V-273614

Discussion

The OOBM network is an IP network used exclusively for the transport of operations, administration, maintenance, and provisioning (OAM&P) data from the network being managed to the operations support system (OSS) components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed network elements and the NOC. This allows the use of paths separate from those used by the managed network.

Check Content

This requirement is not applicable for the DODIN Backbone.

Review the network topology diagram to determine connectivity between the managed network and the NOC. Review the OOBM gateway router configuration to validate the path the management traffic traverses. Verify only management traffic is forwarded through the OOBM interface or IPsec tunnel.

If an OOBM link is used, verify the only authorized management traffic is transported to the NOC by reviewing the outbound ACL applied to the OOBM interface as shown in the example below:

1. Note the outbound ACL applied to the OOBM interface.

interface ethernet 1/1/1
 port-name OOBM-to-NOC
 ip access-group MGMT_TRAFFIC_ACL out logging enable
!

2. Review the outbound ACL and verify only management traffic is forwarded to the NOC.

ip access-list extended MGMT_TRAFFIC_ACL
 sequence 10 permit tcp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq radius
 sequence 20 permit tcp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq ssh
 sequence 30 permit udp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp
 sequence 40 permit udp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq shell
 sequence 50 permit icmp x.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255
 sequence 60 deny ip any any log
!

If traffic other than authorized management traffic is permitted through the OOBM interface, this is a finding.