STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco PE router must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.

DISA Rule

SV-216797r531087_rule

Vulnerability Number

V-216797

Group Title

SRG-NET-000512-RTR-000010

Rule Version

CISC-RT-000690

Severity

CAT III

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Enable split horizon on all PE routers deploying VPLS in a full-mesh configuration.

RP/0/0/CPU0:R3(config)#l2vpn
RP/0/0/CPU0:R3(config-l2vpn)#bridge group L2GROUP
RP/0/0/CPU0:R3(config-l2vpn-bg)#bridge-domain L2_BRIDGE_COI1
RP/0/0/CPU0:R3(config-l2vpn-bg-bd)#interface GigabitEthernet0/0/0/2
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#split-horizon group
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#end

Check Contents

Review the PE router configuration to verify that split horizon is enabled at each attachment circuit within each bridge domain as shown in the example below.

bridge group L2GROUP
bridge-domain L2_BRIDGE_COI1
interface GigabitEthernet0/0/0/2
split-horizon group
!

If split horizon is not enabled, this is a finding.

Note: This requirement is only applicable to a mesh VPLS topology. VPLS solves the loop problem by using a split-horizon rule which states that member PE routers of a VPLS must forward VPLS traffic only to the local attachment circuits when they receive the traffic from the other PE routers. In a ring VPLS, split horizon must be disabled so that a PE router can forward a packet received from one pseudowire to another pseudowire. To prevent the consequential loop, at least one span in the ring would not have a pseudowire for any given VPLS instance.

Vulnerability Number

V-216797

Documentable

False

Rule Version

CISC-RT-000690

Severity Override Guidance

Review the PE router configuration to verify that split horizon is enabled at each attachment circuit within each bridge domain as shown in the example below.

bridge group L2GROUP
bridge-domain L2_BRIDGE_COI1
interface GigabitEthernet0/0/0/2
split-horizon group
!

If split horizon is not enabled, this is a finding.

Note: This requirement is only applicable to a mesh VPLS topology. VPLS solves the loop problem by using a split-horizon rule which states that member PE routers of a VPLS must forward VPLS traffic only to the local attachment circuits when they receive the traffic from the other PE routers. In a ring VPLS, split horizon must be disabled so that a PE router can forward a packet received from one pseudowire to another pseudowire. To prevent the consequential loop, at least one span in the ring would not have a pseudowire for any given VPLS instance.

Check Content Reference

M

Target Key

4029

Comments