From Cisco IOS XE Release 3 RTR Security Technical Implementation Guide
Part of SRG-NET-000019-RTR-000013
Associated with: CCI-001414
If the gateway router is not a dedicated device for the out-of-band management network, several safeguards must be implemented for containment of management and production traffic boundaries, otherwise, it is possible that management traffic will not be separated from production traffic.
Verify the Interior Gateway Protocol instance used for the managed network on the Cisco IOS XE router does not redistribute routes into the Interior Gateway Protocol instance used for the management network, and vice versa. The configuration will look similar to the example below: router ospf 1 area 1 authentication message-digest redistribute ospf 1 vrf Mgmt passive-interface default no passive-interface GigabitEthernet0/0 no passive-interface GigabitEthernet0/1 network 200.30.3.0 0.0.0.255 area 1 If the Interior Gateway Protocol instance used for the managed network redistributes routes into the Interior Gateway Protocol instance used for the management network, or vice versa, this is a finding.
On the Cisco IOS XE router configure the Interior Gateway Protocol instance used for the managed network to prohibit redistribution of routes into the Interior Gateway Protocol instance used for the management network, and vice versa. Use the “NO” form of the redistribute command to disable redistribution of the management network. For example: ISR4000(config-router)#no redistribute ospf 1 vrf Mgmt
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer