STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.

DISA Rule

SV-216706r531086_rule

Vulnerability Number

V-216706

Group Title

SRG-NET-000512-RTR-000009

Rule Version

CISC-RT-000680

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Assign globally unique VPN IDs for each customer bridge domain using VPLS for carrier Ethernet services between multiple sites, and configure the attachment circuits to the appropriate VFI.

R1(config)#l2 vfi VPLS_A manual
R1(config-vfi)#vpn id 110
R1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls
R1(config-vfi)#bridge-domain 100
R1(config-vfi)#exit
R1(config-if)#service instance 10 ethernet
R1(config-if-srv)#encapsulation untagged
R1(config-if-srv)#bridge-domain 100
R1(config-if-srv)#end

Check Contents

Review the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment.

Review the PE router configuration to verify that customer attachment circuits are associated to the appropriate VFI. In the example below, the attached circuit at interface GigabitEthernet3 is associated to VPN ID 110.

l2 vfi VPLS_A manual
vpn id 110
bridge-domain 100
neighbor 10.3.3.3 encapsulation mpls
neighbor 10.3.3.4 encapsulation mpls
…
…
…
interface GigabitEthernet3
no ip address
service instance 10 ethernet
encapsulation untagged
bridge-domain 100

If the attachment circuits have not been bound to VFI configured with the assigned VPN ID for each VLAN, this is a finding.

Vulnerability Number

V-216706

Documentable

False

Rule Version

CISC-RT-000680

Severity Override Guidance

Review the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment.

Review the PE router configuration to verify that customer attachment circuits are associated to the appropriate VFI. In the example below, the attached circuit at interface GigabitEthernet3 is associated to VPN ID 110.

l2 vfi VPLS_A manual
vpn id 110
bridge-domain 100
neighbor 10.3.3.3 encapsulation mpls
neighbor 10.3.3.4 encapsulation mpls
…
…
…
interface GigabitEthernet3
no ip address
service instance 10 ethernet
encapsulation untagged
bridge-domain 100

If the attachment circuits have not been bound to VFI configured with the assigned VPN ID for each VLAN, this is a finding.

Check Content Reference

M

Target Key

4028

Comments