CISC-RT-000760 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile - QoS policy in accordance with the QoS DODIN Technical Profile.

Information

Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to manage network congestion. The Differentiated Services Model (DiffServ) is based on per-hop behavior by categorizing traffic into different classes and enabling each node to enforce a forwarding treatment to each packet as dictated by a policy.

Packet markings such as IP Precedence and its successor, Differentiated Services Code Points (DSCP), were defined along with specific per-hop behaviors for key traffic types to enable a scalable QoS solution. DiffServ QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. It is imperative that end-to-end QoS is implemented within the IP core network to provide preferred treatment for mission-critical applications.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure a QoS policy in accordance with the QoS DODIN Technical Profile.

Step 1: Configure class-maps to match on DSCP values as shown in the configuration example below.

R5(config-cmap)#class-map match-all C2_VOICE
R5(config-cmap)#match ip dscp 47
R5(config-cmap)#class-map match-all VOICE
R5(config-cmap)#match ip dscp ef
R5(config-cmap)#class-map match-all VIDEO
R5(config-cmap)#match ip dscp af41
R5(config-cmap)#class-map match-all CONTROL_PLANE
R5(config-cmap)#match ip dscp cs6
R5(config)#class-map match-all PREFERRED_DATA
R5(config-cmap)#match ip dscp af33
R5(config-cmap)#exit

Step 2: Configure a policy map to be applied to the core-layer-facing interface that reserves the bandwidth for each traffic type as shown in the example below.

R5(config)#policy-map QOS_POLICY
R5(config-pmap-c)#class C2_VOICE
R5(config-pmap-c)#priority percent 10
R5(config-pmap-c)#class VOICE
R5(config-pmap-c)#priority percent 15
R5(config-pmap-c)#class VIDEO
R5(config-pmap-c)#bandwidth percent 25
R5(config-pmap)#class CONTROL_PLANE
R5(config-pmap-c)#priority percent 10
R5(config-pmap-c)#class PREFERRED_DATA
R5(config-pmap-c)#bandwidth percent 25
R5(config-pmap-c)#class class-default
R5(config-pmap-c)#bandwidth percent 15
R5(config-pmap-c)#exit
R5(config-pmap)#exit

Step 3: Apply the output service policy to the core-layer-facing interface as shown in the configuration example below.

R5(config)#int g1/1
R5(config-if)#service-policy output QOS_POLICY
R5(config-if)#exit
R5(config)#int g1/2
R5(config-if)#service-policy output QOS_POLICY
R5(config-if)#end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Router_Y22M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5(2), CAT|III, CCI|CCI-001095, Rule-ID|SV-216619r531085_rule, STIG-ID|CISC-RT-000760, STIG-Legacy|SV-105777, STIG-Legacy|V-96639, Vuln-ID|V-216619

Plugin: Cisco

Control ID: 17ed6b7067020a7e2960b927e198164c3c2f4ace099d9d23cceb2f1223132c39