STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

DISA Rule

SV-216701r531086_rule

Vulnerability Number

V-216701

Group Title

SRG-NET-000512-RTR-000005

Rule Version

CISC-RT-000630

Severity

CAT I

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Configure the PE router to have each VRF bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

Check Contents

Step 1: Review the design plan for deploying MPLS/L3VPN.

Step 2: Review all CE-facing interfaces and verify that the proper VRF is defined via the "ip vrf forwarding" command. In the example below, COI1 is bound to interface GigabitEthernet0/1, while COI2 is bound to GigabitEthernet0/2.

interface GigabitEthernet0/1
description link to COI1
ip vrf forwarding COI1
ip address x.1.0.1 255.255.255.0
!
interface GigabitEthernet0/2
description link to COI2
ip vrf forwarding COI2
ip address x.2.0.2 255.255.255.0

If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.

The Cisco PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments