Check: CACI-RT-000011
Cisco ACI Router STIG: CACI-RT-000011 (in version v1 r0.1)
Title
The out-of-band management (OOBM) gateway Cisco ACI must be configured to have separate OSPF instances for the managed network and management network. (Cat II impact)
Discussion
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented to contain the boundary between management and production traffic. Since the managed and management networks are separate routing domains, configuring separate OSPF routing instances on the router is critical to segregate the traffic of each network.
Check Content
If this review is for the DODIN Backbone, mark as not applicable.

Verify separate routing instances in the Cisco APIC as shown in the following example:

```
interface GigabitEthernet 0/0
 ip address 10.0.0.1 255.255.255.0
 no shutdown
 ip route-map "mgmt-routes" permit
router bgp 100   // Management network routing instance

interface GigabitEthernet 0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
 ip route-map "managed-routes" permit
router bgp 200   // Managed network routing instance
```

If separate routing instances are not configured for the managed and management networks, this is a finding.
Fix Text
Configure separate routing instances for the managed and management networks, as shown in the example below:

```
interface GigabitEthernet 0/0
 ip address 10.0.0.1 255.255.255.0
 no shutdown
 ip route-map "mgmt-routes" permit
router bgp 100   // Management network routing instance

interface GigabitEthernet 0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
 ip route-map "managed-routes" permit
router bgp 200   // Managed network routing instance
```
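The check above is performed by reading the configuration; the following script is an added example (not part of the STIG and not Cisco or DISA code) that automates it. It assumes a configuration snippet in the same layout as the STIG example, where each interface stanza is followed by the `router <protocol> <id>` line of the instance serving it, and it records whatever protocol appears there (the STIG title names OSPF, its example shows BGP), so the comparison works for either. The sample configuration, interface names and route-map names are constructed for the example; on a real device the operator supplies the exported configuration and the two interface names.

```python
"""Added compliance check for CACI-RT-000011 (example code, not from the STIG).

Parses a configuration snippet laid out like the STIG example and verifies
that the management and managed interfaces are bound to different routing
instances. A shared instance, or a missing one, is reported as a finding.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the layout of the STIG example (assumption: each
# interface stanza is followed by the routing instance that serves it).
SAMPLE_CONFIG = """\
interface GigabitEthernet 0/0
 ip address 10.0.0.1 255.255.255.0
 no shutdown
 ip route-map "mgmt-routes" permit
router bgp 100
interface GigabitEthernet 0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
 ip route-map "managed-routes" permit
router bgp 200
"""

INTERFACE_RE = re.compile(r"^interface\s+(.+)$")
ROUTE_MAP_RE = re.compile(r'^\s*ip route-map\s+"?([^"\s]+)"?')
ROUTER_RE = re.compile(r"^router\s+(\S+)\s+(\S+)$")


def parse_routing_bindings(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each interface name to the route-map and routing instance bound to it."""
    bindings: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1).strip()
            bindings[current] = {"route_map": None, "instance": None}
            continue
        m = ROUTE_MAP_RE.match(line)
        if m and current:
            bindings[current]["route_map"] = m.group(1)
            continue
        m = ROUTER_RE.match(line)
        if m and current:
            # "router bgp 100" -> instance "bgp 100"; this line closes the stanza.
            bindings[current]["instance"] = f"{m.group(1)} {m.group(2)}"
            current = None
    return bindings


def check_separate_instances(config: str, mgmt_if: str, managed_if: str) -> Tuple[bool, str]:
    """Return (compliant, reason); False means the STIG check is a finding."""
    bindings = parse_routing_bindings(config)
    for name in (mgmt_if, managed_if):
        if name not in bindings:
            return False, f"interface {name} not found in configuration"
        if bindings[name]["instance"] is None:
            return False, f"interface {name} has no routing instance bound to it"
    mgmt_inst = bindings[mgmt_if]["instance"]
    managed_inst = bindings[managed_if]["instance"]
    if mgmt_inst == managed_inst:
        return False, f"management and managed networks share routing instance '{mgmt_inst}'"
    return True, f"management uses '{mgmt_inst}', managed uses '{managed_inst}'"


if __name__ == "__main__":
    ok, reason = check_separate_instances(SAMPLE_CONFIG, "GigabitEthernet 0/0", "GigabitEthernet 0/1")
    print("compliant" if ok else "FINDING", "-", reason)
```

Running the script against the embedded sample reports the two instances (`bgp 100` and `bgp 200`) as separate; editing the sample so both stanzas end in `router bgp 100` turns the result into a finding with the shared instance named in the reason.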
Additional Identifiers
Rule ID: SV-272071r1064581_rule
Vulnerability ID: V-272071
Group Title: SRG-NET-000019-RTR-000011
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001414 | Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies. |
Controls
| Number | Title |
|---|---|
| AC-4 | Information Flow Enforcement |