STIGQter: STIG Summary: Router Security Requirements Guide Version: 4 Release: 2 Benchmark Date: 23 Apr 2021:

The PE router must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.

DISA Rule

SV-207181r604135_rule

Vulnerability Number

V-207181

Group Title

SRG-NET-000512

Rule Version

SRG-NET-000512-RTR-000010

Severity

CAT III

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Enable split horizon on all PE routers deploying VPLS in a full-mesh configuration.

Check Contents

Review the PE router configuration to verify that split horizon is enabled.

If it is disabled, this is a finding.

Note: In a ring VPLS, split horizon is disabled so that a PE router can forward a packet received from one pseudowire to another pseudowire. To prevent the consequential loop, at least one span in the ring would not have a pseudowire for any given VPLS instance.

Vulnerability Number

V-207181

Documentable

False

Rule Version

SRG-NET-000512-RTR-000010

Severity Override Guidance

Review the PE router configuration to verify that split horizon is enabled.

If it is disabled, this is a finding.

Note: In a ring VPLS, split horizon is disabled so that a PE router can forward a packet received from one pseudowire to another pseudowire. To prevent the consequential loop, at least one span in the ring would not have a pseudowire for any given VPLS instance.

Check Content Reference

M

Target Key

2917

Comments