Check: CISC-RT-000420
Cisco IOS XR Router RTR STIG:
CISC-RT-000420
(in versions v2 r4 through v1 r0.1)
Title
The Cisco out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network. (Cat II impact)
Discussion
If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the managed and management network are separate routing domains, configuration of separate Interior Gateway Protocol routing instances is critical on the router to segregate traffic from each network.
Check Content
This requirement is not applicable for the DODIN Backbone. Verify that the OOBM interface is an adjacency in the IGP domain for the management network via separate VRF as shown in the example below. router ospf 2 vrf MGMT area 0 interface GigabitEthernet0/0/0/0.2 ! ! ! ! router ospf 3 vrf PROD area 0 interface GigabitEthernet0/0/0/0.3 ! ! ! ! If the router is not configured to have separate IGP instances for the managed network and management network, this is a finding.
Fix Text
This requirement is not applicable for the DODIN Backbone. Configure the router to have a separate IGP instance for the management network as shown in the example below. RP/0/0/CPU0:R2(config)#router ospf 2 vrf MGMT RP/0/0/CPU0:R2(config-ospf-vrf)#area 0 RP/0/0/CPU0:R2(config-ospf-vrf-ar)#interface GigabitEthernet0/0/0/0.2 RP/0/0/CPU0:R2(config-ospf-vrf-ar-if)#exit RP/0/0/CPU0:R2(config-ospf-vrf-ar)#exit RP/0/0/CPU0:R2(config-ospf-vrf)#exit RP/0/0/CPU0:R2(config-ospf)#exit RP/0/0/CPU0:R2(config)#router ospf 3 vrf PROD RP/0/0/CPU0:R2(config-ospf-vrf)#area 0 RP/0/0/CPU0:R2(config-ospf-vrf-ar)#interface GigabitEthernet0/0/0/0.3 RP/0/0/CPU0:R2(config-ospf-vrf-ar-if)#end
Additional Identifiers
Rule ID: SV-216770r531087_rule
Vulnerability ID: V-216770
Group Title: SRG-NET-000019-RTR-000011
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001414 |
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |