Check: RCKS-RTR-000200
RUCKUS ICX Router STIG: RCKS-RTR-000200 (in version v1 r1)
Title
The RUCKUS ICX out-of-band management (OOBM) gateway router must be configured to have separate Interior Gateway Protocol (IGP) instances for the managed network and management network. (Cat II impact)
Discussion
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented to contain the boundary between management and production traffic. Since the managed network and the management network are separate routing domains, configuring separate IGP routing instances on the router is critical to segregate the traffic of each network.
Check Content
This requirement is not applicable for the DODIN Backbone.

Verify there is a separate VRF for the management and production domains:

```
ICX# show vrf
Total number of VRFs configured: 2
Status Codes - A:active, D:pending deletion, I:inactive
Name   Default RD   vrf|v4|v6   Routes   Interfaces
Mgmt   1:1          A | A| A    12       ve111 ve211 ve311*
Prod   10:12        A | A| A    4        ve1117 port-id tn1*
Total number of IPv4 unicast route for all non-default VRF is 8
Total number of IPv6 unicast route for all non-default VRF is 8
```

If the OOBM gateway router does not have separate VRFs for management and production, or the interfaces are associated with the wrong VRF, this is a finding.
Fix Text
This requirement is not applicable for the DODIN Backbone.

Configure separate Mgmt and Prod VRFs and assign interfaces as appropriate:

```
ICX(config)# vrf Mgmt
ICX(config-vrf-Mgmt)# rd 11:11
ICX(config-vrf-Mgmt)# address-family ipv4 unicast
ICX(config-vrf-Mgmt)# exit
ICX(config)# vrf Prod
ICX(config-vrf-Prod)# rd 10:10
ICX(config-vrf-Prod)# address-family ipv4 unicast
ICX(config-vrf-Prod)# exit
ICX(config)# router ospf vrf Mgmt
ICX(config-ospf-router)# area 0
ICX(config-ospf-router)# exit
ICX(config)# interface ve 10
ICX(config-vif-10)# vrf forwarding Mgmt
Warning: All IPv4 and IPv6 addresses (including link-local) on this interface have been removed
ICX(config-vif-10)# ip address x.x.x.x/24
ICX(config-vif-10)# ip ospf area 0
ICX(config-vif-10)# ip ospf passive
ICX(config-vif-10)# exit
```

The above example assigns the L3 interface for VLAN 10 to VRF Mgmt.
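As an added compliance check, not part of the STIG text or of any RUCKUS tooling, the following Python script parses a constructed running-config modelled on the Fix Text above and reports the findings the Check Content describes: a missing Mgmt or Prod VRF, a VRF without its own OSPF instance, or an interface in the wrong VRF. The config line format and the interface-to-VRF expectations passed in are assumptions.

```python
import re
# Constructed sample running-config, modelled on the Fix Text above (not from a real ICX).
SAMPLE_CONFIG = """\
vrf Mgmt
 rd 11:11
vrf Prod
 rd 10:10
router ospf vrf Mgmt
 area 0
router ospf vrf Prod
 area 0
interface ve 10
 vrf forwarding Mgmt
 ip address 192.0.2.1/24
 ip ospf area 0
interface ve 20
 vrf forwarding Prod
 ip address 198.51.100.1/24
"""

def parse_config(text):
    """Return (VRF names, VRFs with an OSPF instance, interface -> VRF map)."""
    vrfs, ospf_vrfs, iface_vrf, iface = set(), set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vrf (\S+)", line):
            vrfs.add(m.group(1)); iface = None
        elif m := re.fullmatch(r"router ospf vrf (\S+)", line):
            ospf_vrfs.add(m.group(1)); iface = None
        elif m := re.fullmatch(r"interface (.+)", line):
            iface = m.group(1)
            iface_vrf.setdefault(iface, "default")  # default VRF until 'vrf forwarding' seen
        elif (m := re.fullmatch(r"vrf forwarding (\S+)", line)) and iface:
            iface_vrf[iface] = m.group(1)
    return vrfs, ospf_vrfs, iface_vrf

def findings(text, expected):
    """expected maps interface -> required VRF; returns the STIG findings as strings."""
    vrfs, ospf_vrfs, iface_vrf = parse_config(text)
    out = []
    for name in ("Mgmt", "Prod"):
        if name not in vrfs:
            out.append(f"VRF {name} is not configured")
        elif name not in ospf_vrfs:
            out.append(f"VRF {name} has no separate OSPF instance")
    for iface, want in expected.items():
        got = iface_vrf.get(iface, "<absent>")
        if got != want:
            out.append(f"interface {iface} is in VRF {got}, expected {want}")
    return out
```

An empty result means no finding for this check; feed it the output of `show running-config` from the gateway router under review.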
Additional Identifiers
Rule ID: SV-273588r1110913_rule
Vulnerability ID: V-273588
Group Title: SRG-NET-000019-RTR-000011
Expert Comments
CCIs
Number | Definition
---|---
CCI-001414 | Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies.
Controls
Number | Title
---|---
AC-4 | Information Flow Enforcement