An error occurred:

Check: RCKS-RTR-000360

RUCKUS ICX Router STIG: RCKS-RTR-000360 (in version v1 r1)

Title

The RUCKUS ICX P router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile. (Cat III impact)

Discussion

Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to manage network congestion. The Differentiated Services Model (DiffServ) is based on per-hop behavior by categorizing traffic into different classes and enabling each node to enforce a forwarding treatment to each packet as dictated by a policy. Packet markings such as IP Precedence and its successor, Differentiated Services Code Points (DSCP), were defined along with specific per-hop behaviors for key traffic types to enable a scalable QoS solution. DiffServ QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. It is imperative that end-to-end QoS is implemented within the IP core network to provide preferred treatment for mission-critical applications.

Check Content

Review the QoS-ToS mapping of the P router. If the DSCP mapping to priority queues does not comply with the GiG Technical Profile, this is a finding.

Fix Text

Configure DSCP mapping: ICX(config)# qos-tos map dscp-priority 8 to 0 ICX(config)# qos-tos map dscp-priority 0 1 2 3 4 5 6 7 to 1 ICX(config)# qos-tos map dscp-priority 42 44 50 52 53 54 55 56 to 1 ICX(config)# qos-tos map dscp-priority 57 58 59 60 61 62 63 to 1 ICX(config)# qos-tos map dscp-priority 9 10 11 12 13 14 15 25 to 2 ICX(config)# qos-tos map dscp-priority 26 27 29 31 to 2 ICX(config)# qos-tos map dscp-priority 34 36 38 46 to 3 ICX(config)# qos-tos map dscp-priority 40 41 43 45 47 49 51 to 4 ICX(config)# qos-tos map dscp-priority 48 to 5

Additional Identifiers

Rule ID: SV-273603r1110895_rule

Vulnerability ID: V-273603

Group Title: SRG-NET-000193-RTR-000114

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001095

Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service attacks.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-5(2)

Excess Capacity / Bandwidth / Redundancy