STIGQter: STIG Summary: Router Security Requirements Guide Version: 4 Release: 2 Benchmark Date: 23 Apr 2021:

The PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.

DISA Rule

SV-207128r604135_rule

Vulnerability Number

V-207128

Group Title

SRG-NET-000193

Rule Version

SRG-NET-000193-RTR-000002

Severity

CAT II

CCI(s)

• CCI-001095 - The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

Weight

10

Fix Recommendation

Configure storm control for each VPLS bridge domain. Base the suppression threshold on expected traffic rates plus some additional capacity.

Check Contents

Review the router configuration to verify that storm control is enabled on CE-facing interfaces deploying VPLS.

If storm control is not enabled for broadcast traffic, this is a finding.

Note: The threshold level can be from 0 to 100 percent of the link's bandwidth, where "0" suppresses all traffic. Most FastEthernet switching modules do not support multicast and unicast traffic storm control.

Vulnerability Number

V-207128

Documentable

False

Rule Version

SRG-NET-000193-RTR-000002

Severity Override Guidance

Review the router configuration to verify that storm control is enabled on CE-facing interfaces deploying VPLS.

If storm control is not enabled for broadcast traffic, this is a finding.

Note: The threshold level can be from 0 to 100 percent of the link's bandwidth, where "0" suppresses all traffic. Most FastEthernet switching modules do not support multicast and unicast traffic storm control.

Check Content Reference

M

Target Key

2917

Comments