Rule ID
SV-273588r1110913_rule
Version
V1R1
CCIs
If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the managed and management network are separate routing domains, configuration of separate IGP routing instances is critical on the router to segregate traffic from each network.
This requirement is not applicable for the DODIN Backbone. Verify there is a separate VRF for management and production domains: ICX# show vrf Total number of VRFs configured: 2 Status Codes - A:active, D:pending deletion, I:inactive Name Default RD vrf|v4|v6 Routes Interfaces Mgmt 1:1 A | A| A 12 ve111 ve211 ve311* Prod 10:12 A | A| A 4 ve1117 port-id tn1* Total number of IPv4 unicast route for all non-default VRF is 8 Total number of IPv6 unicast route for all non-default VRF is 8 If the OOBM gateway router does not have separate VRFs for management and production or the interfaces are associated with the wrong VRF, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure separate Mgmt and Prod VRFs and assign interfaces as appropriate: ICX(config)# vrf Mgmt ICX(config-vrf-Mgmt)# rd 11:11 ICX(config-vrf-Mgmt)# address-family ipv4 unicast ICX(config-vrf-Mgmt)# exit ICX(config)# vrf Prod ICX(config-vrf-Prod)# rd 10:10 ICX(config-vrf-Prod)# address-family ipv4 unicast ICX(config-vrf-Prod)# exit ICX(config)# router ospf vrf Mgmt ICX(config-ospf-router)# area 0 ICX(config-ospf-router)# exit ICX(config)# interface ve 10 ICX(config-vif-10)# vrf forwarding Mgmt Warning: All IPv4 and IPv6 addresses (including link-local) on this interface have been removed have been removed ICX(config-vif-10)# ip address x.x.x.x/24 ICX(config-vif-10)# ip ospf area 0 ICX(config-vif-10)# ip ospf passive ICX(config-vif-10)# exit The above example assigns L3 interface from VLAN 10 to VRF Mgmt.