Rule ID
SV-269880r1052242_rule
Version
V1R2
CCIs
CCI-001097
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. It is imperative that hosts from the managed network are not able to access the OOBM gateway router.
This requirement is not applicable for the DODIN Backbone. If the OOBM gateway router is a dedicated device for the OOBM network, this requirement is not applicable. Review the access control list (ACL) or filter for the router receive path. Verify that only traffic sourced from the OOBM network or the NOC is allowed to access the router. Step 1: Examine the interface configuration for the inbound ACL applied to the OOBM interfaces. ! interface ethernet1/1/1 description "OOB link to NOC" ip address 10.10.1.1/24 ip access-group MGMT_TRAFFIC_FROM_NOC in ! interface ethernet1/1/2 description "link to OOBM LAN access switch" ip address 10.10.2.1/24 ip access-group MGMT_TRAFFIC_FROM_OOBM_LAN in Step 2: Review the inbound ACL bound to any OOBM interface connecting to the OOBM backbone and verify traffic destined to the OS10 OOBM router is only from the OOBM or NOC address space. ! ip access-list MGMT_TRAFFIC_FROM_NOC seq 10 permit ip 10.10.1.0/24 host 10.10.1.1 seq 20 permit ip 10.10.1.0/24 host 10.10.2.1 seq 30 deny ip any host 10.10.1.1 log seq 40 deny ip any host 10.10.2.1 log seq 50 permit ip 10.10.1.0/24 10.10.2.0/24 seq 60 deny ip any any log Step 3: Review the inbound ACL bound to any OOBM LAN interfaces and verify traffic destined to the OS10 OOBM router is from the OOBM LAN address space. ! ip access-list MGMT_TRAFFIC_FROM_OOBM_LAN seq 10 permit ip 10.10.2.0/24 host 10.10.1.1 seq 20 permit ip 10.10.2.0/24 host 10.10.2.1 seq 30 deny ip any host 10.10.1.1 log seq 40 deny ip any host 10.10.2.1 log seq 50 permit ip 10.10.2.0/24 10.10.1.0/24 seq 60 deny ip any any log If the router does not block any traffic destined to itself that is not sourced from the OOBM network or the NOC, this is a finding.
This requirement is not applicable for the DODIN Backbone. If the OOBM gateway router is a dedicated device for the OOBM network, this requirement is not applicable. Step 1: Configure an inbound ACL to bind to any OOBM interface connecting to the OOBM backbone which ensures that traffic destined to the OS10 OOBM router is only from the OOBM or NOC address space. OS10(config)# ip access-list MGMT_TRAFFIC_FROM_NOC OS10(config-ipv4-acl)# seq 10 permit ip 10.10.1.0/24 host 10.10.1.1 OS10(config-ipv4-acl)# seq 20 permit ip 10.10.1.0/24 host 10.10.2.1 OS10(config-ipv4-acl)# seq 30 deny ip any host 10.10.1.1 log OS10(config-ipv4-acl)# seq 40 deny ip any host 10.10.2.1 log OS10(config-ipv4-acl)# seq 50 permit ip 10.10.1.0/24 10.10.2.0/24 OS10(config-ipv4-acl)# seq 60 deny ip any any log OS10(config-ipv4-acl)# exit Step 2: Configure an inbound ACL to bind to any OOBM LAN interfaces which ensures that traffic destined to the OS10 OOBM router is from the OOBM LAN address space. OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM_LAN OS10(config-ipv4-acl)# seq 10 permit ip 10.10.2.0/24 host 10.10.1.1 OS10(config-ipv4-acl)# seq 20 permit ip 10.10.2.0/24 host 10.10.2.1 OS10(config-ipv4-acl)# seq 30 deny ip any host 10.10.1.1 log OS10(config-ipv4-acl)# seq 40 deny ip any host 10.10.2.1 log OS10(config-ipv4-acl)# seq 50 permit ip 10.10.2.0/24 10.10.1.0/24 OS10(config-ipv4-acl)# seq 60 deny ip any any log OS10(config-ipv4-acl)# exit Step 3: Apply the ACLs to the OOBM interfaces. OS10(config)# interface ethernet1/1/1 OS10(conf-if-eth1/1/1)# ip access-group MGMT_TRAFFIC_FROM_NOC in OS10(conf-if-eth1/1/1)# exit OS10(config)# interface ethernet1/1/2 OS10(conf-if-eth1/1/2)# ip access-group MGMT_TRAFFIC_FROM_OOBM_LAN in OS10(conf-if-eth1/1/2)# exit Ensure that traffic from the managed network is not able to access the OOBM gateway router using either receive path or interface ingress ACLs.