STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

DISA Rule

SV-216791r531087_rule

Vulnerability Number

V-216791

Group Title

SRG-NET-000512-RTR-000005

Rule Version

CISC-RT-000630

Severity

CAT I

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Configure the PE router to have each VRF bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

Check Contents

Step 1: Review the design plan for deploying L3VPN and VRF-lite.

Step 2: Review the design plan for deploying L3VPN and VRF-lite. Review all CE-facing interfaces and verify that the proper VRF is defined via the ip vrf forwarding command. In the example below, COI1 is bound to interface GigabitEthernet0/0/0/1, while COI2 is bound to GigabitEthernet0/0/0/2.

interface GigabitEthernet0/0/0/1
description link to COI1
vrf COI1
ipv4 address x.1.34.12 255.255.255.252
!
interface GigabitEthernet0/0/0/2
description link to COI2
vrf COI2
ipv4 address x.1.22.12 255.255.255.252

If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.

The Cisco PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments