STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate pseudowire ID for each attachment circuit.

DISA Rule

SV-216795r531087_rule

Vulnerability Number

V-216795

Group Title

SRG-NET-000512-RTR-000008

Rule Version

CISC-RT-000670

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Assign globally unique pseudowire IDs for each virtual circuit and configure the attachment circuits with the appropriate pseudowire ID.

RP/0/0/CPU0:R3(config)#l2vpn
RP/0/0/CPU0:R3(config-l2vpn)#xconnect group COI1
RP/0/0/CPU0:R3(config-l2vpn-xc)#p2p COI1-S1-S2
RP/0/0/CPU0:R3(config-l2vpn-xc-p2p)#interface g0/0/0/1
RP/0/0/CPU0:R3(config-l2vpn-xc-p2p)#neighbor 10.1.12.4 pw-id 55

Check Contents

Verify that the correct pseudowire ID has been configured for the appropriate attachment circuit. In the example below, GigabitEthernet0/0/0/1 is the CE-facing interface that is configured for VPWS.

l2vpn
 pw-class ETHOM
  encapsulation mpls
  !
 !
 xconnect group COI1
  p2p COI1-S1-S2
   interface GigabitEthernet0/0/0/1
   neighbor ipv4 10.1.12.4 pw-id 55
    pw-class ETHOM
   !
  !
 !
!

If the correct pseudowire ID has not been configured on both routers, this is a finding.
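The check above is performed by eye on one router at a time, but the property it is really after spans both ends of the pseudowire: each virtual circuit has its own pw-id, and the PE on the far side signals the same pw-id back toward this PE. The following script is an added example (not part of the STIG or of STIGQter) that parses `show running-config l2vpn` output from two PE routers and reports the same conditions the check describes: a p2p xconnect missing its attachment circuit or pw-id, a pw-id reused for a second virtual circuit, and a pw-id toward the peer with no matching pseudowire on the peer. The R3 configuration is the one from the check, extended with a second constructed circuit; the R4 configuration, R3's own address 10.1.12.3, and the GigabitEthernet0/0/0/2 interface are constructed for the example and are not on the page.

```python
"""Audit IOS XR VPWS (L2VPN xconnect) configs for pseudowire-ID consistency.

Added example for the CISC-RT-000670 check; input is `show running-config l2vpn`
text from each PE. Indentation is ignored so flattened excerpts also parse.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data. R3's neighbor address is the one on the page;
# R3's own address (10.1.12.3) and the whole R4 side are assumptions.
R3_ADDR, R4_ADDR = "10.1.12.3", "10.1.12.4"

R3_CFG = """
l2vpn
 pw-class ETHOM
  encapsulation mpls
 !
 xconnect group COI1
  p2p COI1-S1-S2
   interface GigabitEthernet0/0/0/1
   neighbor ipv4 10.1.12.4 pw-id 55
    pw-class ETHOM
   !
  !
  p2p COI1-S1-S3
   interface GigabitEthernet0/0/0/2
   neighbor ipv4 10.1.12.4 pw-id 56
    pw-class ETHOM
   !
  !
 !
!
"""

# R4 mirrors R3 but its second circuit carries the wrong pw-id (65 instead of 56).
R4_CFG = R3_CFG.replace("10.1.12.4", "10.1.12.3").replace("pw-id 56", "pw-id 65")
R4_FIXED_CFG = R4_CFG.replace("pw-id 65", "pw-id 56")


@dataclass
class Pseudowire:
    group: str
    name: str
    interface: Optional[str] = None  # attachment circuit (CE-facing port)
    neighbor: Optional[str] = None   # remote PE address
    pw_id: Optional[int] = None      # pseudowire ID signalled to that PE


_RE_GROUP = re.compile(r"^xconnect group (\S+)$")
_RE_P2P = re.compile(r"^p2p (\S+)$")
_RE_IF = re.compile(r"^interface (\S+)$")
_RE_NBR = re.compile(r"^neighbor (?:ipv4 )?(\d+\.\d+\.\d+\.\d+) pw-id (\d+)$")


def parse_l2vpn(config: str) -> list[Pseudowire]:
    """Return every p2p xconnect found in the l2vpn section."""
    pws: list[Pseudowire] = []
    group: Optional[str] = None
    cur: Optional[Pseudowire] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := _RE_GROUP.match(line):
            group, cur = m.group(1), None
        elif (m := _RE_P2P.match(line)) and group:
            cur = Pseudowire(group, m.group(1))
            pws.append(cur)
        elif (m := _RE_IF.match(line)) and cur:
            cur.interface = m.group(1)
        elif (m := _RE_NBR.match(line)) and cur:
            cur.neighbor, cur.pw_id = m.group(1), int(m.group(2))
    return pws


def _one_way(local: str, local_addr: str, local_cfg: str,
             peer: str, peer_addr: str, peer_cfg: str) -> list[str]:
    """Findings for the circuits on `local` that point at `peer`."""
    findings: list[str] = []
    # Peer pseudowires that point back at this router, keyed by pw-id.
    back = {p.pw_id: p for p in parse_l2vpn(peer_cfg) if p.neighbor == local_addr}
    seen: dict[int, str] = {}
    for pw in parse_l2vpn(local_cfg):
        tag = f"{local} {pw.group}/{pw.name}"
        if pw.interface is None or pw.pw_id is None:
            findings.append(f"{tag}: missing attachment circuit or pw-id")
            continue
        if pw.pw_id in seen:  # STIG: one unique pw-id per virtual circuit
            findings.append(f"{tag}: pw-id {pw.pw_id} already used by {seen[pw.pw_id]}")
        seen.setdefault(pw.pw_id, tag)
        if pw.neighbor != peer_addr:
            continue  # circuit terminates on a different PE; not part of this pair
        if pw.pw_id not in back:
            findings.append(f"{tag}: pw-id {pw.pw_id} toward {peer_addr} "
                            f"has no matching pseudowire on {peer}")
    return findings


def audit_pair(local: str, local_addr: str, local_cfg: str,
               peer: str, peer_addr: str, peer_cfg: str) -> list[str]:
    """Check both directions of a PE pair; an empty list means no finding."""
    return (_one_way(local, local_addr, local_cfg, peer, peer_addr, peer_cfg)
            + _one_way(peer, peer_addr, peer_cfg, local, local_addr, local_cfg))


if __name__ == "__main__":
    for f in audit_pair("R3", R3_ADDR, R3_CFG, "R4", R4_ADDR, R4_CFG) or ["no findings"]:
        print(f)
```

Matching is done on the (neighbor address, pw-id) pair rather than on the xconnect name, because the name is locally significant while the pw-id is what the two PEs actually signal to each other; two routers can use different group and p2p names and still bring up the pseudowire, but a pw-id that differs on one side is exactly the finding the check calls out.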

Documentable

False


Check Content Reference

M

Target Key

4029

Comments