STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.

DISA Rule

SV-216798r531087_rule

Vulnerability Number

V-216798

Group Title

SRG-NET-000193-RTR-000002

Rule Version

CISC-RT-000700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure storm control for each CE-facing interface as shown in the example below.

RP/0/0/CPU0:R3(config)#l2vpn
RP/0/0/CPU0:R3(config-l2vpn)#bridge group L2GROUP
RP/0/0/CPU0:R3(config-l2vpn-bg)#bridge-domain L2_BRIDGE_COI1
RP/0/0/CPU0:R3(config-l2vpn-bg-bd)#interface GigabitEthernet0/0/0/2
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#storm-control broadcast kbps 1200
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#storm-control multicast kbps 1200
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#storm-control unknown-unicast kbps 1200
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#end

Note: The acceptable range is 10000000-1000000000 for a Gigabit Ethernet interface, and 100000000-10000000000 for a ten Gigabit interface. Storm control is not supported on most FastEthernet interfaces.

Check Contents

Review the router configuration to verify that storm control is enabled on CE-facing interfaces deploying VPLS as shown in the example below.

bridge group L2GROUP
bridge-domain L2_BRIDGE_COI1
interface GigabitEthernet0/0/0/2
storm-control unknown-unicast kbps 1200
storm-control multicast kbps 1200
storm-control broadcast kbps 1200
split-horizon group
!

If storm control is not enabled at a minimum for broadcast traffic, this is a finding.
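The check above can be automated against an exported running-config. The following script is an added example, not part of the STIG or of STIGQter: it walks the l2vpn section of an IOS XR configuration (a constructed sample is embedded, with one attachment circuit deliberately missing broadcast storm control) and reports every VPLS attachment circuit that lacks the broadcast threshold the check requires.

```python
import re
from typing import Dict, List

# Constructed sample IOS XR running-config fragment (not from the STIG).
# GigabitEthernet0/0/0/3 lacks broadcast storm control and must be a finding.
SAMPLE_CONFIG = """\
l2vpn
 bridge group L2GROUP
  bridge-domain L2_BRIDGE_COI1
   interface GigabitEthernet0/0/0/2
    storm-control unknown-unicast kbps 1200
    storm-control multicast kbps 1200
    storm-control broadcast kbps 1200
    split-horizon group
   !
   interface GigabitEthernet0/0/0/3
    storm-control multicast kbps 1200
   !
   vfi VPLS_COI1
    neighbor 10.1.1.2 pw-id 100
   !
  !
 !
!
"""

STORM = re.compile(r"storm-control\s+(broadcast|multicast|unknown-unicast)\s+(kbps|pps)\s+(\d+)")
SECTIONS = ("bridge", "bridge-domain", "interface")  # first word of the lines that name an AC


def parse_attachment_circuits(config: str) -> Dict[str, Dict[str, int]]:
    """Map each AC (group/domain/interface under l2vpn) to its configured
    storm-control thresholds, using IOS XR's one-space-per-level indentation."""
    acs: Dict[str, Dict[str, int]] = {}
    stack: List[str] = []  # enclosing section lines, one per indent level
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        del stack[depth:]  # leaving any deeper sections
        stack.append(text)
        names = [s.split()[-1] for s in stack if s.split()[0] in SECTIONS]
        if stack[0] != "l2vpn" or len(names) != 3:
            continue  # not inside a bridge-domain attachment circuit
        thresholds = acs.setdefault("/".join(names), {})
        m = STORM.match(text)
        if m:
            thresholds[m.group(1)] = int(m.group(3))
    return acs


def findings(config: str, required=("broadcast",)) -> List[str]:
    """One finding per AC missing any required class (broadcast is the STIG minimum)."""
    out = []
    for ac, thresholds in parse_attachment_circuits(config).items():
        missing = [cls for cls in required if cls not in thresholds]
        if missing:
            out.append(f"{ac}: missing storm-control for {', '.join(missing)}")
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_CONFIG)) or "no findings")
```

Pass all three traffic classes as `required` to audit the full fix recommendation rather than the broadcast-only minimum.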

Vulnerability Number

V-216798

Documentable

False

Rule Version

CISC-RT-000700

Severity Override Guidance

Review the router configuration to verify that storm control is enabled on CE-facing interfaces deploying VPLS as shown in the example below.

bridge group L2GROUP
bridge-domain L2_BRIDGE_COI1
interface GigabitEthernet0/0/0/2
storm-control unknown-unicast kbps 1200
storm-control multicast kbps 1200
storm-control broadcast kbps 1200
split-horizon group
!

If storm control is not enabled at a minimum for broadcast traffic, this is a finding.

Check Content Reference

M

Target Key

4029

Comments