STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.

DISA Rule

SV-221122r622190_rule

Vulnerability Number

V-221122

Group Title

SRG-NET-000512-RTR-000009

Rule Version

CISC-RT-000680

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Assign globally unique VPN IDs for each customer bridge domain using VPLS for carrier Ethernet services between multiple sites, and configure the attachment circuits to the appropriate VFI.

Step 1: Configure the pseudowire interfaces with the assigned VC-ID.

SW1(config)# interface Pseudowire12
SW1(config-if-pseudowire)# neighbor 10.2.2.2 100
SW1(config-if-pseudowire)# encapsulation mpls
SW1(config-pseudowire-mpls)# exit
SW1(config-if-pseudowire)# exit
SW1(config)# interface Pseudowire13
SW1(config-if-pseudowire)# neighbor 10.3.3.3 100
SW1(config-if-pseudowire)# encapsulation mpls
SW1(config-pseudowire-mpls)# exit
SW1(config-if-pseudowire)# exit

Step 2: Configure the virtual forwarding instance for the pseudowires as shown in the example with the assigned VPN ID.

SW1(config)# l2vpn vfi context CUST1_VPLS
SW1(config-l2vpn-vfi)# vpn 100
SW1(config-l2vpn-vfi)# member Pseudowire12
SW1(config-l2vpn-vfi)# member Pseudowire13
SW1(config-l2vpn-vfi)# exit

Step 3: Configure the service instance on the attachment circuit as shown in the example below:

SW1(config)# interface ethernet 2/2
SW1(config-if)# service instance 1 ethernet
SW1(config-if-srv)# encapsulation dot1q 100
SW1(config-if-srv)# exit
SW1(config-if)# exit

Step 4: Configure the bridge domain.

SW1(config)# bridge-domain 100
SW1(config-bdomain)# member ethernet 2/2 service-instance 1
SW1(config-bdomain)# member vfi CUST1_VPLS
SW1(config-bdomain)# end

Note: The service instance number configured on the attachment circuit must match the service instance referenced under the bridge domain, so that the circuit is bound to the bridge domain whose VFI defines the appropriate VPN ID.

Check Contents

Step 1: Review the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment.

Step 2: Review the PE switch configuration to verify that customer attachment circuits are associated with the appropriate VFI. In the example below, the attachment circuit at interface GigabitEthernet3 is associated with VPN ID 110.

bridge-domain 100
member vfi CUST1_VPLS
member Ethernet2/2 service instance 1

l2vpn vfi context CUST1_VPLS
vpn id 100
member Pseudowire12
member Pseudowire13

interface Ethernet2/2
service instance 1 ethernet
encapsulation dot1q 100

interface Pseudowire12
encapsulation mpls
neighbor 10.2.2.2 100

interface Pseudowire13
encapsulation mpls
neighbor 10.3.3.3 100

If the attachment circuits have not been bound to the VFI configured with the assigned VPN ID for each VLAN, this is a finding.
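The fix steps and the check above can be automated against a show running-config excerpt in the form shown. The following Python audit is an added example, not part of the STIG or of any Cisco tooling; it assumes a constructed sample config and a constructed implementation-plan mapping (customer VLAN to assigned VPN ID) and reports the finding condition of this rule: a VPN ID reused across VFIs, or an attachment circuit whose bridge domain is not bound to the VFI carrying the VPN ID planned for its VLAN.

```python
import re
# Constructed sample in show running-config form, modelled on this page's Check
# Contents. CUST2_VPLS reuses VPN ID 100, so it is the non-compliant stanza.
SAMPLE_CONFIG = """\
bridge-domain 100
member vfi CUST1_VPLS
member Ethernet2/2 service instance 1
l2vpn vfi context CUST1_VPLS
vpn id 100
member Pseudowire12
l2vpn vfi context CUST2_VPLS
vpn id 100
interface Ethernet2/2
service instance 1 ethernet
encapsulation dot1q 100
"""
PLAN = {100: 100}  # implementation plan: customer VLAN -> assigned VPN ID (constructed)
STANZA = re.compile(r"^(?=(?:bridge-domain|l2vpn vfi context|interface) )", re.M)

def parse_config(config):
    """VFIs {name: vpn id}, bridge domains {id: (vfi, [(intf, svc)])}, ACs {intf: {svc: vlan}}."""
    vfis, bds, acs = {}, {}, {}
    for stanza in filter(str.strip, STANZA.split(config)):  # keyword-delimited stanzas
        kind, name = stanza.split("\n", 1)[0].strip().rsplit(" ", 1)
        if kind == "l2vpn vfi context":
            vfis[name] = int(m.group(1)) if (m := re.search(r"vpn id (\d+)", stanza)) else None
        elif kind == "bridge-domain":
            m = re.search(r"member vfi (\S+)", stanza)
            bds[name] = (m and m.group(1), re.findall(r"member (\S+) service[- ]instance (\d+)", stanza))
        else:  # interface stanza: each service instance -> its dot1q VLAN
            acs[name] = {s: int(v) for s, v in re.findall(
                r"service instance (\d+) ethernet\s+encapsulation dot1q (\d+)", stanza)}
    return vfis, bds, acs

def audit(config, plan):
    """Findings per the check: unique VPN IDs, and every AC bound via its bridge domain to the planned VFI."""
    vfis, bds, acs = parse_config(config)
    findings, owner = [], {}
    for vfi, vpn in vfis.items():
        if vpn is None or vpn in owner:
            findings.append(f"VFI {vfi}: vpn id {vpn} is " + ("missing" if vpn is None else f"already used by {owner[vpn]}"))
        owner.setdefault(vpn, vfi)
    for bd, (vfi, members) in bds.items():
        for intf, svc in members:
            ac, vlan = f"{intf} service instance {svc}", acs.get(intf, {}).get(svc)
            if vfi not in vfis:
                findings.append(f"{ac} in bridge-domain {bd} is not bound to a configured VFI")
            elif plan.get(vlan) != vfis[vfi]:
                findings.append(f"{ac} (VLAN {vlan}) expects VPN ID {plan.get(vlan)}, VFI {vfi} has {vfis[vfi]}")
    return findings
```

Run `audit(open("show-run.txt").read(), plan)` against a real excerpt; an empty list means no finding under this rule's check.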

Vulnerability Number

V-221122

Documentable

False

Rule Version

CISC-RT-000680

Severity Override Guidance

Check Content Reference

M

Target Key

4075

Comments