An inbound ACL is not configured for the management network sub-interface of the trunk link to block non-management traffic.

From Perimeter Router Security Technical Implementation Guide

Part of No inbound ACL for mgmt network sub-interface

SV-19092r1_rule An inbound ACL is not configured for the management network sub-interface of the trunk link to block non-management traffic.

Vulnerability discussion

If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate VLANs will be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the same time it is defined as a unique VLAN. Inter-VLAN routing or the routing of traffic between nodes residing in different subnets requires a router or multi-layer switch (MLS). Access control lists must be used to enforce the boundaries between the management network and the network being managed. All physical and virtual (i.e. MLS SVI) routed interfaces must be configured with ACLs to prevent the leaking of unauthorized traffic from one network to the other.

Check content

Review the router configuration and verify that an inbound ACL has been configured for the management network sub-interface.

Fix text

If a router is used to provide inter-VLAN routing, configure an inbound ACL for the management network sub-interface for the trunk link to block non-management traffic.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer