STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 12 Feb 2021

The Juniper PE router must be configured to have each VRF with the appropriate Route Distinguisher (RD).

DISA Rule

SV-217069r639663_rule

Vulnerability Number

V-217069

Group Title

SRG-NET-000512-RTR-000007

Rule Version

JUNI-RT-000630

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the correct RD for each VRF.

[edit]
set routing-instances L3VPN_CUST1 route-distinguisher 33:33

Check Contents

Review the RDs that have been assigned for each VRF according to the plan provided by the ISSM. Review the router configuration and verify that the correct RD is configured for each VRF. In the example below, route distinguisher 33:33 has been configured for customer 1.

routing-instances {
    L3VPN_CUST1 {
        description "Between PE1 & PE2";
        instance-type vrf;
        interface ge-0/1/0.0;
        route-distinguisher 33:33;
        vrf-target target:33:33;
        vrf-table-label;
        protocols {
            ospf {
                area 0.0.0.1 {
                    interface ge-0/1/0.0;
                }
            }
        }
    }
}

If the wrong RD has been configured for any VRF, this is a finding.
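The check above can be scripted when a PE carries many VRFs. The following is an added example, not part of the STIG or of STIGQter: it reads a configuration in the curly-brace form shown above and compares each VRF's RD with a plan. The `L3VPN_CUST2` instance and the `RD_PLAN` dictionary are constructed stand-ins for a real configuration and for the ISSM's plan, and RDs are compared as literal strings.

```python
import re

# Constructed sample in the page's format; L3VPN_CUST2 and the plan are hypothetical.
SAMPLE_CONFIG = """
routing-instances {
    L3VPN_CUST1 {
        instance-type vrf;
        route-distinguisher 33:33;
        vrf-target target:33:33;
    }
    L3VPN_CUST2 {
        instance-type vrf;
        route-distinguisher 33:33;
        vrf-target target:44:44;
    }
}
"""
RD_PLAN = {"L3VPN_CUST1": "33:33", "L3VPN_CUST2": "44:44"}  # stand-in for the ISSM plan


def vrf_rds(config):
    """Map each instance-type vrf routing instance to its RD (None if unset)."""
    rds, vrfs, path = {}, set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        if line.endswith("{"):
            path.append(line[:-1].strip())      # entering a block
        elif line == "}":
            if path:
                path.pop()                      # leaving a block
        elif len(path) == 2 and path[0] == "routing-instances":
            if line == "instance-type vrf;":
                vrfs.add(path[1])
            match = re.fullmatch(r"route-distinguisher\s+(\S+);", line)
            if match:
                rds[path[1]] = match.group(1)
    return {name: rds.get(name) for name in sorted(vrfs)}


def rd_findings(config, plan):
    """Return (vrf, reason) for every VRF whose RD differs from the plan."""
    findings = []
    for name, rd in vrf_rds(config).items():
        if name not in plan:
            findings.append((name, "VRF not in RD plan"))
        elif rd != plan[name]:
            findings.append((name, f"configured {rd}, plan {plan[name]}"))
    return findings


if __name__ == "__main__":
    for name, reason in rd_findings(SAMPLE_CONFIG, RD_PLAN):
        print(f"FINDING {name}: {reason}")
```

A VRF with no `route-distinguisher` statement is reported as `configured None`, and a VRF that is absent from the plan is reported separately so it can be reviewed by hand.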

Documentable

False

Check Content Reference

M

Target Key

4032
