Free DISA STIG and SRG Library | Vaulted

V-17834

An inbound ACL is not configured for the management network sub-interface of the trunk link to block non-management traffic.

Finding ID
NET1005
Rule ID
SV-19308r1_rule
Severity
Cat II
CCE
(None)
Group Title
No inbound ACL for mgmt network sub-interface
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate VLANs will be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the same time it is defined as a unique VLAN. Inter-VLAN routing or the routing of traffic between nodes residing in different subnets requires a router or multi-layer switch (MLS). Access control lists must be used to enforce the boundaries between the management network and the network being managed. All physical and virtual (i.e. MLS SVI) routed interfaces must be configured with ACLs to prevent the leaking of unauthorized traffic from one network to the other.

Fix Text

If a router is used to provide inter-VLAN routing, configure an inbound ACL for the management network sub-interface for the trunk link to block non-management traffic.

Check Content

Review the router configuration and verify that an inbound ACL has been configured for the management network sub-interface as illustrated in the following example configuration: IOS interface GigabitEthernet3 no ip redirects no ip directed-broadcast interface GigabitEthernet3.10 encapsulation dot1q 10 description Management VLAN ip address 10.1.1.1 255.255.255.0 ip access-group 108 in ! access-list 108 permit …

Responsibility

System Administrator