STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.

DISA Rule

SV-216804r531087_rule

Vulnerability Number

V-216804

Group Title

SRG-NET-000193-RTR-000113

Rule Version

CISC-RT-000760

Severity

CAT III

CCI(s)

• CCI-001095 - The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

Weight

10

Fix Recommendation

Configure a QoS policy in accordance with the QoS DODIN Technical Profile.

Step 1: Configure class-maps to match on DSCP values as shown in the configuration example below.

RP/0/0/CPU0:R2(config-cmap)#class-map match-all C2_VOICE
RP/0/0/CPU0:R2(config-cmap)#match dscp 47
RP/0/0/CPU0:R2(config-cmap)#class-map match-all VOICE
RP/0/0/CPU0:R2(config-cmap)#match dscp ef
RP/0/0/CPU0:R2(config-cmap)#class-map match-all VIDEO
RP/0/0/CPU0:R2(config-cmap)#match dscp af41
RP/0/0/CPU0:R2(config-cmap)#class-map match-all CONTROL_PLANE
RP/0/0/CPU0:R2(config-cmap)#match dscp cs6
RP/0/0/CPU0:R2(config-cmap)#class-map match-all PREFERRED_DATA
RP/0/0/CPU0:R2(config-cmap)#match dscp af33
RP/0/0/CPU0:R2(config-cmap)#exit

Step 2: Configure a policy map to be applied to the core-layer-facing interface that reserves the bandwidth for each traffic type as shown in the example below.

RP/0/0/CPU0:R2(config-pmap)#policy-map QOS_POLICY
RP/0/0/CPU0:R2(config-pmap)#class C2_VOICE
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 10
RP/0/0/CPU0:R2(config-pmap-c)#class VOICE
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 15
RP/0/0/CPU0:R2(config-pmap-c)#class VIDEO
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 25
RP/0/0/CPU0:R2(config-pmap-c)#class CONTROL_PLANE
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 10
RP/0/0/CPU0:R2(config-pmap-c)#class PREFERRED_DATA
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 25
RP/0/0/CPU0:R2(config-pmap-c)#class class-default
RP/0/0/CPU0:R2(config-pmap-c)#bandwidth percent 15
RP/0/0/CPU0:R2(config-pmap-c)#exit

Step 3: Apply the output service policy to the core-layer-facing interface as shown in the configuration example below.

RP/0/0/CPU0:R2(config)#int g0/0/0/1
RP/0/0/CPU0:R2(config-if)#service-policy output QOS_POLICY
RP/0/0/CPU0:R2(config-if)#exit
RP/0/0/CPU0:R2(config)#int g0/0/0/2
RP/0/0/CPU0:R2(config-if)#service-policy output QOS_POLICY
RP/0/0/CPU0:R2(config-if)#end

Check Contents

Review the router configuration and verify that a QoS policy has been configured to provide preferred treatment for mission-critical applications in accordance with the QoS DODIN Technical Profile.

Step 1: Verify that the class-maps are configured to match on DSCP values as shown in the configuration example below.

class-map match-all VIDEO
match dscp af41
end-class-map
!
class-map match-all VOICE
match dscp ef
end-class-map
!
class-map match-all C2_VOICE
match dscp 47
end-class-map
!
class-map match-all CONTROL_PLANE
match dscp cs6
end-class-map
!
class-map match-all PREFERRED_DATA
match dscp af33
end-class-map
!

Step 2: Verify that the policy map reserves the bandwidth for each traffic type as shown in the following example:

policy-map QOS_POLICY
class C2_VOICE
bandwidth percent 10
!
class VOICE
bandwidth percent 15
!
class VIDEO
bandwidth percent 25
!
class CONTROL_PLANE
bandwidth percent 10
!
class PREFERRED_DATA
bandwidth percent 25
!
class class-default
bandwidth percent 15
!
end-policy-map
!

Step 3: Verify that an output service policy is bound to all interface as shown in the configuration example below.

interface GigabitEthernet0/0/0/1
service-policy output QOS_POLICY
ipv4 address x.1.24.2 255.255.255.252
!
interface GigabitEthernet0/0/0/2
service-policy output QOS_POLICY
ipv4 address x.1.24.5 255.255.255.252

Note: Enclaves must mark or re-mark their traffic to be consistent with the DODIN backbone admission criteria to gain the appropriate level of service. A general DiffServ principle is to mark or trust traffic as close to the source as administratively and technically possible. However, certain traffic types might need to be re-marked before handoff to the DODIN backbone to gain admission to the correct class. If such re-marking is required, it is recommended that the re-marking be performed at the CE egress edge.

If the router is not configured to enforce a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.

Vulnerability Number

V-216804

Documentable

False

Rule Version

CISC-RT-000760

Severity Override Guidance

Review the router configuration and verify that a QoS policy has been configured to provide preferred treatment for mission-critical applications in accordance with the QoS DODIN Technical Profile.

Step 1: Verify that the class-maps are configured to match on DSCP values as shown in the configuration example below.

class-map match-all VIDEO
match dscp af41
end-class-map
!
class-map match-all VOICE
match dscp ef
end-class-map
!
class-map match-all C2_VOICE
match dscp 47
end-class-map
!
class-map match-all CONTROL_PLANE
match dscp cs6
end-class-map
!
class-map match-all PREFERRED_DATA
match dscp af33
end-class-map
!

Step 2: Verify that the policy map reserves the bandwidth for each traffic type as shown in the following example:

policy-map QOS_POLICY
class C2_VOICE
bandwidth percent 10
!
class VOICE
bandwidth percent 15
!
class VIDEO
bandwidth percent 25
!
class CONTROL_PLANE
bandwidth percent 10
!
class PREFERRED_DATA
bandwidth percent 25
!
class class-default
bandwidth percent 15
!
end-policy-map
!

Step 3: Verify that an output service policy is bound to all interface as shown in the configuration example below.

interface GigabitEthernet0/0/0/1
service-policy output QOS_POLICY
ipv4 address x.1.24.2 255.255.255.252
!
interface GigabitEthernet0/0/0/2
service-policy output QOS_POLICY
ipv4 address x.1.24.5 255.255.255.252

Note: Enclaves must mark or re-mark their traffic to be consistent with the DODIN backbone admission criteria to gain the appropriate level of service. A general DiffServ principle is to mark or trust traffic as close to the source as administratively and technically possible. However, certain traffic types might need to be re-marked before handoff to the DODIN backbone to gain admission to the correct class. If such re-marking is required, it is recommended that the re-marking be performed at the CE egress edge.

If the router is not configured to enforce a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.

Check Content Reference

M

Target Key

4029

Comments