STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.

DISA Rule

SV-216708r531086_rule

Vulnerability Number

V-216708

Group Title

SRG-NET-000193-RTR-000002

Rule Version

CISC-RT-000700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure storm control for each CE-facing interface as shown in the example below:

R1(config)#int g3
R1(config-if)#service instance 10 ethernet
R1(config-if-srv)#storm-control broadcast cir 12000000
R1(config-if-srv)#end

Note: The acceptable range is 10000000-1000000000 for a Gigabit Ethernet interface, and 100000000-10000000000 for a Ten Gigabit Ethernet interface. Storm control is not supported on most FastEthernet interfaces.

Check Contents

Review the router configuration to verify that storm control is enabled on CE-facing interfaces deploying VPLS as shown in the example below:

interface GigabitEthernet3
no ip address
service instance 10 ethernet
encapsulation untagged
bridge-domain 100
storm-control broadcast cir 12000000
!
!

If storm control is not enabled at a minimum for broadcast traffic, this is a finding.
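The check above is a manual review of the running configuration. The following script is an added example (not part of the STIG or of STIGQter) that automates that review offline: it parses `service instance N ethernet` blocks out of an IOS XE configuration excerpt, treats any instance bound to a `bridge-domain` as a CE-facing VPLS attachment circuit (an assumption for this example; confirm against your own design), and reports a finding when `storm-control broadcast cir` is absent or its rate falls outside the ranges given in the fix note. The configuration text, interface names and service-instance numbers are constructed for the example.

```python
import re

# Constructed sample running-config excerpt (not from the STIG).
# Three bridged service instances: one compliant, one with no storm control,
# one whose CIR is below the minimum allowed on a Ten Gigabit interface.
SAMPLE_CONFIG = """\
interface GigabitEthernet3
 no ip address
 service instance 10 ethernet
  encapsulation untagged
  bridge-domain 100
  storm-control broadcast cir 12000000
 !
!
interface GigabitEthernet4
 no ip address
 service instance 20 ethernet
  encapsulation dot1q 200
  bridge-domain 200
 !
!
interface TenGigabitEthernet0/1/0
 service instance 30 ethernet
  encapsulation untagged
  bridge-domain 300
  storm-control broadcast cir 50000000
 !
!
interface GigabitEthernet5
 ip address 192.0.2.1 255.255.255.0
!
"""

# Acceptable CIR ranges (bits per second) taken from the fix note, keyed by
# interface-name prefix. Interface types not listed here are not range-checked.
CIR_RANGES = {
    "TenGigabitEthernet": (100_000_000, 10_000_000_000),
    "GigabitEthernet": (10_000_000, 1_000_000_000),
}


def parse_service_instances(config):
    """Return (interface, instance_id, body_lines) for every
    'service instance N ethernet' block found in the configuration text."""
    results = []
    iface = None      # interface currently being parsed, if any
    instance = None   # service instance id currently open, if any
    body = []
    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if line and not line[0].isspace():
            # Top-level command: closes any open service instance.
            if instance is not None:
                results.append((iface, instance, body))
                instance, body = None, []
            iface = stripped.split(None, 1)[1] if stripped.startswith("interface ") else None
            continue
        m = re.match(r"service instance (\d+) ethernet", stripped)
        if m:
            if instance is not None:
                results.append((iface, instance, body))
            instance, body = m.group(1), []
        elif instance is not None:
            if stripped == "!":          # indented '!' ends the service instance
                results.append((iface, instance, body))
                instance, body = None, []
            else:
                body.append(stripped)
    if instance is not None:
        results.append((iface, instance, body))
    return results


def audit_storm_control(config):
    """Apply the STIG check: each service instance attached to a bridge-domain
    (assumed here to mark a CE-facing VPLS attachment circuit) must carry
    'storm-control broadcast cir <rate>' with the rate inside the documented range.
    Returns a list of human-readable findings; an empty list means compliant."""
    findings = []
    for iface, instance, body in parse_service_instances(config):
        if not any(entry.startswith("bridge-domain ") for entry in body):
            continue  # not bridged, so outside the scope of this check
        where = f"{iface} service instance {instance}"
        cir = None
        for entry in body:
            m = re.match(r"storm-control broadcast cir (\d+)$", entry)
            if m:
                cir = int(m.group(1))
        if cir is None:
            findings.append(f"{where}: storm-control broadcast not configured")
            continue
        lo, hi = next(((lo, hi) for prefix, (lo, hi) in CIR_RANGES.items()
                       if iface.startswith(prefix)), (None, None))
        if lo is not None and not (lo <= cir <= hi):
            findings.append(f"{where}: cir {cir} outside acceptable range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for finding in audit_storm_control(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed the script the output of `show running-config` saved to a file; any line it prints corresponds to a finding under this rule. The parser only recognizes the EVC form shown in the check text (`service instance ... ethernet` with `bridge-domain`), so a platform that applies storm control at the interface level rather than per service instance would need the matcher adjusted.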

Severity Override Guidance


Check Content Reference

M

Target Key

4028

Comments