IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain

From Perimeter Router Security Technical Implementation Guide Cisco

Part of: IGP instances do not peer with appropriate domain

SV-19297r1_rule IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain

Vulnerability discussion

If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed network and the management network are separate routing domains, separate IGP routing instances must be configured on the router—one for the managed network and one for the OOBM network.

Check content

Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network. The following would be an example where EIGRP is run on the management network 10.0.0.0 and OSPF in the managed network 172.20.0.0. The network 10.1.20.0/24 is the OOBM backbone and 10.1.1.0 is the local management LAN connecting to the OOBM interfaces of the managed network (i.e., the private and service network) elements.

interface Serial0/0
 description to_OOBM_Backbone
 ip address 10.1.20.3 255.255.255.0
!
interface FastEthernet0/0
 description Enclave_Management_LAN
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description to_our_PrivateNet
 ip address 172.20.4.2 255.255.255.0
!
interface FastEthernet0/2
 description to_our_ServiceNet
 ip address 172.20.5.2 255.255.255.0
!
! OSPF network statements require a wildcard mask and an area; area 0 is assumed here
router ospf 1
 network 172.20.0.0 0.0.255.255 area 0
!
! EIGRP covers only the 10.0.0.0 interfaces (Serial0/0 and FastEthernet0/0); the
! management LAN on FastEthernet0/0 is made passive so its subnet is advertised
! without forming adjacencies with the managed elements attached to it
router eigrp 12
 network 10.0.0.0
 passive-interface FastEthernet0/0

Note: the passive-interface command is configured to avoid building an EIGRP adjacency with a managed router, while at the same time, enabling EIGRP to advertise the enclave’s management subnet to the EIGRP neighbors of the management network backbone.

If the non-dedicated OOBM gateway and the NOC gateway are not connected by an OOB backbone—that is, connectivity is provided over an IP backbone (i.e., NIPRNet)—and an IGP is used to advertise routes within the management network, the IGP traffic must be encapsulated via GRE so that it can traverse the IPsec tunnel. The configuration below is an example of GRE over IPsec. The IPsec policy is applied to the GRE traffic that will encapsulate IGP packets (notice the EIGRP network statement includes the GRE tunnel; hence, EIGRP will form adjacencies with neighbors on the other side of this tunnel).

Premise Router Configuration

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ourkey address 166.4.24.3
!
crypto ipsec transform-set VPN-trans esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 166.4.24.3
 set transform-set VPN-trans
 match address 102
!
interface Ethernet1
 ip address 10.1.1.1 255.255.255.0
!
! a /30 would make .3 the broadcast address, so a /29 is used on the WAN link
interface Serial1/0
 ip address 141.22.4.3 255.255.255.248
 crypto map vpnmap
!
! the tunnel is sourced from the WAN interface whose address ACL 102 matches
interface Tunnel0
 ip address 10.10.255.1 255.255.255.252
 ip mtu 1400
 tunnel source Serial1/0
 tunnel destination 166.4.24.3
!
! the wildcard covers 10.1.1.0/24 and the 10.10.255.0/30 tunnel, so EIGRP peers across the tunnel
router eigrp 100
 network 10.0.0.0 0.255.255.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 141.22.4.1
!
access-list 102 permit gre host 141.22.4.3 host 166.4.24.3

OOBM VPN Gateway Configuration

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ourkey address 141.22.4.3
!
crypto ipsec transform-set VPN-trans esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 141.22.4.3
 set transform-set VPN-trans
 match address 102
!
interface Ethernet1
 ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
 ip address 166.4.24.3 255.255.255.248
 crypto map vpnmap
!
interface Tunnel0
 ip address 10.10.255.2 255.255.255.252
 ip mtu 1400
 tunnel source Serial1/0
 tunnel destination 141.22.4.3
!
router eigrp 100
 network 10.0.0.0 0.255.255.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 166.4.24.1
!
access-list 102 permit gre host 166.4.24.3 host 141.22.4.3
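As an added example (not part of the STIG), the check above can be applied to a saved running-config with a small Python script: it maps each IGP instance's network statements onto the router's interface addresses and reports any interface an instance covers outside its own routing domain. The sample config, the domain prefixes and the interface names are assumptions modelled on the example above; the parser understands only contiguous wildcard masks and the ospf/eigrp stanzas.

```python
import ipaddress
# Constructed sample modelled on the STIG's check example, with one mistake added on
# purpose: OSPF (the managed-network IGP) also covers the OOBM backbone, 10.1.20.0/24.
SAMPLE_CONFIG = """\
interface Serial0/0
 ip address 10.1.20.3 255.255.255.0
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/1
 ip address 172.20.4.2 255.255.255.0
router ospf 1
 network 172.20.0.0 0.0.255.255 area 0
 network 10.1.20.0 0.0.0.255 area 0
router eigrp 12
 network 10.0.0.0
 passive-interface FastEthernet0/0
"""
# Prefix each IGP instance may cover (assumed: 10/8 is management/EIGRP, 172.20/16 is managed/OSPF).
DOMAINS = {"ospf 1": ipaddress.ip_network("172.20.0.0/16"), "eigrp 12": ipaddress.ip_network("10.0.0.0/8")}

def to_network(addr, wildcard=None):
    """'network' statement -> IPv4Network; no wildcard means classful, as EIGRP treats it."""
    if wildcard is None:  # class A below 128, class B below 192, otherwise class C
        first = int(addr.split(".")[0])
        wildcard = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)  # ipaddress accepts a hostmask

def parse_config(text):
    """Return (interface -> address, igp -> [networks], igp -> {passive interfaces}); other stanzas are ignored."""
    ifaces, nets, passive, sect = {}, {}, {}, None
    for parts in (line.split() for line in text.splitlines()):
        if parts[:1] == ["interface"]:
            sect = ("if", parts[1])
        elif parts[:1] == ["router"] and parts[1] in ("ospf", "eigrp"):
            sect = ("igp", f"{parts[1]} {parts[2]}")
            nets[sect[1]], passive[sect[1]] = [], set()
        elif sect and sect[0] == "if" and parts[:2] == ["ip", "address"]:
            ifaces[sect[1]] = ipaddress.ip_address(parts[2])
        elif sect and sect[0] == "igp" and parts[:1] == ["network"]:
            wild = parts[2] if len(parts) > 2 and parts[2] != "area" else None
            nets[sect[1]].append(to_network(parts[1], wild))
        elif sect and sect[0] == "igp" and parts[:1] == ["passive-interface"]:
            passive[sect[1]].add(parts[1])
    return ifaces, nets, passive

def check_igp_domains(text, domains=DOMAINS):
    """(igp, interface, address, passive) for each interface an IGP covers outside its own domain."""
    # A non-passive hit is a cross-domain adjacency; a passive hit still leaks the prefix.
    ifaces, nets, passive = parse_config(text)
    return [(igp, name, str(addr), name in passive[igp])
            for igp, igp_nets in nets.items() for name, addr in ifaces.items()
            if any(addr in n for n in igp_nets) and addr not in domains[igp]]
```

Run it against the output of `show running-config` saved to a file; an empty result means every interface each IGP instance covers lies inside that instance's domain.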

Fix text

Ensure that multiple IGP instances configured on the OOBM gateway router peer only with their appropriate routing domain. Verify that all interfaces are configured for the appropriate IGP instance.
