STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain.

DISA Rule

SV-216800r531087_rule

Vulnerability Number

V-216800

Group Title

SRG-NET-000192-RTR-000002

Rule Version

CISC-RT-000720

Severity

CAT II

CCI(s)

• CCI-001094 - The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.

Weight

10

Fix Recommendation

Configure a MAC address learning limit for each VPLS bridge domain.

RP/0/0/CPU0:R3(config)#l2vpn
RP/0/0/CPU0:R3(config-l2vpn)#bridge group L2GROUP
RP/0/0/CPU0:R3(config-l2vpn-bg)#bridge-domain L2_BRIDGE_COI1
RP/0/0/CPU0:R3(config-l2vpn-bg-bd)#interface GigabitEthernet0/0/0/2
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#mac limit maximum nnn
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#end

Check Contents

Review the PE router configuration to determine if a MAC address limit has been set for each VPLS bridge domain.

bridge group L2GROUP
bridge-domain L2_BRIDGE_COI1
interface GigabitEthernet0/0/0/2
mac
limit
maximum nnnn
!
!

If a limit has not been configured, this is a finding.

Vulnerability Number

V-216800

Documentable

False

Rule Version

CISC-RT-000720

Severity Override Guidance

Review the PE router configuration to determine if a MAC address limit has been set for each VPLS bridge domain.

bridge group L2GROUP
bridge-domain L2_BRIDGE_COI1
interface GigabitEthernet0/0/0/2
mac
limit
maximum nnnn
!
!

If a limit has not been configured, this is a finding.

Check Content Reference

M

Target Key

4029

Comments