Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.

From Infrastructure Router Security Technical Implementation Guide Juniper

Part of Management traffic is not classified and marked

SV-19314r1_rule Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.

Vulnerability discussion

When network congestion occurs, all traffic has an equal chance of being dropped. Prioritization of network management traffic must be implemented to ensure that even during periods of severe network congestion, the network can be managed and monitored. Quality of Service (QoS) provisioning categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment through congestion avoidance techniques. Implementing QoS within the network makes network performance more predictable and bandwidth utilization more effective. Most important, since the same bandwidth is being used to manage the network, it provides some assurance that there will be bandwidth available to troubleshoot outages and restore availability when needed. When management traffic must traverse several nodes to reach the management network, management traffic should be classified and marked at the nearest upstream MLS or router. In addition, all core routers within the managed network must be configured to provide preferred treatment based on the QoS markings. This will ensure that management traffic receives preferred treatment (per-hop behavior) at each forwarding device along the path to the management network. traffic.

Check content

Review the configuration of the MLS or router to determine if the management traffic is classified and marked to a favorable PHB at the distribution layer. According to the DISN approved QoS classifications, control plane and management plane traffic should use DSCP 48 (Network-Control PHB). In the example configurations below, an infrastructure router within the managed network’s distribution layer will classify and mark at ingress all traffic destined to management network with DSCP 48. firewall { family inet { filter set-FC-to-network-control { term match-management-network-prefix { from { destination-address { 10.10.10.0/24; } } then { forwarding-class network-control; accept; } } term accept-all { then accept; } } } } interfaces { fe-0/0/2 { description “link to LAN1” unit 0 { family inet { filter { input set-FC-to-network-control; } address 192.168.1.1/24; } } } fe-0/0/2 { description “link to LAN2” unit 0 { family inet { filter { input set-FC-to-network-control; } address 192.168.2.1/24; } } } ge-0/0/1 { description “link to core” unit 0 { family inet { address 192.168.2.1/24; } } } } By default, rewrite rules are not applied to interfaces. Without rewriting the DSCP value in the packet, the packet will be transmitted with the original value prior to classifying by the local router. To apply a rewrite rule, you can either use the default rules or design new rules. In either case, you must apply the rules to the outgoing interface under the class-of-service hierarchy as shown in the following configuration: class-of-service { interfaces { ge-0/0/1 { unit 0 { rewrite-rules { dscp default; } } } } }

Fix text

When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer