STIGhub


V-269872

CAT I (High)

The Dell OS10 Router must be configured to restrict traffic destined to itself.

Rule ID

SV-269872r1052001_rule

STIG

Dell OS10 Switch Router Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001097

Discussion

The route processor handles traffic destined to the router. It is the key component used to build forwarding paths and is also instrumental to all network management functions. Hence, any disruption or denial-of-service (DoS) attack on the route processor can result in mission-critical network outages.

Check Content

Review the access control list (ACL) or filter for the router receive path and verify that it will only process specific management plane and control plane traffic from specific sources.

Step 1: Examine the interface configuration for the control plane ACLs applied to the traffic destined to the router control plane from the OOBM management port or front panel data ports.

!
control-plane
 ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
 ip access-group MGMT_TRAFFIC_FROM_DATA data in

Step 2: Review the control plane ACLs and verify that traffic is limited appropriately.

!
ip access-list MGMT_TRAFFIC_FROM_OOBM
 seq 10 permit ...
 seq 20 permit ...
 seq 30 deny ... log
 seq 40 deny ... log

!
ip access-list MGMT_TRAFFIC_FROM_DATA
 seq 10 permit ...
 seq 20 permit ...
 seq 30 deny ... log
 seq 40 deny ... log

If the router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding.
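
The two check steps above can be run against a saved copy of the running configuration. The following Python is an added example, not part of the STIG or of Dell tooling: it confirms that an inbound ACL is applied under control-plane for both mgmt and data and that each applied ACL is defined. The function names and the rule that each ACL must end in "deny ... log" (taken from the layout shown above) are assumptions of this example, and whether the permit entries are narrow enough still needs reviewer judgment.

```python
import re

# Constructed sample in the page's layout; rule bodies stay elided ("...") as on the page.
COMPLIANT = """\
control-plane
 ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
 ip access-group MGMT_TRAFFIC_FROM_DATA data in
!
ip access-list MGMT_TRAFFIC_FROM_OOBM
 seq 10 permit ...
 seq 20 deny ... log
!
ip access-list MGMT_TRAFFIC_FROM_DATA
 seq 10 permit ...
 seq 20 deny ... log
"""

def parse_sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    sections, current = {}, []
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            current = []  # separator: indented lines that follow belong to no section
        elif line[0].isspace():
            current.append(line.strip())
        else:
            current = sections.setdefault(line.strip(), [])
    return sections

def audit_control_plane(config):
    """Return structural gaps; an empty list means both receive-path filters are in place."""
    sections, gaps, bound = parse_sections(config), [], {}
    for line in sections.get("control-plane", []):
        if m := re.fullmatch(r"ip access-group (\S+) (mgmt|data) in", line):
            bound[m.group(2)] = m.group(1)
    for port in ("mgmt", "data"):
        name = bound.get(port)
        lines = sections.get(f"ip access-list {name}")
        if name is None:
            gaps.append(f"{port}: no inbound ACL applied under control-plane")
        elif lines is None:
            gaps.append(f"{port}: ACL {name} is applied but not defined")
        else:
            rules = sorted((int(t[1]), t[2], "log" in t[3:]) for t in map(str.split, lines)
                           if len(t) >= 3 and t[0] == "seq" and t[1].isdigit())
            if not rules:
                gaps.append(f"{port}: ACL {name} has no entries")
            elif rules[-1][1:] != ("deny", True):  # assumption: final entry is 'deny ... log'
                gaps.append(f"{port}: ACL {name} does not end in 'deny ... log'")
    return gaps
```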

Fix Text

Configure the router with receive path filters to restrict traffic destined to the router.

Step 1: Configure inbound ACLs to restrict which packets are allowed to reach the control plane from the OOBM management port and from the front panel data ports.

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log

Step 2: Apply the ACLs to the ingress of the control-plane.

OS10(config)# control-plane
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in