STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.

DISA Rule

SV-216796r531087_rule

Vulnerability Number

V-216796

Group Title

SRG-NET-000512-RTR-000009

Rule Version

CISC-RT-000680

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Assign a globally unique VPN ID to each customer using VPLS for carrier Ethernet services between multiple sites, and bind each customer's attachment circuits to the appropriate VFI.

RP/0/0/CPU0:R3(config)#l2vpn
RP/0/0/CPU0:R3(config-l2vpn)#bridge group L2GROUP
RP/0/0/CPU0:R3(config-l2vpn-bg)#bridge-domain L2_BRIDGE_COI1
RP/0/0/CPU0:R3(config-l2vpn-bg-bd)#interface GigabitEthernet0/0/0/2
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#exit
RP/0/0/CPU0:R3(config-l2vpn-bg-bd)#vfi VFI_COI1
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-vfi)#vpn-id 101

Check Contents

Review the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment.

Review the PE router configuration to verify that customer attachment circuits are associated with the appropriate VFI. In the example below, the attachment circuit at interface GigabitEthernet0/0/0/2 is associated with VPN ID 110.

interface GigabitEthernet0/0/0/2
 l2transport
!
l2vpn
 pw-class ETH_O_MPLS
  encapsulation mpls
   transport-mode ethernet
  !
 !
 bridge group L2GROUP
  bridge-domain L2_BRIDGE_COI1
   interface GigabitEthernet0/0/0/2
   !
   vfi VFI_COI1
    vpn-id 101
    neighbor 10.1.1.1 pw-id 55
     pw-class ETH_O_MPLS
    !
    neighbor 10.2.2.2 pw-id 55
     pw-class ETH_O_MPLS
    !
   !
  !
 !

If the attachment circuits have not been bound to a VFI configured with the VPN ID assigned to each VLAN, this is a finding.
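
The check above can be automated against a saved `show running-config` excerpt. The following is an added example, not part of the STIG or of STIGQter: it parses the IOS XR `interface ... l2transport` and `l2vpn` stanzas by indentation, then reports every l2transport port that sits in no bridge-domain, every bridge-domain whose attachment circuits have no VFI vpn-id, and every vpn-id reused across bridge-domains. The sample configuration is constructed from the page's example, and the function names are this example's own.

```python
# Constructed IOS XR snippet modelled on the page's check-content example, plus an
# l2transport port (Gi0/0/0/3) left out of every bridge-domain as a failing case.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0/2
 l2transport
interface GigabitEthernet0/0/0/3
 l2transport
l2vpn
 bridge group L2GROUP
  bridge-domain L2_BRIDGE_COI1
   interface GigabitEthernet0/0/0/2
   !
   vfi VFI_COI1
    vpn-id 101
   !
"""

def parse_l2vpn(config):
    """Return (l2transport interfaces, {bridge-domain: {"acs": [...], "vpn_id": int|None}})."""
    l2transport, domains, section, bd = set(), {}, [""], None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if not line[0].isspace():                          # new top-level stanza
            section, bd = words, None
        elif section[0] == "interface" and words[0] == "l2transport":
            l2transport.add(section[1])
        elif section[0] == "l2vpn" and words[0] == "bridge-domain":
            bd = domains.setdefault(words[1], {"acs": [], "vpn_id": None})
        elif bd is not None and words[0] == "interface":   # attachment circuit
            bd["acs"].append(words[1])
        elif bd is not None and words[0] == "vpn-id":      # configured under the VFI
            bd["vpn_id"] = int(words[1])
    return l2transport, domains

def check_vpls(config):
    """Return STIG findings; an empty list means every attachment circuit passes."""
    l2transport, domains = parse_l2vpn(config)
    findings, bound, ids = [], set(), {}
    for name, bd in domains.items():
        bound.update(bd["acs"])
        if bd["acs"] and bd["vpn_id"] is None:
            findings.append(f"{name}: {bd['acs']} bound without a VFI vpn-id")
        elif bd["vpn_id"] is not None and bd["vpn_id"] in ids:   # IDs must be globally unique
            findings.append(f"vpn-id {bd['vpn_id']} reused by {ids[bd['vpn_id']]} and {name}")
        ids.setdefault(bd["vpn_id"], name)
    for i in sorted(l2transport - bound):                  # l2transport port in no bridge-domain
        findings.append(f"{i}: l2transport interface not bound to any bridge-domain")
    return findings
```

Running `check_vpls(SAMPLE_CONFIG)` returns one finding for GigabitEthernet0/0/0/3; feed it the text of `show running-config` from the PE router to review a real deployment.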

Check Content Reference

M

Target Key

4029

Comments