data in

Step 2: Review the control plane ACLs and verify that traffic is limited appropriately.

!
ip access-list MGMT_TRAFFIC_FROM_OOBM
seq 10 permit ...
seq 20 permit ...
seq 30 deny ... log
seq 40 deny ... log
!
ip access-list MGMT_TRAFFIC_FROM_DATA
seq 10 permit ...
seq 20 permit ...
seq 30 deny ... log
seq 40 deny ... log

If the router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding.
Configure the router with receive path filters to restrict traffic destined to the router.

Step 1: Configure inbound ACLs to restrict which packets are allowed to reach the control plane from the OOBM management port and from the front panel data ports.

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# exit
OS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# exit

Step 2: Apply the ACLs to the ingress of the control-plane.

OS10(config)# control-plane
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in
Review the access control list (ACL) for the control plane receive path. Verify that it will drop all fragmented ICMP packets destined to itself.

Step 1: Review the router configuration to verify that an ACL is configured that drops fragmented ICMP packets.

!
ip access-list FILTER_FRAGMENTED_ICMP
seq 10 deny icmp any any log fragment
...
seq 20 permit ip any any

Step 2: Examine the configuration to verify the ACL above is applied to packets destined to the control plane.

!
control-plane
ip access-group FILTER_FRAGMENTED_ICMP data in

Note: As shown above, OS10 can filter fragmented packets that arrive on the front panel data ports. OS10 does not support filtering fragmented packets arriving on the OOBM management ethernet interface.

If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.
Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.

Step 1: Configure a control-plane ACL that drops fragmented ICMP packets.

OS10(config)# ip access-list FILTER_FRAGMENTED_ICMP
OS10(config-ipv4-acl)# seq 10 deny icmp any any log fragment
OS10(config-ipv4-acl)# seq 20 permit ip any any

Step 2: Apply the ACL above to the control-plane.

OS10(config)# control-plane
OS10(config-control-plane)# ip access-group FILTER_FRAGMENTED_ICMP data in
Review the router configuration to verify that there is a filter defined to block route advertisements for prefixes that belong to the IP core. The prefix filter must be referenced outbound on the appropriate BGP neighbor statements.

Step 1: Verify a prefix list has been configured containing the current IP core prefixes as shown in the example below.

ip prefix-list CORE_PREFIX_FILTER seq 5 deny 20.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8

Step 2: Verify the route map applied outbound to the external neighbors references the configured prefix list shown above.

!
route-map CORE_PREFIX_FILTER_MAP permit 10
match ip address prefix-list CORE_PREFIX_FILTER
!
router bgp 10
!
neighbor 40.1.1.10
!
address-family ipv4 unicast
route-map CORE_PREFIX_FILTER_MAP out

If the router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.
Configure all eBGP routers to filter outbound route advertisements belonging to the IP core.

Step 1: Add to the prefix filter list those prefixes belonging to the IP core.

OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 5 deny 20.0.0.0/24 ge 8 le 32
OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32
OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8

Step 2: Configure the route map referencing the configured prefix list.

OS10(config)# route-map CORE_PREFIX_FILTER_MAP 10
OS10(config-route-map)# match ip address prefix-list CORE_PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map outbound to each external BGP neighbor, and to the eBGP template so that neighbors inheriting it are covered as well.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 40.1.1.10
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map CORE_PREFIX_FILTER_MAP out
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# template ebgp
OS10(config-router-template)# address-family ipv4 unicast
OS10(config-router-bgp-template-af)# route-map CORE_PREFIX_FILTER_MAP out
OS10(config-router-bgp-template-af)# exit
OS10(config-router-template)# exit
OS10(config-router-bgp-10)# exit
This requirement is not applicable for the DODIN Backbone. Review the network topology diagram to determine connectivity between the managed network and the NOC. Review the OOBM gateway router configuration to validate the path that the management traffic traverses. Verify that only management traffic is forwarded through the OOBM interface. If traffic other than authorized management traffic is permitted through the OOBM interface, this is a finding.
This requirement is not applicable for the DODIN Backbone.

Configure ACLs based on port, source IP address, and destination IP address to permit only authorized management traffic through the OOBM interfaces used for forwarding management data.

Step 1: Configure a named ACL with the appropriate filter rules.

OS10(config)# ip access-list MGMT_TRAFFIC_TO_NOC
OS10(config-ipv4-acl)# permit tcp 10.10.0.0/16 10.10.0.0/16 eq 22
OS10(config-ipv4-acl)# permit udp 10.10.0.0/16 10.10.0.0/16 range 161 162
OS10(config-ipv4-acl)# permit udp 10.10.0.0/16 10.10.0.0/16 range 1812 1813
OS10(config-ipv4-acl)# permit tcp 10.10.0.0/16 10.10.0.0/16 range 1812 1813
OS10(config-ipv4-acl)# permit udp 10.10.0.0/16 10.10.0.0/16 eq 123
OS10(config-ipv4-acl)# permit udp 10.10.0.0/16 10.10.0.0/16 eq 514
OS10(config-ipv4-acl)# permit tcp 10.10.0.0/16 10.10.0.0/16 eq 6514
OS10(config-ipv4-acl)# deny ip any any log
OS10(config-ipv4-acl)# exit

Step 2: Apply the ACL outbound on the OOBM interface that forwards management traffic toward the NOC.

OS10(config)# interface ethernet1/1/1
OS10(conf-if-eth1/1/1)# ip access-group MGMT_TRAFFIC_TO_NOC out
This requirement is not applicable for the DODIN Backbone.

If the OOBM gateway router is a dedicated device for the OOBM network, this requirement is not applicable.

Review the access control list (ACL) or filter for the router receive path. Verify that only traffic sourced from the OOBM network or the NOC is allowed to access the router.

Step 1: Examine the interface configuration for the inbound ACL applied to the OOBM interfaces.

!
interface ethernet1/1/1
description "OOB link to NOC"
ip address 10.10.1.1/24
ip access-group MGMT_TRAFFIC_FROM_NOC in
!
interface ethernet1/1/2
description "link to OOBM LAN access switch"
ip address 10.10.2.1/24
ip access-group MGMT_TRAFFIC_FROM_OOBM_LAN in

Step 2: Review the inbound ACL bound to any OOBM interface connecting to the OOBM backbone and verify that traffic destined to the OS10 OOBM router is only from the OOBM or NOC address space.

!
ip access-list MGMT_TRAFFIC_FROM_NOC
seq 10 permit ip 10.10.1.0/24 host 10.10.1.1
seq 20 permit ip 10.10.1.0/24 host 10.10.2.1
seq 30 deny ip any host 10.10.1.1 log
seq 40 deny ip any host 10.10.2.1 log
seq 50 permit ip 10.10.1.0/24 10.10.2.0/24
seq 60 deny ip any any log

Step 3: Review the inbound ACL bound to any OOBM LAN interface and verify that traffic destined to the OS10 OOBM router is only from the OOBM LAN address space.

!
ip access-list MGMT_TRAFFIC_FROM_OOBM_LAN
seq 10 permit ip 10.10.2.0/24 host 10.10.1.1
seq 20 permit ip 10.10.2.0/24 host 10.10.2.1
seq 30 deny ip any host 10.10.1.1 log
seq 40 deny ip any host 10.10.2.1 log
seq 50 permit ip 10.10.2.0/24 10.10.1.0/24
seq 60 deny ip any any log

If the router does not block any traffic destined to itself that is not sourced from the OOBM network or the NOC, this is a finding.
This requirement is not applicable for the DODIN Backbone.

If the OOBM gateway router is a dedicated device for the OOBM network, this requirement is not applicable.

Step 1: Configure an inbound ACL to bind to any OOBM interface connecting to the OOBM backbone, ensuring that traffic destined to the OS10 OOBM router is only from the OOBM or NOC address space.

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_NOC
OS10(config-ipv4-acl)# seq 10 permit ip 10.10.1.0/24 host 10.10.1.1
OS10(config-ipv4-acl)# seq 20 permit ip 10.10.1.0/24 host 10.10.2.1
OS10(config-ipv4-acl)# seq 30 deny ip any host 10.10.1.1 log
OS10(config-ipv4-acl)# seq 40 deny ip any host 10.10.2.1 log
OS10(config-ipv4-acl)# seq 50 permit ip 10.10.1.0/24 10.10.2.0/24
OS10(config-ipv4-acl)# seq 60 deny ip any any log
OS10(config-ipv4-acl)# exit

Step 2: Configure an inbound ACL to bind to any OOBM LAN interface, ensuring that traffic destined to the OS10 OOBM router is only from the OOBM LAN address space.

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM_LAN
OS10(config-ipv4-acl)# seq 10 permit ip 10.10.2.0/24 host 10.10.1.1
OS10(config-ipv4-acl)# seq 20 permit ip 10.10.2.0/24 host 10.10.2.1
OS10(config-ipv4-acl)# seq 30 deny ip any host 10.10.1.1 log
OS10(config-ipv4-acl)# seq 40 deny ip any host 10.10.2.1 log
OS10(config-ipv4-acl)# seq 50 permit ip 10.10.2.0/24 10.10.1.0/24
OS10(config-ipv4-acl)# seq 60 deny ip any any log
OS10(config-ipv4-acl)# exit

Step 3: Apply the ACLs to the OOBM interfaces.

OS10(config)# interface ethernet1/1/1
OS10(conf-if-eth1/1/1)# ip access-group MGMT_TRAFFIC_FROM_NOC in
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet1/1/2
OS10(conf-if-eth1/1/2)# ip access-group MGMT_TRAFFIC_FROM_OOBM_LAN in
OS10(conf-if-eth1/1/2)# exit

Ensure that traffic from the managed network is not able to access the OOBM gateway router, using either receive path or interface ingress ACLs.
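The two receive-path ACLs above depend on rule order: the host-specific permits and denies (seq 10 to 40) decide what may reach the router itself before the transit rule (seq 50) is consulted, and the final deny logs everything else. The following Python script is an added example, not part of the STIG and not OS10 code. It parses the MGMT_TRAFFIC_FROM_NOC ACL exactly as shown in the check text (the configuration text embedded in the script is copied from it) and reports which sequence number a given source/destination pair hits, using first-match semantics and the implicit deny that ends every OS10 ACL. It handles only the address forms and protocol keywords these two ACLs use (any, host, prefix; no port qualifiers).

```python
"""Added example: first-match evaluation of an OS10-style IPv4 ACL.

Not OS10 code and not part of the STIG; it models the rule forms used by the
receive-path ACLs on this page (any / host A.B.C.D / A.B.C.D/len, a protocol
keyword without port qualifiers, optional trailing 'log').
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copied from the check text above (MGMT_TRAFFIC_FROM_NOC); used as sample input.
SAMPLE_CONFIG = """\
!
ip access-list MGMT_TRAFFIC_FROM_NOC
 seq 10 permit ip 10.10.1.0/24 host 10.10.1.1
 seq 20 permit ip 10.10.1.0/24 host 10.10.2.1
 seq 30 deny ip any host 10.10.1.1 log
 seq 40 deny ip any host 10.10.2.1 log
 seq 50 permit ip 10.10.1.0/24 10.10.2.0/24
 seq 60 deny ip any any log
!
"""


@dataclass(frozen=True)
class AclRule:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


def _parse_addr(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Consume one address term starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_acl(config: str, name: str) -> list[AclRule]:
    """Collect the 'seq N permit|deny PROTO SRC DST [log]' lines of one named ACL."""
    rules: list[AclRule] = []
    inside = False
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "access-list"]:
            inside = len(t) > 2 and t[2] == name
            continue
        if not inside or t[0] != "seq":
            continue                    # '!' separators and other statements
        seq, action, proto = int(t[1]), t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        rules.append(AclRule(seq, action, proto, src, dst, "log" in t[i:]))
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules: list[AclRule], src_ip: str, dst_ip: str,
             proto: str = "ip") -> tuple[str, Optional[int], bool]:
    """Return (action, matching seq, logged). The first matching rule wins;
    a packet that matches nothing hits the implicit deny (seq None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto in ("ip", proto) and s in r.src and d in r.dst:
            return r.action, r.seq, r.log
    return "deny", None, False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, "MGMT_TRAFFIC_FROM_NOC")
    for src, dst in [("10.10.1.50", "10.10.1.1"),    # NOC host to the router: seq 10
                     ("10.10.2.5", "10.10.1.1"),     # OOBM LAN source on the NOC link: seq 30, logged
                     ("192.168.1.5", "10.10.1.1"),   # managed-network source to the router: seq 30, logged
                     ("10.10.1.50", "10.10.2.77"),   # NOC host transiting to the OOBM LAN: seq 50
                     ("10.10.1.50", "10.10.3.9")]:   # anything else: seq 60, logged
        print(src, "->", dst, evaluate(acl, src, dst))
```

Note that a packet from the OOBM LAN range (10.10.2.0/24) arriving on the NOC-facing interface is denied at seq 30 even though that range is trusted on the other interface; the per-interface ACLs are what make the source check meaningful.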
Review the router configuration. For every protocol that affects the routing or forwarding tables (where information is exchanged between neighbors), verify that neighbor router authentication is enabled. Verify the routing protocols are configured to authenticate neighbors.

!
interface vlan400
ipv6 ospf 10 area 0.0.0.1
ipv6 ospf authentication ipsec spi 4017 sha1 1234567890123456789012345678901234567890
...
ip ospf 1 area 0.0.0.1
ip ospf message-digest-key 1 md5 $$c95abfd48ae6bcffc281603e960d49860dab21b300c5ea1febf7b674320be879

If authentication is not enabled, this is a finding.
Configure authentication to be enabled for every protocol that affects the routing or forwarding tables.

OS10(config)# interface vlan 400
OS10(conf-if-vl-400)# ipv6 ospf 10 area 0.0.0.1
OS10(conf-if-vl-400)# ipv6 ospf authentication ipsec spi 4018 sha1 1234567890123456789012345678901234567890
OS10(conf-if-vl-400)# ip ospf 1 area 0.0.0.1
OS10(conf-if-vl-400)# ip ospf message-digest-key 1 md5 $$9d5679ab0b6ff43439c05e8059fefcccf05a20062d9679720bdecd630843c545
OS10(conf-if-vl-400)# exit
Review the router configuration. Verify that unique keys are used for each AS that it peers with.

!
interface vlan400
ipv6 ospf 10 area 0.0.0.1
ipv6 ospf authentication ipsec spi 4017 sha1 1234567890123456789012345678901234567890
...
ip ospf 1 area 0.0.0.1
ip ospf message-digest-key 1 md5 $$c95abfd48ae6bcffc281603e960d49860dab21b300c5ea1febf7b674320be879

If any keys are found not to be unique for each autonomous system, this is a finding.
Configure unique keys for each AS that the router peers with.

OS10(config)# interface vlan 400
OS10(conf-if-vl-400)# ipv6 ospf 10 area 0.0.0.1
OS10(conf-if-vl-400)# ipv6 ospf authentication ipsec spi 4018 sha1 1234567890123456789012345678901234567890
OS10(conf-if-vl-400)# ip ospf 1 area 0.0.0.1
OS10(conf-if-vl-400)# ip ospf message-digest-key 1 md5 $$9d5679ab0b6ff43439c05e8059fefcccf05a20062d9679720bdecd630843c545
OS10(conf-if-vl-400)# exit
Review the router configuration. Document the date when routing protocol keys were changed and manually change them at least every 180 days. If the routing authentication keys have not been changed in more than 180 days, this is a finding.
Manually change the routing protocol authentication keys. Example:

OS10(config)# interface vlan 400
OS10(conf-if-vl-400)# ipv6 ospf 10 area 0.0.0.1
OS10(conf-if-vl-400)# ipv6 ospf authentication ipsec spi 4017 sha1 1234567890123456789012345678901234567890
OS10(conf-if-vl-400)# ip ospf 1 area 0.0.0.1
OS10(conf-if-vl-400)# ip ospf message-digest-key 1 md5 1234567812345678
OS10(conf-if-vl-400)# exit
Review the Dell OS10 Switch configuration to verify that zero-touch deployment (ZTD) has been disabled. Verify that ZTD has been disabled with the following command:

OS10# show ztd-status
-----------------------------------
ZTD Status : disabled
ZTD State : init
Protocol State : idle
Reason :
-----------------------------------
OS10#

If ZTD is enabled, this is a finding.
Disable zero-touch deployment. Log in to the device, make any configuration change, and then issue the following commands:

OS10# write memory
OS10# ztd stop
OS10# reload
Determine whether control plane protection has been implemented on the device by verifying that traffic types have been classified based on importance levels and that a policy has been configured to filter and rate limit the traffic according to each class.

Use the show control-plane info command to review the Control Plane Policing (CoPP) queues and their rate limits.

OS10# show control-plane info
Queue  Min Rate Limit(in pps)  Max Rate Limit(in pps)  Protocols
0      600                     600                     ISCSI UNKNOWN UNICAST
1      1000                    1000                    OPEN_FLOW SFLOW
2      400                     400                     IGMP PIM
3      600                     1000                    VLT NDS
4      500                     1000                    IPV6_ICMP IPV4_ICMP
5      500                     1000                    ICMPV6_RS ICMPV6_NS ICMPV6_RA ICMPV6_NA
6      500                     1000                    ARP_REQ SERVICEABILITY
7      500                     1000                    ARP_RESP
8      500                     500                     SSH TELNET TACACS NTP FTP
9      600                     600                     FCOE NVME
10     600                     1000                    LACP
11     400                     400                     RSTP PVST MSTP
12     500                     500                     DOT1X LLDP FEFD
13     600                     1000                    IPV6_OSPF IPV4_OSPF
14     600                     1000                    OSPF_HELLO
15     600                     1000                    BGP
16     500                     500                     IPV6_DHCP IPV4_DHCP
17     600                     1000                    VRRP
18     700                     700                     BFD
19     1400                    2000                    REMOTE CPS
20     300                     300                     MCAST DATA
21     100                     100                     ACL LOGGING
22     300                     300                     MCAST KNOWN DATA
23     100                     100                     PTP
24     100                     100                     PORT_SECURITY
OS10#

Use the show running-configuration class-map and show running-configuration policy-map commands to review the configured CoPP class-maps and policy-maps.

OS10# show running-configuration class-map
!
class-map type application class-iscsi
!
class-map type control-plane example-copp-class-map-name
OS10#

OS10# show running-configuration policy-map
!
policy-map type application policy-iscsi
!
policy-map type control-plane example-copp-policy-map-name
!
class example-copp-class-map-name
set qos-group 2
police cir 100 pir 100
OS10#

Use the show qos control-plane command to verify that a custom CoPP policy is bound to the control plane.

OS10# show qos control-plane
Service-policy (input): example-copp-policy-map-name

If the router does not have appropriate control plane protection implemented, this is a finding.
Implement control plane protection by classifying traffic types based on importance and configuring filters to restrict and rate limit the traffic directed to and processed by the RP according to each class.

Step 1: Create an appropriate QoS policy for CoPP. The control-plane class-map must contain match statements for the protocol traffic it is meant to classify (the PIM rate-limiting example later on this page shows the form); the policy-map then assigns the class to a CoPP queue and polices it in packets per second.

OS10(config)# class-map type control-plane example-copp-class-map-name
OS10(config-cmap-control-plane)# exit
OS10(config)# policy-map type control-plane example-copp-policy-map-name
OS10(config-pmap-control-plane)# class example-copp-class-map-name
OS10(config-pmap-c)# set qos-group 2
OS10(config-pmap-c)# police cir 100 pir 100

Step 2: Assign the control-plane service-policy.

OS10(config)# control-plane
OS10(config-control-plane)# service-policy input example-copp-policy-map-name
Review the Dell OS10 Switch configuration to determine if gratuitous ARP is disabled on all external interfaces. Verify that gratuitous ARP has not been enabled on each external interface by checking that the following has not been configured: ip arp gratuitous update If gratuitous ARP is enabled on any external interface, this is a finding.
Configure the Dell OS10 Switch to disable gratuitous ARP on all external interfaces as shown in the example below:

OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no ip arp gratuitous update
Review the router configuration to determine if IP directed broadcast is enabled. Run the following command and verify that bc_forwarding = 0 for all interfaces. If bc_forwarding = 1, directed broadcast is enabled. The default value is 0 (disabled).

OS10# system "sudo sysctl net.ipv4.conf | grep bc_forwarding"

If IP directed broadcast is enabled on Layer 3 interfaces, this is a finding.
Disable IP directed broadcasts on all Layer 3 interfaces with the following commands. The first three commands persist the setting in /etc/sysctl.d/ so it survives a reload; the last applies it to the running system immediately.

OS10# system "echo net.ipv4.conf.all.bc_forwarding = 0 > /tmp/directed_broadcast.conf"
OS10# system "echo net.ipv4.conf.default.bc_forwarding = 0 >> /tmp/directed_broadcast.conf"
OS10# system "sudo cp /tmp/directed_broadcast.conf /etc/sysctl.d/"
OS10# system "sudo sysctl net.ipv4.conf.all.bc_forwarding=0"
Review the device configuration to determine if controls have been defined to ensure the router does not send ICMP unreachable notifications out any external interface. Verify the "ip unreachables" command is not configured on any external interface.

Note: The default setting has ICMP unreachable notifications disabled, so if "ip unreachables" is not present in the interface configuration, they are disabled. The configuration below enables them on ethernet1/1/4 and would be a finding if that interface is external.

!
interface ethernet1/1/4
ip unreachables

If ICMP unreachable notifications are enabled on any external interface, this is a finding.
Disable ICMP unreachable notifications on all external interfaces.

OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# no ip unreachables
Review the router configuration to verify the number of received prefixes from each eBGP neighbor is controlled. Verify that a maximum-prefix value is configured in the appropriate neighbor entries or templates.

router bgp 10
!
template ebgp
!
address-family ipv4 unicast
maximum-prefix 10 50

If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix deaggregation attacks, this is a finding.
Configure all eBGP routers to use the maximum prefixes feature to protect against route table flooding and prefix deaggregation attacks. Neighbors that do not inherit the template need the same maximum-prefix statement under their own address-family.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# template ebgp
OS10(config-router-template)# address-family ipv4 unicast
OS10(config-router-bgp-template-af)# maximum-prefix 10 50
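The BGP requirements on this page (an inbound prefix filter, an outbound core-prefix filter, and a maximum-prefix limit on every eBGP neighbor, plus a loopback update-source on every iBGP neighbor, which is covered later on the page) are easy to miss for a neighbor that is configured directly rather than through the template. The following Python script is an added example, not part of the STIG and not OS10 code: it reads a running-config fragment in the style of the ones shown here and reports, per neighbor, which of those settings is missing after template inheritance is applied. The indentation of the sample configuration and the "inherit template NAME" line as the mechanism by which a neighbor picks up template settings are assumptions about the running-config layout; the sample configuration itself is constructed for the example.

```python
"""Added example: audit BGP neighbor policy in an OS10-style running-config.

Not OS10 code and not part of the STIG. Assumes the running-config nests
template/neighbor sections by indentation and that a neighbor picks up a
template's settings through an 'inherit template NAME' line.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample input in the style of the configurations on this page.
SAMPLE_BGP_CONFIG = """\
router bgp 10
 template ebgp
  address-family ipv4 unicast
   maximum-prefix 10 50
   route-map BOGON_PREFIX_FILTER_MAP in
   route-map CORE_PREFIX_FILTER_MAP out
 neighbor 192.0.2.10
  remote-as 20
  inherit template ebgp
  no shutdown
 neighbor 192.0.2.20
  remote-as 30
  no shutdown
  address-family ipv4 unicast
   route-map CORE_PREFIX_FILTER_MAP out
 neighbor 10.1.1.1
  remote-as 10
  update-source loopback2
  no shutdown
 neighbor 10.2.2.2
  remote-as 10
  no shutdown
"""

POLICY_FIELDS = ("remote_as", "update_source", "route_map_in", "route_map_out", "max_prefix")


@dataclass
class PeerPolicy:
    remote_as: Optional[int] = None
    template: Optional[str] = None
    update_source: Optional[str] = None
    route_map_in: Optional[str] = None
    route_map_out: Optional[str] = None
    max_prefix: Optional[int] = None


def parse_bgp(config: str) -> tuple[Optional[int], dict[str, PeerPolicy], dict[str, PeerPolicy]]:
    """Return (local AS, templates by name, neighbors by address)."""
    local_as: Optional[int] = None
    templates: dict[str, PeerPolicy] = {}
    neighbors: dict[str, PeerPolicy] = {}
    current: Optional[PeerPolicy] = None      # section whose statements we are reading
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["router", "bgp"]:
            local_as = int(t[2])
        elif t[0] == "template":
            current = templates.setdefault(t[1], PeerPolicy())
        elif t[0] == "neighbor":
            current = neighbors.setdefault(t[1], PeerPolicy())
        elif current is None:
            continue
        elif t[0] == "remote-as":
            current.remote_as = int(t[1])
        elif t[:2] == ["inherit", "template"]:
            current.template = t[2]
        elif t[0] == "update-source":
            current.update_source = t[1]
        elif t[0] == "route-map" and len(t) == 3 and t[2] == "in":
            current.route_map_in = t[1]
        elif t[0] == "route-map" and len(t) == 3 and t[2] == "out":
            current.route_map_out = t[1]
        elif t[0] == "maximum-prefix":
            current.max_prefix = int(t[1])
    return local_as, templates, neighbors


def effective(policy: PeerPolicy, templates: dict[str, PeerPolicy]) -> PeerPolicy:
    """Neighbor-level settings override those of the inherited template."""
    base = templates.get(policy.template or "", PeerPolicy())
    merged = PeerPolicy()
    for f in POLICY_FIELDS:
        own = getattr(policy, f)
        setattr(merged, f, own if own is not None else getattr(base, f))
    return merged


def audit(config: str) -> dict[str, list[str]]:
    """Map each neighbor address to its list of findings (empty list = compliant)."""
    local_as, templates, neighbors = parse_bgp(config)
    findings: dict[str, list[str]] = {}
    for addr, policy in neighbors.items():
        eff = effective(policy, templates)
        issues: list[str] = []
        if eff.remote_as is None:
            issues.append("no remote-as")
        elif eff.remote_as != local_as:                     # eBGP peer
            if eff.route_map_in is None:
                issues.append("no inbound route-map")
            if eff.route_map_out is None:
                issues.append("no outbound route-map")
            if eff.max_prefix is None:
                issues.append("no maximum-prefix")
        elif not (eff.update_source or "").lower().startswith("loopback"):   # iBGP peer
            issues.append("iBGP session not sourced from a loopback")
        findings[addr] = issues
    return findings


if __name__ == "__main__":
    for addr, issues in audit(SAMPLE_BGP_CONFIG).items():
        print(addr, "OK" if not issues else "; ".join(issues))
```

In the sample, 192.0.2.20 is the case to watch for: it carries the outbound core filter but, because it does not inherit the template, has neither the inbound filter nor a maximum-prefix.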
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that there is a filter to reject inbound route advertisements for prefixes longer (more specific) than /24, or than the least significant prefixes issued to the customer, whichever is larger. The prefix filter must be referenced inbound on the appropriate BGP neighbor statements.

Step 1: Verify prefix lists have been configured for each customer containing the prefixes that belong to that customer.

OS10# show running-configuration prefix-list
!
ip prefix-list LONG_PREFIX_FILTER permit 0.0.0.0/0 ge 8 le 24
ip prefix-list LONG_PREFIX_FILTER deny 0.0.0.0/0

Step 2: Verify a route map references the configured prefix list shown above.

OS10# show running-configuration route-map
!
route-map LONG_PREFIX_FILTER_MAP permit 50
match ip address prefix-list LONG_PREFIX_FILTER

Step 3: Verify the route map is applied inbound to each external neighbor.

!
router bgp 10
!
neighbor 50.1.1.1
!
address-family ipv4 unicast
route-map LONG_PREFIX_FILTER_MAP in

If the router is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.
Ensure all eBGP routers are configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

Step 1: Configure a prefix list for each customer containing the prefixes belonging to that customer.

OS10(config)# ip prefix-list LONG_PREFIX_FILTER permit 0.0.0.0/0 ge 8 le 24
OS10(config)# ip prefix-list LONG_PREFIX_FILTER deny 0.0.0.0/0

Step 2: Configure the route map referencing the configured prefix list.

OS10(config)# route-map LONG_PREFIX_FILTER_MAP 50
OS10(config-route-map)# match ip address prefix-list LONG_PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map inbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 50.1.1.1
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map LONG_PREFIX_FILTER_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# exit
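The ge/le qualifiers on the prefix-list entries above are what make the filter work, and they are a frequent source of mistakes: "permit 0.0.0.0/0 ge 8 le 24" accepts any prefix whose length is between 8 and 24, while "deny 0.0.0.0/0" with no qualifier matches only the default route itself, so a /25 is dropped by the implicit deny at the end of the list rather than by that entry. The following Python script is an added example, not part of the STIG and not OS10 code. It evaluates both prefix lists on this page (LONG_PREFIX_FILTER from this requirement and CORE_PREFIX_FILTER from the core-prefix requirement; the configuration text in the script is copied from them) against sample advertisements with first-match semantics. The length semantics it implements are the usual ones (no qualifier: exact length; ge alone: ge to 32; le alone: stated length to le; both: ge to le); a ge smaller than the stated prefix length, as in CORE_PREFIX_FILTER, is treated as the stated length, which is an assumption about vendor behaviour.

```python
"""Added example: first-match evaluation of OS10-style IPv4 prefix-lists.

Not OS10 code and not part of the STIG. Length semantics modelled: no ge/le =
exact length; ge alone = [ge, 32]; le alone = [stated length, le]; both =
[ge, le]. A ge below the stated prefix length is treated as the stated length
(assumption about vendor behaviour).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copied from the check and fix text on this page; used as sample input.
SAMPLE_CONFIG = """\
ip prefix-list LONG_PREFIX_FILTER permit 0.0.0.0/0 ge 8 le 24
ip prefix-list LONG_PREFIX_FILTER deny 0.0.0.0/0
ip prefix-list CORE_PREFIX_FILTER seq 5 deny 20.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8
"""


@dataclass(frozen=True)
class PrefixRule:
    seq: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def length_range(self) -> tuple[int, int]:
        """Inclusive range of prefix lengths this rule accepts."""
        base = self.network.prefixlen
        lo = max(self.ge, base) if self.ge is not None else base
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = self.network.max_prefixlen        # 32 for IPv4
        else:
            hi = base                              # no qualifier: exact match
        return lo, hi

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        lo, hi = self.length_range()
        return prefix.subnet_of(self.network) and lo <= prefix.prefixlen <= hi


def parse_prefix_list(config: str, name: str) -> list[PrefixRule]:
    """Parse 'ip prefix-list NAME [seq N] permit|deny PREFIX [ge X] [le Y]' lines.
    Entries without an explicit seq are numbered 5, 10, 15, ... in order of appearance."""
    rules: list[PrefixRule] = []
    auto_seq = 0
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["ip", "prefix-list"] or t[2] != name:
            continue
        rest = t[3:]
        if rest[0] == "seq":
            seq, rest = int(rest[1]), rest[2:]
        else:
            auto_seq += 5
            seq = auto_seq
        action, network = rest[0], ipaddress.ip_network(rest[1], strict=False)
        opts = dict(zip(rest[2::2], rest[3::2]))      # e.g. {"ge": "8", "le": "24"}
        ge = int(opts["ge"]) if "ge" in opts else None
        le = int(opts["le"]) if "le" in opts else None
        rules.append(PrefixRule(seq, action, network, ge, le))
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules: list[PrefixRule], prefix: str) -> tuple[str, Optional[int]]:
    """Return (action, matching seq); no match hits the implicit deny (seq None)."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for r in rules:
        if r.matches(candidate):
            return r.action, r.seq
    return "deny", None


if __name__ == "__main__":
    long_filter = parse_prefix_list(SAMPLE_CONFIG, "LONG_PREFIX_FILTER")
    core_filter = parse_prefix_list(SAMPLE_CONFIG, "CORE_PREFIX_FILTER")
    for p in ["203.0.113.0/24", "203.0.113.0/25", "0.0.0.0/0", "10.0.0.0/7"]:
        print("LONG_PREFIX_FILTER", p, evaluate(long_filter, p))
    for p in ["20.0.0.0/24", "20.0.0.128/25", "192.0.2.0/24", "0.0.0.0/0"]:
        print("CORE_PREFIX_FILTER", p, evaluate(core_filter, p))
```

The script reports the sequence number that decided each prefix, which is the same information an operator needs when reading prefix-list hit counters on the device.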
Review the configuration of the RP to verify that it is rate limiting the number of multicast register messages.

Step 1: Verify that a control-plane class map for PIM packets has been configured.

OS10# show running-configuration class-map
!
class-map type control-plane PIM-CLASS-MAP
match pim

Step 2: Verify that a control-plane policy map for PIM packets has been configured that applies an appropriate rate limit in packets per second.

OS10# show running-configuration policy-map
!
policy-map type control-plane PIM-POLICY-MAP
!
class PIM-CLASS-MAP
set qos-group 2
police cir 10 pir 50

Step 3: Verify the service policy has been assigned to the control plane.

OS10# show running-configuration control-plane
!
control-plane
service-policy input PIM-POLICY-MAP

If the RP is not limiting multicast register messages, this is a finding.
Configure the RP to rate limit the number of multicast register messages.

Step 1: Configure a control-plane class map for PIM packets.

OS10(config)# class-map type control-plane PIM-CLASS-MAP
OS10(config-cmap-control-plane)# match pim

Step 2: Configure a control-plane policy map for PIM packets that applies an appropriate rate limit in packets per second.

OS10(config)# policy-map type control-plane PIM-POLICY-MAP
OS10(config-pmap-control-plane)# class PIM-CLASS-MAP
OS10(config-pmap-c)# set qos-group 2
OS10(config-pmap-c)# police cir 10 pir 50

Step 3: Assign the service policy to the control plane.

OS10(config)# control-plane
OS10(config-control-plane)# service-policy input PIM-POLICY-MAP
Review the configuration of the DR to verify that it is filtering IGMP or MLD report messages, allowing hosts to join only those groups that have been approved.

Note: This requirement is only applicable to Source Specific Multicast (SSM) implementations. It is not applicable to Any Source Multicast (ASM), since there the filtering is performed by the Rendezvous Point router.

Step 1: Verify that SSM is in use. If not, this requirement is not applicable.

!
ip access-list ssm-1
seq 10 permit ip any 236.0.0.0/8
!
ip pim ssm-range ssm-1

Step 2: Verify that each interface applies an appropriate inbound IGMP filter that permits or denies IGMP messages.

!
interface vlan100
no shutdown
ip access-group IGMP_FILTER in
!
ip access-list IGMP_FILTER
seq 10 deny 2 224.0.0.22 239.8.0.0/16 ttl eq 1
seq 20 permit ip any any

Note: The ACL matches only on fields in the IP header (protocol 2 is IGMP); it cannot inspect the group records carried inside an IGMPv3 report.

If the DR is not filtering IGMP or MLD report messages, this is a finding.
Configure the DR to filter the IGMP and MLD report messages to allow hosts to join only those multicast groups that have been approved.

OS10(config)# ip access-list IGMP_FILTER
OS10(config-ipv4-acl)# deny 2 224.0.0.22 239.8.0.0/16 ttl eq 1
OS10(config-ipv4-acl)# permit ip any any
OS10(config-ipv4-acl)# exit
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip access-group IGMP_FILTER in
Review the configuration of the DR to verify that it is filtering IGMP or MLD report messages, allowing hosts to join only multicast groups from sources that have been approved.

Note: This requirement is only applicable to Source Specific Multicast (SSM) implementations.

Step 1: Verify that SSM is in use. If not, this requirement is not applicable.

!
ip access-list ssm-1
seq 10 permit ip any 236.0.0.0/8
!
ip pim ssm-range ssm-1

Step 2: Verify that each interface applies an appropriate inbound IGMP filter that permits or denies IGMP messages.

!
interface vlan100
no shutdown
ip access-group IGMP_FILTER in
!
ip access-list IGMP_FILTER
seq 10 deny 2 224.0.0.22 239.8.0.0/16 ttl eq 1
seq 20 permit 2 224.0.0.0/24 238.5.0.0/16
seq 30 permit ip any any

If the DR is not filtering IGMP or MLD report messages, this is a finding.
Configure the DR to filter the IGMP and MLD report messages to allow hosts to join only those multicast groups from sources that have been approved.

OS10(config)# ip access-list IGMP_FILTER
OS10(config-ipv4-acl)# deny 2 224.0.0.22 239.8.0.0/16 ttl eq 1
OS10(config-ipv4-acl)# permit 2 224.0.0.0/24 238.5.0.0/16
OS10(config-ipv4-acl)# permit ip any any
OS10(config-ipv4-acl)# exit
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip access-group IGMP_FILTER in
Review the router configuration to verify that a loopback address has been configured.

!
interface loopback2
no shutdown
ip address 10.11.12.13/32

Verify that a loopback interface is used as the source address for all iBGP sessions.

!
router bgp 10
!
neighbor 192.0.2.4
update-source loopback2

If the router does not use its loopback address as the source address for all iBGP sessions, this is a finding.
Configure the router to use its loopback address as the source address for all iBGP sessions.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 192.0.2.4
OS10(config-router-neighbor)# update-source loopback2
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if the hop limit has been configured for Router Advertisement messages. Verify that no ipv6 nd hop-limit setting is configured to a value less than 32.

!
interface ethernet1/1/4
...
ipv6 nd hop-limit 32

If the hop limit has been configured and has not been set to at least 32, this is a finding.
Configure each IPv6 interface to advertise a hop limit of at least 32 in Router Advertisement messages, as in the example below.

OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# ipv6 nd send-ra
OS10(conf-if-eth1/1/4)# ipv6 nd hop-limit 32
Review the router configuration to ensure FEC0::/10 IP addresses are not defined. If IPv6 Site Local Unicast addresses are defined, this is a finding.
Configure the router using only authorized IPv6 addresses.
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that Router Advertisements are not enabled on any external IPv6-enabled interface. Verify the ipv6 nd send-ra setting is not configured; the configuration below enables them on ethernet1/1/4 and would be a finding if that interface is external.

!
interface ethernet1/1/4
...
ipv6 nd send-ra

If the router is not configured to suppress Router Advertisements on all external IPv6-enabled interfaces, this is a finding.
Configure the router to suppress Router Advertisements on all external IPv6-enabled interfaces.

OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# no ipv6 nd send-ra
Review the Dell OS10 Switch configuration to determine if support-assist is disabled.

OS10# show support-assist status
EULA support-assist : Rejected
Service : Disabled
OS10#

If support-assist is enabled, this is a finding.
Configure the Dell OS10 Switch to disable support-assist as shown in the example below: OS10(config)# eula-consent support-assist reject