The Dell OS10 Router must be configured to restrict traffic destined to itself.

Severity: high
Group ID: V-269872
Group Title: SRG-NET-000205-RTR-000001
Version: OS10-RTR-000380
Rule ID: SV-269872r1052001_rule
Date: 2024-12-11
STIG Version: 1
Description
The route processor handles traffic destined to the router. It is the key component used to build forwarding paths and is also instrumental to all network management functions. Hence, any disruption or denial-of-service (DoS) attack on the route processor can result in mission-critical network outages.
Check
Review the access control list (ACL) or filter for the router receive path and verify that it will only process specific management plane and control plane traffic from specific sources.

Step 1: Examine the interface configuration for the control plane ACLs applied to the traffic destined to the router control plane from the OOBM management port or front panel data ports.

    !
    control-plane
     ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
     ip access-group MGMT_TRAFFIC_FROM_DATA data in

Step 2: Review the control plane ACLs and verify that traffic is limited appropriately.

    !
    ip access-list MGMT_TRAFFIC_FROM_OOBM
     seq 10 permit ...
     seq 20 permit ...
     seq 30 deny ... log
     seq 40 deny ... log
    !
    ip access-list MGMT_TRAFFIC_FROM_DATA
     seq 10 permit ...
     seq 20 permit ...
     seq 30 deny ... log
     seq 40 deny ... log

If the router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding.
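The two check steps can be run over a saved copy of the running configuration. The following Python sketch is an added example, not part of the STIG or of Dell's tooling: it confirms that the control-plane stanza applies an ACL to both the mgmt and data paths, that each referenced ACL is defined, and that it ends with the logged deny the templates above end with. The function names are hypothetical, the parser assumes stanzas are separated by "!" lines as shown above, and the sample configurations are constructed.

```python
import re

ACL_HDR = re.compile(r"ip access-list (\S+)$")
BINDING = re.compile(r"ip access-group (\S+) (mgmt|data) in$")
ENTRY = re.compile(r"(?:seq \d+ )?(permit|deny)\b(.*)$")

def parse(config):
    """Return ({acl: [(action, args)]}, {port: acl}); assumes '!' ends a stanza."""
    acls, bindings, in_cp, acl = {}, {}, False, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            in_cp, acl = False, None
        elif line == "control-plane":
            in_cp, acl = True, None
        elif m := ACL_HDR.match(line):
            in_cp, acl = False, m.group(1)
            acls.setdefault(acl, [])
        elif in_cp and (m := BINDING.match(line)):
            bindings[m.group(2)] = m.group(1)   # port -> ACL name
        elif acl and (m := ENTRY.match(line)):
            acls[acl].append((m.group(1), m.group(2).split()))
    return acls, bindings

def audit_receive_path(config):
    """List gaps in the receive-path filter; an empty list means none found."""
    acls, bindings = parse(config)
    findings = []
    for port in ("mgmt", "data"):
        name = bindings.get(port)
        if name is None:
            findings.append(f"{port}: no ACL applied under control-plane")
        elif not acls.get(name):
            findings.append(f"{port}: ACL {name} is undefined or empty")
        elif acls[name][-1][0] != "deny" or "log" not in acls[name][-1][1]:
            findings.append(f"{port}: ACL {name} does not end in a logged deny")
    return findings

# Constructed samples; match criteria are elided ("...") exactly as on the page.
ACL = "ip access-list {}\n seq 10 permit ...\n seq 20 permit ...\n seq 30 deny ... log\n!\n"
GOOD = ("!\ncontrol-plane\n ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in\n"
        " ip access-group MGMT_TRAFFIC_FROM_DATA data in\n!\n"
        + ACL.format("MGMT_TRAFFIC_FROM_OOBM") + ACL.format("MGMT_TRAFFIC_FROM_DATA"))
BAD = ("!\ncontrol-plane\n ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in\n!\n"
       "ip access-list MGMT_TRAFFIC_FROM_OOBM\n seq 10 permit ...\n seq 20 deny ... log\n"
       " seq 30 permit ...\n!\n")

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_receive_path(cfg) or "no gaps found")
```

An empty result only shows that the filter is present and structured like the templates; whether each permit entry is limited to specific sources still has to be reviewed by hand.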
Fix
Configure the router with receive path filters to restrict traffic destined to the router.

Step 1: Configure inbound ACLs to restrict which packets are allowed to reach the control plane from the OOBM management port and from the front panel data ports.

    OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM
    OS10(config-ipv4-acl)# permit ...
    OS10(config-ipv4-acl)# permit ...
    OS10(config-ipv4-acl)# deny ... log
    OS10(config-ipv4-acl)# deny ... log

    OS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA
    OS10(config-ipv4-acl)# permit ...
    OS10(config-ipv4-acl)# permit ...
    OS10(config-ipv4-acl)# deny ... log
    OS10(config-ipv4-acl)# deny ... log

Step 2: Apply the ACLs to the ingress of the control plane.

    OS10(config)# control-plane
    OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
    OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in