STIGQter: STIG Summary: Cisco IOS Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

The Cisco P router must be configured to implement a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.

DISA Rule

SV-216620r531085_rule

Vulnerability Number

V-216620

Group Title

SRG-NET-000193-RTR-000114

Rule Version

CISC-RT-000770

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure a QoS policy in accordance with the QoS DODIN Technical Profile.

Step 1: Configure class-maps to match on DSCP values as shown in the configuration example below.

R5(config)#class-map match-all PREFERRED_DATA
R5(config-cmap)#match ip dscp af33
R5(config-cmap)#class-map match-all CONTROL_PLANE
R5(config-cmap)#match ip dscp cs6
R5(config-cmap)#class-map match-all VIDEO
R5(config-cmap)#match ip dscp af41
R5(config-cmap)#class-map match-all VOICE
R5(config-cmap)#match ip dscp ef
R5(config-cmap)#class-map match-all C2_VOICE
R5(config-cmap)#match ip dscp 47
R5(config-cmap)#exit

Step 2: Configure a policy map to be applied to the core-layer-facing interface that reserves the bandwidth for each traffic type as shown in the example below.

R5(config)#policy-map QOS_POLICY
R5(config-pmap)#class CONTROL_PLANE
R5(config-pmap-c)#priority percent 10
R5(config-pmap-c)#class C2_VOICE
R5(config-pmap-c)#priority percent 10
R5(config-pmap-c)#class VOICE
R5(config-pmap-c)#priority percent 15
R5(config-pmap-c)#class VIDEO
R5(config-pmap-c)#bandwidth percent 25
R5(config-pmap-c)#class PREFERRED_DATA
R5(config-pmap-c)#bandwidth percent 25
R5(config-pmap-c)#class class-default
R5(config-pmap-c)#bandwidth percent 15
R5(config-pmap-c)#exit
R5(config-pmap)#exit

Step 3: Apply the output service policy to all interfaces as shown in the configuration example below.

R5(config)#int g1/1
R5(config-if)#service-policy output QOS_POLICY
R5(config-if)#exit
R5(config)#int g1/2
R5(config-if)#service-policy output QOS_POLICY
R5(config-if)#end

Check Contents

Review the router configuration and verify that a QoS policy has been configured to provide preferred treatment for mission-critical applications in accordance with the QoS DODIN Technical Profile.

Step 1: Verify that the class-maps are configured to match on DSCP values as shown in the configuration example below.

class-map match-all PREFERRED_DATA
match ip dscp af33
class-map match-all CONTROL_PLANE
match ip dscp cs6
class-map match-all VIDEO
match ip dscp af41
class-map match-all VOICE
match ip dscp ef
class-map match-all C2_VOICE
match ip dscp 47

Step 2: Verify that the policy map reserves the bandwidth for each traffic type as shown in the following example:

policy-map QOS_POLICY
class CONTROL_PLANE
priority percent 10
class C2_VOICE
priority percent 10
class VOICE
priority percent 15
class VIDEO
bandwidth percent 25
class PREFERRED_DATA
bandwidth percent 25
class class-default
bandwidth percent 15

Step 3: Verify that an output service policy is bound to all interfaces as shown in the configuration example below.

interface GigabitEthernet1/1
ip address 10.1.15.5 255.255.255.252
service-policy output QOS_POLICY
!
interface GigabitEthernet1/2
ip address 10.1.15.9 255.255.255.252
service-policy output QOS_POLICY

If the router is not configured to implement a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.
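
The three verification steps above can be automated against a saved `show running-config`. The following Python checker is an added example, not part of the STIG or of STIGQter; it assumes the policy-map name QOS_POLICY from the example configuration, treats loopback interfaces as exempt from the interface check (they carry no transit traffic), and runs over a constructed sample config that deliberately contains two deviations.

```python
import re

# Constructed running-config excerpt (not captured from a real device): the policy map
# references a VOICE class that has no class-map, and GigabitEthernet1/2 binds no policy.
SAMPLE_CONFIG = """\
class-map match-all CONTROL_PLANE
 match ip dscp cs6
policy-map QOS_POLICY
 class CONTROL_PLANE
  priority percent 10
 class VOICE
  priority percent 15
 class class-default
  bandwidth percent 15
interface GigabitEthernet1/1
 ip address 10.1.15.5 255.255.255.252
 service-policy output QOS_POLICY
interface GigabitEthernet1/2
 ip address 10.1.15.9 255.255.255.252
interface Loopback0
 ip address 10.255.0.5 255.255.255.255
"""

def audit_qos(config, policy="QOS_POLICY"):
    """Return CISC-RT-000770 findings for a running-config text (empty list = compliant)."""
    dscp_classes, reserved, bound, interfaces = set(), {}, set(), []
    stanza, cls = "", None
    for line in config.splitlines():
        if not line.startswith(" "):                 # unindented line opens a new stanza
            stanza, cls = line.strip(), None
            if stanza.startswith("interface ") and "Loopback" not in stanza:
                interfaces.append(stanza.split()[1])  # loopbacks carry no transit traffic
            continue
        line = line.strip()
        if stanza.startswith("class-map ") and re.match(r"match (ip )?dscp ", line):
            dscp_classes.add(stanza.split()[-1])      # class-map name is the last token
        elif stanza == f"policy-map {policy}":
            if line.startswith("class "):
                cls = line.split(None, 1)[1]
            elif cls and (m := re.match(r"(priority|bandwidth) percent (\d+)", line)):
                reserved[cls] = int(m.group(2))       # LLQ or CBWFQ share for this class
        elif stanza.startswith("interface ") and line == f"service-policy output {policy}":
            bound.add(stanza.split()[1])
    findings = [] if reserved else [f"policy-map {policy} missing or reserves no bandwidth"]
    findings += [f"class {c} has no DSCP-matching class-map"
                 for c in reserved if c != "class-default" and c not in dscp_classes]
    if sum(reserved.values()) > 100:
        findings.append("reserved bandwidth exceeds 100 percent")
    findings += [f"{i} has no output service-policy {policy}" for i in interfaces if i not in bound]
    return findings
```

Feed it the text of `show running-config` from each P router; any non-empty result is a finding for this rule.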

Vulnerability Number

V-216620

Documentable

False

Rule Version

CISC-RT-000770

Severity Override Guidance

Check Content Reference

M

Target Key

4027

Comments