STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.

DISA Rule

SV-221042r622190_rule

Vulnerability Number

V-221042

Group Title

SRG-NET-000512-RTR-000009

Rule Version

CISC-RT-000680

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Assign globally unique VPN IDs for each customer bridge domain using VPLS for carrier Ethernet services between multiple sites, and configure the attachment circuits to the appropriate VFI.

SW1(config)#l2 vfi VPLS_A manual
SW1(config-vfi)#vpn id 110
SW1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls
SW1(config-vfi)#bridge-domain 100
SW1(config-vfi)#exit
SW1(config)#int g0/1
SW1(config-if)#service instance 10 ethernet
SW1(config-if-srv)#encapsulation untagged
SW1(config-if-srv)#bridge-domain 100
SW1(config-if-srv)#end

Check Contents

Step 1: Review the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment.

Step 2: Review the PE switch configuration to verify that customer attachment circuits are associated with the appropriate VFI. In the example below, the attachment circuit at interface GigabitEthernet0/1 is associated with VPN ID 110.

l2 vfi VPLS_A manual
vpn id 110
bridge-domain 100
neighbor 10.3.3.3 encapsulation mpls
neighbor 10.3.3.4 encapsulation mpls

interface GigabitEthernet0/1
no switchport
no ip address
service instance 10 ethernet
encapsulation untagged
bridge-domain 100

If the attachment circuits have not been bound to the VFI configured with the assigned VPN ID for each VLAN, this is a finding.
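The check above is a manual review of the running configuration. The script below is an added example, not part of the STIG or of STIGQter, that performs the same review against a saved IOS-XE running-config: it collects every "l2 vfi" block (VPN ID, bridge-domain, neighbors) and every "service instance ... ethernet" attachment circuit, then reports a finding for any circuit whose bridge-domain is not bound to a VFI carrying a VPN ID, for any VFI with no VPN ID, and for any VPN ID reused on the same device (a device-local approximation of "globally unique"). The parser, its names and the sample configuration are assumptions; the sample is constructed from the check's example with one non-compliant VFI (no vpn id) and one unbound service instance added so that the findings path is exercised.

```python
"""Added compliance check for the VPLS attachment-circuit rule (hypothetical script,
not DISA or STIGQter code). Input is text from 'show running-config'."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Vfi:
    name: str
    vpn_id: Optional[int] = None
    bridge_domain: Optional[int] = None
    neighbors: List[str] = field(default_factory=list)


@dataclass
class AttachmentCircuit:
    interface: str
    instance: int
    encapsulation: Optional[str] = None
    bridge_domain: Optional[int] = None


def parse_config(text: str) -> Tuple[Dict[str, Vfi], List[AttachmentCircuit]]:
    """Line-based parser for the VFI and service-instance parts of an IOS-XE config.
    Block boundaries are taken from keywords and '!' rather than indentation, so it
    also accepts configs whose leading spaces were lost when pasted."""
    vfis: Dict[str, Vfi] = {}
    circuits: List[AttachmentCircuit] = []
    vfi: Optional[Vfi] = None
    iface: Optional[str] = None
    ac: Optional[AttachmentCircuit] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            # '!' closes the innermost open block: a service instance inside an
            # interface, otherwise the interface or VFI block itself.
            if ac is not None:
                ac = None
            else:
                vfi = iface = None
            continue
        if line.startswith("l2 vfi "):
            vfi = Vfi(name=line.split()[2])
            vfis[vfi.name] = vfi
            iface = ac = None
            continue
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            vfi = ac = None
            continue
        m = re.match(r"service instance (\d+) ethernet", line)
        if m and iface is not None:
            ac = AttachmentCircuit(interface=iface, instance=int(m.group(1)))
            circuits.append(ac)
            continue
        if vfi is not None:
            if m := re.match(r"vpn id (\d+)", line):
                vfi.vpn_id = int(m.group(1))
            elif m := re.match(r"bridge-domain (\d+)", line):
                vfi.bridge_domain = int(m.group(1))
            elif m := re.match(r"neighbor (\S+) encapsulation mpls", line):
                vfi.neighbors.append(m.group(1))
        elif ac is not None:
            if m := re.match(r"encapsulation (.+)", line):
                ac.encapsulation = m.group(1)
            elif m := re.match(r"bridge-domain (\d+)", line):
                ac.bridge_domain = int(m.group(1))
    return vfis, circuits


def check_vpls_attachment_circuits(text: str) -> List[str]:
    """Return one finding string per violation; an empty list means compliant."""
    vfis, circuits = parse_config(text)
    findings: List[str] = []
    bd_to_vfi: Dict[int, Vfi] = {}
    seen_vpn: Dict[int, str] = {}
    for v in vfis.values():
        if v.vpn_id is None:
            findings.append(f"VFI {v.name} has no 'vpn id' configured")
        elif v.vpn_id in seen_vpn:
            findings.append(f"VPN ID {v.vpn_id} is reused by VFI {v.name} and VFI {seen_vpn[v.vpn_id]}")
        else:
            seen_vpn[v.vpn_id] = v.name
        if v.bridge_domain is not None:
            bd_to_vfi[v.bridge_domain] = v
    for ac in circuits:
        where = f"{ac.interface} service instance {ac.instance}"
        if ac.bridge_domain is None:
            findings.append(f"{where} has no bridge-domain and is not bound to any VFI")
            continue
        v = bd_to_vfi.get(ac.bridge_domain)
        if v is None:
            findings.append(f"{where} uses bridge-domain {ac.bridge_domain}, which is not bound to any VFI")
        elif v.vpn_id is None:
            findings.append(f"{where} is bound to VFI {v.name}, which has no VPN ID")
    return findings


# Constructed sample: the check's example (compliant) plus VPLS_B without a vpn id
# and a service instance on a bridge-domain no VFI uses.
SAMPLE_CONFIG = """
l2 vfi VPLS_A manual
 vpn id 110
 bridge-domain 100
 neighbor 10.3.3.3 encapsulation mpls
 neighbor 10.3.3.4 encapsulation mpls
!
l2 vfi VPLS_B manual
 bridge-domain 200
 neighbor 10.3.3.3 encapsulation mpls
!
interface GigabitEthernet0/1
 no switchport
 no ip address
 service instance 10 ethernet
  encapsulation untagged
  bridge-domain 100
 !
!
interface GigabitEthernet0/2
 no switchport
 no ip address
 service instance 20 ethernet
  encapsulation dot1q 200
  bridge-domain 200
 !
 service instance 30 ethernet
  encapsulation dot1q 300
  bridge-domain 300
 !
!
"""

if __name__ == "__main__":
    for f in check_vpls_attachment_circuits(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Running the script against a file saved from "show running-config" (read it and pass the text to check_vpls_attachment_circuits) prints one line per finding; GigabitEthernet0/1 service instance 10, bound to bridge-domain 100 of VPLS_A with VPN ID 110, produces none, while the two constructed circuits on GigabitEthernet0/2 do. Reviewing the device alone cannot prove VPN IDs are unique across the carrier network, so the implementation plan from Step 1 is still the authority for that part of the check.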

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4074

Comments