STIGQter: STIG Summary: SDN Using NV Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 27 Feb 2017

Virtual Extensible Local Area Network (VXLAN) identifiers must be mapped to the appropriate VLAN identifiers.

DISA Rule

SV-87761r1_rule

Vulnerability Number

V-73109

Group Title

NET-SDN-021

Rule Version

NET-SDN-021

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the appropriate VLAN-to-VNI mapping on all VXLAN-enabled switches.

Check Contents

Review the VXLAN topology and documentation for the SDN deployment that identifies each VXLAN segment via VNI, VLAN membership, and the VLAN-to-VNI mapping to be implemented.

Review the VTEP configuration of all physical VXLAN-enabled switches to verify that the appropriate VLAN-to-VNI mapping has been defined.

If the correct VLAN-to-VNI mapping has not been configured on all VXLAN-enabled switches, this is a finding.

Note: This requirement is only applicable to VNIs that must be defined on each VXLAN-enabled switch. In addition, this requirement is applicable to the implementation of technologies similar to VXLAN (e.g., NVGRE, STT) for the purpose of transporting traffic between virtual machines residing on different physical hosts.
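The check above is a comparison between the documented design (each segment's VNI and the VLAN-to-VNI mapping) and what each VTEP actually has configured. The following script is an added example, not part of the STIG or of STIGQter, that automates that comparison: it parses VLAN-to-VNI statements out of running-config excerpts and reports, per switch, any VLAN that is unmapped or mapped to the wrong VNI, and any documented VNI bound to an undocumented VLAN (which would merge two segments). The config syntax it parses (`vlan N` followed by an indented `vn-segment M`) is an assumption modelled on a common NX-OS style; the design mapping, the per-switch "required VNI" sets, and the config excerpts are all constructed sample data. The per-switch required-VNI set implements the note that only VNIs which must be defined on a given switch are in scope for that switch.

```python
"""Audit VLAN-to-VNI mappings on VXLAN-enabled switches against the documented design.

Added example, not part of the STIG. The VTEP config syntax parsed here is an
assumption ('vlan N' / indented 'vn-segment M'); adapt the two regexes to the
running-config format of the platform being reviewed.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed design document: the intended VLAN -> VNI mapping for the deployment.
DOCUMENTED_MAPPING: Dict[int, int] = {10: 10010, 20: 10020, 30: 10030}

# Constructed per-switch scope: the VNIs that must be defined on each switch.
# (Per the STIG note, only VNIs required on a switch are in scope there.)
REQUIRED_VNIS: Dict[str, Set[int]] = {
    "leaf-1": {10010, 10020, 10030},
    "leaf-2": {10010, 10020},
}

# Constructed VTEP running-config excerpts. leaf-2 has VLAN 20 bound to the wrong VNI
# and VLAN 30 left unmapped (VNI 10030 is not required on leaf-2, so that is in scope nowhere).
SWITCH_CONFIGS: Dict[str, str] = {
    "leaf-1": """
vlan 10
  vn-segment 10010
vlan 20
  vn-segment 10020
vlan 30
  vn-segment 10030
""",
    "leaf-2": """
vlan 10
  vn-segment 10010
vlan 20
  vn-segment 10021
vlan 30
""",
}

VLAN_RE = re.compile(r"^vlan\s+(\d+)\s*$")          # assumed 'vlan N' stanza header
VNI_RE = re.compile(r"^\s+vn-segment\s+(\d+)\s*$")  # assumed indented 'vn-segment M'


def parse_vlan_vni(config: str) -> Dict[int, int]:
    """Return the VLAN -> VNI map declared in one config excerpt."""
    mapping: Dict[int, int] = {}
    current_vlan: Optional[int] = None
    for line in config.splitlines():
        m = VLAN_RE.match(line)
        if m:
            current_vlan = int(m.group(1))
            continue
        m = VNI_RE.match(line)
        if m and current_vlan is not None:
            mapping[current_vlan] = int(m.group(1))
    return mapping


def audit_switch(name: str, config: str) -> List[str]:
    """Compare one switch's mapping to the design. Empty list means no finding."""
    findings: List[str] = []
    actual = parse_vlan_vni(config)
    in_scope = REQUIRED_VNIS.get(name, set())

    # Every in-scope VNI must be present on its documented VLAN.
    for vlan, vni in DOCUMENTED_MAPPING.items():
        if vni not in in_scope:
            continue
        if vlan not in actual:
            findings.append(f"{name}: VLAN {vlan} has no VNI mapping (expected VNI {vni})")
        elif actual[vlan] != vni:
            findings.append(f"{name}: VLAN {vlan} mapped to VNI {actual[vlan]}, expected {vni}")

    # A documented VNI bound to a different VLAN would bridge two separate segments.
    documented_vni_to_vlan = {vni: vlan for vlan, vni in DOCUMENTED_MAPPING.items()}
    for vlan, vni in actual.items():
        if vni in documented_vni_to_vlan and documented_vni_to_vlan[vni] != vlan:
            findings.append(
                f"{name}: VNI {vni} bound to VLAN {vlan}, documented for VLAN {documented_vni_to_vlan[vni]}"
            )
    return findings


def audit_all() -> Dict[str, List[str]]:
    """Audit every switch in SWITCH_CONFIGS; a non-empty list for any switch is a finding."""
    return {name: audit_switch(name, cfg) for name, cfg in SWITCH_CONFIGS.items()}


if __name__ == "__main__":
    results = audit_all()
    for switch, findings in results.items():
        status = "OK" if not findings else "FINDING"
        print(f"{switch}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Running it against the constructed data reports leaf-1 as compliant and leaf-2 with one finding (VLAN 20 mapped to VNI 10021 instead of 10020); the unmapped VLAN 30 on leaf-2 is not reported because VNI 10030 is not in that switch's required set. In practice the design mapping would be loaded from the deployment documentation and the config excerpts collected from each physical VTEP.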

Vulnerability Number

V-73109

Documentable

False

Rule Version

NET-SDN-021

Severity Override Guidance


Check Content Reference

M

Target Key

3089

Comments