STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Cisco PE switch providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.

DISA Rule

SV-221121r622190_rule

Vulnerability Number

V-221121

Group Title

SRG-NET-000512-RTR-000008

Rule Version

CISC-RT-000670

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Assign globally unique VC IDs for each virtual circuit and configure the attachment circuits with the appropriate VC ID.

Check Contents

Verify that the correct and unique VC ID has been configured for the appropriate attachment circuit. In the example below, Ethernet2/1 is the CE-facing interface that is configured for VPWS with the VC ID of 55.

Step 1: Review the L2VPN virtual circuits and determine the member attachment circuit and pseudowire.

l2vpn xconnect context VC55
  member Ethernet2/1
  member Pseudowire55

Step 2: Determine the VC ID as configured for the neighbor and verify that the same VC ID is defined on the remote PE device.

port-profile type pseudowire MPLS_PROFILE
  encapsulation mpls

interface Pseudowire55
  neighbor 10.10.22.1 55
  inherit port-profile MPLS_PROFILE

Note: VPWS is also known as Ethernet over MPLS (EoMPLS) and Ethernet Virtual Circuit (EVC).

If the correct VC ID has not been configured on both switches, this is a finding.
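As an added example (not part of the STIG or of the STIGQter page), the following script automates the two-step check above: it parses show-run style excerpts from both PE switches, maps each attachment circuit to the VC ID on its pseudowire's neighbor statement, and reports a finding when a VC ID is reused on the same PE or is not configured on the remote PE towards this PE's address. The PE loopback addresses, the second xconnect context and the mismatched VC ID 57 are constructed assumptions.

```python
import re
# Constructed NX-OS excerpts (not from the STIG page). Assumed loopbacks: PE1 = 10.10.22.2, PE2 = 10.10.22.1.
PE1 = """
l2vpn xconnect context VC55
  member Ethernet2/1
  member Pseudowire55
l2vpn xconnect context VC56
  member Ethernet2/2
  member Pseudowire56
interface Pseudowire55
  neighbor 10.10.22.1 55
interface Pseudowire56
  neighbor 10.10.22.1 56
"""
PE2 = (PE1.replace("Ethernet2/", "Ethernet3/")  # PE2 mirrors PE1 ...
          .replace("neighbor 10.10.22.1 55", "neighbor 10.10.22.2 55")
          .replace("neighbor 10.10.22.1 56", "neighbor 10.10.22.2 57"))  # ... except VC ID 57: the mismatch

def parse_vpws(config):
    """Map each attachment circuit to the (neighbor IP, VC ID) of the pseudowire in its xconnect context."""
    pw_peer, members, ctx, pw = {}, {}, None, None  # assumes show-run layout: sub-commands follow their block
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"l2vpn xconnect context (\S+)$", line):
            ctx, pw = members.setdefault(m.group(1), []), None
        elif m := re.match(r"interface (Pseudowire\d+)$", line):
            ctx, pw = None, m.group(1)
        elif (m := re.match(r"member (\S+)$", line)) and ctx is not None:
            ctx.append(m.group(1))
        elif (m := re.match(r"neighbor (\S+) (\d+)$", line)) and pw:
            pw_peer[pw] = (m.group(1), int(m.group(2)))
    circuits = {}
    for names in members.values():  # pair every AC in a context with that context's pseudowire
        peer = next((pw_peer.get(n) for n in names if n.startswith("Pseudowire")), None)
        circuits.update({n: peer for n in names if not n.startswith("Pseudowire")})
    return circuits

def audit(local_cfg, local_ip, remote_cfg):
    """STIG check: each local VC ID is unique and the remote PE uses the same VC ID towards local_ip."""
    remote_pairs = {p for p in parse_vpws(remote_cfg).values() if p}
    findings, by_vcid = [], {}
    for ac, peer in parse_vpws(local_cfg).items():
        if peer is None:
            findings.append(f"{ac}: no pseudowire neighbor/VC ID bound to this attachment circuit")
            continue
        ip, vcid = peer
        by_vcid.setdefault(vcid, []).append(ac)
        if (local_ip, vcid) not in remote_pairs:
            findings.append(f"{ac}: VC ID {vcid} towards {ip} is not configured on the remote PE")
    findings += [f"VC ID {v} is reused by {acs}" for v, acs in by_vcid.items() if len(acs) > 1]
    return findings
```

Run `audit(PE1, "10.10.22.2", PE2)` to audit PE1 against PE2; an empty list means no finding for this rule.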

Documentable

False

Check Content Reference

M

Target Key

4075

Comments