STIGQter: STIG Summary: Cisco IOS XE Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.

DISA Rule

SV-220651r539671_rule

Vulnerability Number

V-220651

Group Title

SRG-NET-000193-L2S-000020

Rule Version

CISC-L2-000040

Severity

CAT II

CCI(s)

CCI-001095 - The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

Weight

Fix Recommendation

Step 1: Configure class-maps to match on DSCP values as shown in the configuration example below:

SW1(config-cmap)#class-map match-all C2_VOICE
SW1(config-cmap)# match ip dscp 47
SW1(config-cmap)#class-map match-all VOICE
SW1(config-cmap)# match ip dscp ef
SW1(config-cmap)#class-map match-all VIDEO
SW1(config-cmap)# match ip dscp af41
SW1(config)#class-map match-all PREFERRED_DATA
SW1(config-cmap)# match ip dscp af33
SW1(config-cmap)#exit

Step 2: Configure a policy map to be applied to the core-layer-facing interface that reserves the bandwidth for each traffic type as shown in the example below:

SW1(config)#policy-map QOS_POLICY_SWITCHPORT
SW1(config-pmap-c)#class C2_VOICE
SW1(config-pmap-c)# priority level 1 10
SW1(config-pmap-c)#class VOICE
SW1(config-pmap-c)# priority level 2 15
SW1(config-pmap-c)#class VIDEO
SW1(config-pmap-c)#bandwidth percent 25
SW1(config-pmap-c)#class PREFERRED_DATA
SW1(config-pmap-c)#bandwidth percent 25
SW1(config-pmap-c)#class class-default
SW1(config-pmap-c)#bandwidth percent 25
SW1(config-pmap-c)#exit
SW1(config-pmap)#exit

Step 3: Apply the output service policy to the core-layer-facing interface as shown in the configuration example below:

SW1(config)#int g1/1
SW1(config-if)#service-policy output QOS_POLICY_SWITCHPORT
SW1(config-if)#exit
SW1(config)#int g1/2
SW1(config-if)#service-policy output QOS_POLICY_SWITCHPORT
SW1(config-if)#exit
SW1(config)#int g1/3
SW1(config-if)#service-policy output QOS_POLICY_SWITCHPORT
SW1(config-if)#end.

Check Contents

Step 1: Verify that the class-maps are configured to match on DSCP values as shown in the configuration example below:

class-map match-all C2_VOICE
match ip dscp af47
class-map match-all VOICE
match ip dscp ef
class-map match-all VIDEO
match ip dscp af41
class-map match-all PREFERRED_DATA
match ip dscp af33

Step 2: Verify that the policy map reserves the bandwidth for each traffic type as shown in the following example:

policy-map QOS_POLICY_SWITCHPORT
class C2_VOICE
priority level 1 10
class VOICE
priority level 2 15
class VIDEO
bandwidth percent 25
class PREFERRED_DATA
bandwidth percent 25
class class-default
bandwidth percent 25
verone

interface GigabitEthernet1/1
switchport trunk allowed vlan 100,110,200
switchport mode trunk
service-policy output QOS_POLICY_SWITCHPORT
!
interface GigabitEthernet1/2
switchport access vlan 100
switchport mode access
switchport voice vlan 200
trust device cisco-phone
service-policy output QOS_POLICY_SWITCHPORT
!
interface GigabitEthernet1/2
switchport access vlan 110
switchport mode access
switchport voice vlan 200
trust device cisco-phone
service-policy output QOS_POLICY_SWITCHPORT

If QoS has not been enabled, this is a finding.

The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments