Rule ID
SV-269879r1052022_rule
Version
V1R2
CCIs
CCI-001097
The OOBM network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed network elements and the NOC. This allows the use of paths separate from those used by the managed network.
This requirement is not applicable for the DODIN Backbone. Review the network topology diagram to determine connectivity between the managed network and the NOC. Review the OOBM gateway router configuration to validate the path that the management traffic traverses. Verify that only management traffic is forwarded through the OOBM interface. If traffic other than authorized management traffic is permitted through the OOBM interface, this is a finding.
This requirement is not applicable for the DODIN Backbone. Configure ACLs based on port, source IP address, and destination IP address to permit only authorized management traffic through the OOBM interfaces used for forwarding management data. Step 1: Configure named ACL with appropriate filter rules. OS10(config)# ip access-list MGMT_TRAFFIC_TO_NOC OS10(config-ipv4-acl)# permit tcp 10.10.0.0/16 10.10.0.0/16 eq 22 OS10(config-ipv4-acl)# permit udp 10.10.0.0/16 10.10.0.0/16 range 161 162 OS10(config-ipv4-acl)# permit udp 10.10.0.0/16 10.10.0.0/16 range 1812 1813 OS10(config-ipv4-acl)# permit tcp 10.10.0.0/16 10.10.0.0/16 range 1812 1813 OS10(config-ipv4-acl)# permit udp 10.10.0.0/16 10.10.0.0/16 eq 123 OS10(config-ipv4-acl)# permit udp 10.10.0.0/16 10.10.0.0/16 eq 514 OS10(config-ipv4-acl)# permit tcp 10.10.0.0/16 10.10.0.0/16 eq 6514 OS10(config-ipv4-acl)# deny ip any any log Step 2: Apply the ACLs on the appropriate external and internal interfaces. OS10(config-ipv4-acl)# interface ethernet1/1/1 OS10(conf-if-eth1/1/4)# ip access-group MGMT_TRAFFIC_TO_NOC out