STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date 12 Feb 2021

The Juniper PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain.

DISA Rule

SV-217075r639663_rule

Vulnerability Number

V-217075

Group Title

SRG-NET-000192-RTR-000002

Rule Version

JUNI-RT-000700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure a MAC address learning limit for each VPLS bridge domain.

[edit routing-instances VPLS_CUST2 protocols vpls]
set mac-table-size nnnn

Check Contents

Review the PE router configuration to determine if a MAC address limit has been set for each VPLS bridge domain.

routing-instances {
    VPLS_CUST2 {
        instance-type vpls;
        interface ge-0/1/0.0;
        route-distinguisher 22:22;
        vrf-target target:22:22;
        protocols {
            vpls {
                site-range 9;
                mac-table-size {
                    nnnn;
                }
                no-tunnel-services;
                site R8 {
                    site-identifier 8;
                    interface ge-0/1/0.0;
                }
                vpls-id 102;
                neighbor 8.8.8.8;
            }
        }
    }
}

If a limit has not been configured, this is a finding.
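The check above has to be repeated for every VPLS instance on the PE, which is easy to get wrong by eye on a large configuration. The following Python script is an added example (it is not part of the STIG, STIGQter, or Juniper tooling): it parses the brace-style output of Junos `show configuration`, walks `routing-instances`, and reports every instance of type `vpls` whose `protocols vpls` stanza carries no `mac-table-size`. The embedded configuration is constructed for the example; the instance names, interfaces and limit values are assumptions, not values from any real device. It accepts both the block form shown in the check text and the one-line `mac-table-size nnnn;` form produced by the fix command.

```python
"""Configuration check for JUNI-RT-000700: every VPLS routing instance
must set mac-table-size. Added example, not DISA/STIGQter/Juniper code."""
import re
from typing import Any, Dict, List, Optional

# Constructed sample (assumed names/values): CUST1 has no limit (finding),
# CUST2 is compliant, CUST3_L3 is an L3 VRF the check must ignore.
SAMPLE_CONFIG = """\
routing-instances {
    VPLS_CUST1 {
        instance-type vpls;
        interface ge-0/1/1.0;
        protocols {
            vpls {
                site-range 9;
                no-tunnel-services;
                vpls-id 101;
            }
        }
    }
    VPLS_CUST2 {
        instance-type vpls;
        interface ge-0/1/0.0;
        route-distinguisher 22:22;
        vrf-target target:22:22;
        protocols {
            vpls {
                site-range 9;
                mac-table-size {
                    2048;
                }
                no-tunnel-services;
                vpls-id 102;
            }
        }
    }
    CUST3_L3 {
        instance-type vrf;
        interface ge-0/1/2.0;
    }
}
"""


def parse_junos(text: str) -> Dict[str, Any]:
    """Parse brace-delimited Junos config into nested dicts.
    Containers become {name: {...}}; leaf statements become {statement: None}."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        # skip blank lines and '## Last commit:' / '/* annotation */' lines
        if not line or line.startswith("#") or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            stack[-1][line.rstrip(";")] = None
    return root


def mac_table_size(vpls: Dict[str, Any]) -> Optional[int]:
    """Return the configured MAC limit from a 'protocols vpls' stanza, accepting
    the block form 'mac-table-size { 2048; }' or the one-line 'mac-table-size 2048;'."""
    for key, value in vpls.items():
        if key == "mac-table-size" and isinstance(value, dict):
            for leaf in value:  # block form: the limit is the single leaf inside
                if leaf.isdigit():
                    return int(leaf)
        m = re.fullmatch(r"mac-table-size\s+(\d+)", key)
        if m:
            return int(m.group(1))
    return None


def find_unlimited_vpls(config_text: str) -> List[str]:
    """Names of VPLS routing instances with no MAC learning limit; each is a finding."""
    tree = parse_junos(config_text)
    findings: List[str] = []
    for name, body in (tree.get("routing-instances") or {}).items():
        if not isinstance(body, dict) or "instance-type vpls" not in body:
            continue  # only VPLS bridge domains are in scope for this rule
        protocols = body.get("protocols") or {}
        vpls = protocols.get("vpls") or {}
        if mac_table_size(vpls) is None:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for inst in find_unlimited_vpls(SAMPLE_CONFIG):
        print(f"FINDING: routing-instance {inst} has no mac-table-size configured")
```

Run it against a saved `show configuration` capture (read the file into `find_unlimited_vpls`) rather than the embedded sample; an empty result means every VPLS instance has a limit, and any name printed is a finding under this rule. The parser is deliberately minimal (no handling of `inactive:` or `apply-groups`), so instances whose limit is inherited from a configuration group would still be reported and need manual confirmation.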

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4032

Comments