STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

DISA Rule

SV-221131r622190_rule

Vulnerability Number

V-221131

Group Title

SRG-NET-000193-RTR-000112

Rule Version

CISC-RT-000780

Severity

CAT II

CCI(s)

• CCI-001095 - The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

Weight

10

Fix Recommendation

Step 1: Configure a class map for the SCAVENGER class.

SW1(config)# class-map match-all SCAVENGER
SW1(config-cmap)# match ip dscp cs1

Step 2: Add the SCAVENGER class to the policy map as shown in the example below:

SW1(config)# policy-map QOS_POLICY
SW1(config-pmap-c)# no class class-default
SW1(config-pmap)# class SCAVENGER
SW1(config-pmap-c)# bandwidth percent 5
SW1(config-pmap-c)# class class-default
SW1(config-pmap-c)# bandwidth percent 10
SW1(config-pmap-c)# end

Check Contents

Step 1: Verify that a class map has been configured for the Scavenger class as shown in the example below:

class-map match-all SCAVENGER
match ip dscp cs1

Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below:

policy-map QOS_POLICY
class CONTROL_PLANE
priority percent 10
class C2_VOICE
priority percent 10
class VOICE
priority percent 15
class VIDEO
bandwidth percent 25
class PREFERRED_DATA
bandwidth percent 25
class SCAVENGER
bandwidth percent 5
class class-default
bandwidth percent 10

Note: Traffic out of profile must be marked at the customer access layer or CE egress edge.

If the switch is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.

Vulnerability Number

V-221131

Documentable

False

Rule Version

CISC-RT-000780

Severity Override Guidance

Step 1: Verify that a class map has been configured for the Scavenger class as shown in the example below:

class-map match-all SCAVENGER
match ip dscp cs1

Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below:

policy-map QOS_POLICY
class CONTROL_PLANE
priority percent 10
class C2_VOICE
priority percent 10
class VOICE
priority percent 15
class VIDEO
bandwidth percent 25
class PREFERRED_DATA
bandwidth percent 25
class SCAVENGER
bandwidth percent 5
class class-default
bandwidth percent 10

Note: Traffic out of profile must be marked at the customer access layer or CE egress edge.

If the switch is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.

Check Content Reference

M

Target Key

4075

Comments