STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-216798r531087_rule
V-216798
SRG-NET-000193-RTR-000002
CISC-RT-000700
CAT II
10
Configure storm control for each CE-facing interface as shown in the example below.
RP/0/0/CPU0:R3(config)#l2vpn
RP/0/0/CPU0:R3(config-l2vpn)#bridge group L2GROUP
RP/0/0/CPU0:R3(config-l2vpn-bg)# bridge-domain L2_BRIDGE_COI1
RP/0/0/CPU0:R3(config-l2vpn-bg-bd)#interface GigabitEthernet0/0/0/2
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#storm-control broadcast kbps 1200
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#storm-control multicast kbps 1200
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#storm-control unknown-unicast kbps 1200
RP/0/0/CPU0:R3(config-l2vpn-bg-bd-ac)#end
Note: The acceptable range is 10000000 -1000000000 for a gigabit ethernet interface, and 100000000-10000000000 for a ten gigabit interface. Storm control is not supported on most FastEthernet interfaces.
Review the router configuration to verify that storm control is enabled on CE-facing interfaces deploying VPLS as shown in the example below.
bridge group L2GROUP
bridge-domain L2_BRIDGE_COI1
interface GigabitEthernet0/0/0/2
storm-control unknown-unicast kbps 1200
storm-control multicast kbps 1200
storm-control broadcast kbps 1200
split-horizon group
!
If storm control is not enabled at a minimum for broadcast traffic, this is a finding.
V-216798
False
CISC-RT-000700
Review the router configuration to verify that storm control is enabled on CE-facing interfaces deploying VPLS as shown in the example below.
bridge group L2GROUP
bridge-domain L2_BRIDGE_COI1
interface GigabitEthernet0/0/0/2
storm-control unknown-unicast kbps 1200
storm-control multicast kbps 1200
storm-control broadcast kbps 1200
split-horizon group
!
If storm control is not enabled at a minimum for broadcast traffic, this is a finding.
M
4029