DISA STIGS Viewer

The out-of-band management (OOBM) gateway Cisco ACI must be configured to have separate OSPF instances for the managed network and management network.

Overview

Finding ID: V-272071
Version: CACI-RT-000011
Rule ID: SV-272071r1114084_rule
IA Controls: (not listed)
Severity: Medium
Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented to contain the boundaries between management and production traffic. Since the managed and management networks are separate routing domains, configuring separate OSPF routing instances on the router is critical to segregate traffic from each network.
STIG: Cisco ACI Router Security Technical Implementation Guide
Date: 2025-06-18

Details

Check Text (C-76121r1063922_chk)
If this review is for the DODIN Backbone, mark as not applicable.

Verify separate routing instances in the Cisco APIC as shown in the following example:

interface GigabitEthernet 0/0
ip address 10.0.0.1 255.255.255.0
no shutdown
ip route-map "mgmt-routes" permit
router bgp 100 // Management network routing instance

interface GigabitEthernet 0/1
ip address 192.168.1.1 255.255.255.0
no shutdown
ip route-map "managed-routes" permit
router bgp 200 // Managed network routing instance

If separate routing instances are not configured for the managed and management networks, this is a finding.
Fix Text (F-76028r1114083_fix)
Configure separate routing instances for the managed and management networks, as shown in the example below:

interface GigabitEthernet 0/0
ip address 10.0.0.1 255.255.255.0
no shutdown
ip route-map "mgmt-routes" permit
router bgp 100 // Management network routing instance

interface GigabitEthernet 0/1
ip address 192.168.1.1 255.255.255.0
no shutdown
ip route-map "managed-routes" permit
router bgp 200 // Managed network routing instance
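As an added illustration that is not part of the STIG, the following checker parses configuration in the shape of the check and fix examples above and reports the conditions that make this a finding. It assumes the example's layout (blank-line-separated blocks, each with one interface and one router line) and accepts either "router ospf" or "router bgp" lines, since the rule text requires OSPF while the example shows BGP process numbers.

```python
import ipaddress
import re
# Constructed sample in the shape of the STIG's check-text example (assumed format:
# blank-line-separated blocks, each holding one interface and one "router" line).
SAMPLE_CONFIG = """\
interface GigabitEthernet 0/0
ip address 10.0.0.1 255.255.255.0
router bgp 100 // Management network routing instance

interface GigabitEthernet 0/1
ip address 192.168.1.1 255.255.255.0
router bgp 200 // Managed network routing instance
"""
ROUTER_RE = re.compile(r"^router\s+(ospf|bgp)\s+(\d+)", re.IGNORECASE)  # rule says OSPF, example shows BGP
ADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)")

def parse_blocks(config):
    """One dict per block: interface name, connected subnet, (protocol, id) instance."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", config.strip()):
        entry = {"interface": None, "network": None, "instance": None}
        for raw in chunk.splitlines():
            line = raw.split("//", 1)[0].strip()  # drop the example's trailing comments
            if line.startswith("interface "):
                entry["interface"] = line[len("interface "):].strip()
            elif m := ADDR_RE.match(line):
                entry["network"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := ROUTER_RE.match(line):
                entry["instance"] = (m[1].lower(), int(m[2]))
        blocks.append(entry)
    return blocks

def check_separate_instances(config):
    """Return (compliant, findings) for this rule: one routing instance per block, none shared."""
    blocks, findings, seen = parse_blocks(config), [], {}
    if len(blocks) < 2:
        findings.append("fewer than two routing domains configured")
    for b in blocks:
        if b["instance"] is None:
            findings.append(f"{b['interface']}: no routing instance in its block")
        elif b["instance"] in seen:
            findings.append(f"{b['interface']} shares {b['instance']} with {seen[b['instance']]}")
        else:
            seen[b["instance"]] = b["interface"]
    nets = [(b["interface"], b["network"]) for b in blocks if b["network"]]
    for i, (name_a, net_a) in enumerate(nets):  # management and managed subnets must not overlap
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{name_a} and {name_b} have overlapping subnets")
    return not findings, findings
```

Running it on a real export means first normalising the configuration into the same block shape; the overlap check is an extra sanity test beyond what the STIG itself requires.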