The out-of-band management (OOBM) gateway Cisco ACI must be configured to have separate OSPF instances for the managed network and management network.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity
V-272071 | CACI-RT-000011 | SV-272071r1114084_rule | | Medium

Description
If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the managed and management network are separate routing domains, configuration of separate OSPF routing instances is critical on the router to segregate traffic from each network.

STIG | Date
Cisco ACI Router Security Technical Implementation Guide | 2025-06-18
Details
Check Text (C-76121r1063922_chk)
If this review is for the DODIN Backbone, mark as not applicable.

Verify separate routing instances in the Cisco APIC as shown in the following example:

  interface GigabitEthernet 0/0
   ip address 10.0.0.1 255.255.255.0
   no shutdown
   ip route-map "mgmt-routes" permit
  router bgp 100   // Management network routing instance
  interface GigabitEthernet 0/1
   ip address 192.168.1.1 255.255.255.0
   no shutdown
   ip route-map "managed-routes" permit
  router bgp 200   // Managed network routing instance

If separate routing instances are not configured for the managed and management networks, this is a finding.
Fix Text (F-76028r1114083_fix)
Configure separate routing instances for the managed and management networks, as shown in the example below:

  interface GigabitEthernet 0/0
   ip address 10.0.0.1 255.255.255.0
   no shutdown
   ip route-map "mgmt-routes" permit
  router bgp 100   // Management network routing instance
  interface GigabitEthernet 0/1
   ip address 192.168.1.1 255.255.255.0
   no shutdown
   ip route-map "managed-routes" permit
  router bgp 200   // Managed network routing instance