The RUCKUS ICX router must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-273670 | RCKS-RTR-001070 | SV-273670r1110956_rule | CCI-004891 | medium |
| Description | ||||
| Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions. | ||||
| STIG | Date | |||
| RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 | |||
Details
Check Text (C-273670r1110956_chk)
Verify the router is configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
If the router is not configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions, this is a finding.
Fix Text (F-77666r1110031_fix)
Configure the router to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
Configure VLANs separate organization-defined traffic:
device# configure terminal
device(config)# vlan 235 name mgmt-vlan
device(config-vlan-235)# tag ethernet 1/x/x
device(config-vlan-235)# interface ve 235
device(config-vif-235)# ip addr x.x.x.x/x
device(config-vif-235)# vlan 200 name ops-vlan
device(config-vlan-200)# tag ethernet 1/x/x
device(config-vlan-200)# interface ve 200
device(config-vif-200)# ip addr x.x.x.x/x
device(config-vif-200)# vlan 210 name user-vlan
device(config-vlan-210)# tag ethernet 1/x/x
device(config-vlan-210)# interface ve 210
device(config-vif-210)# ip addr x.x.x.x/x
device(config-vif-210)#end
device# write memory