STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

DISA Rule

SV-217067r639663_rule

Vulnerability Number

V-217067

Group Title

SRG-NET-000512-RTR-000005

Rule Version

JUNI-RT-000610

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the PE router to have each VRF bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs as shown in the example below.

[edit]
set routing-instances L3VPN_CUST1 instance-type vrf
set routing-instances L3VPN_CUST1 description "Between PE1 & PE2"
set routing-instances L3VPN_CUST1 interface ge-0/1/0.0
set routing-instances L3VPN_CUST1 protocols ospf interface area 1 ge-0/1/0.0
set routing-instances L3VPN_CUST1 route-distinguisher 33:33
set routing-instances L3VPN_CUST1 vrf-target target:33:33
set routing-instances L3VPN_CUST1 vrf-table-label

Check Contents

Review the design plan for deploying L3VPN and VRF-lite.

Review all CE-facing interfaces and verify that the proper VRF is defined. The example below depicts the CE-facing interface ge-0/1/0 bound to VRF titled L3VPN_CUST1. Notice that the PE router is peering OSPF with the CE router.

interfaces {



}
ge-0/1/0 {
description "link to Customer 1";
unit 0 {
family inet {
address 101.3.44.6/30;
}
}
}



}

routing-instances {
L3VPN_CUST1 {
description "Between PE1 & PE2";
instance-type vrf;
interface ge-0/1/0.0;
route-distinguisher 33:33;
vrf-target target:33:33;
vrf-table-label;
protocols {
ospf {
area 0.0.0.1 {
interface ge-0/1/0.0;
}
}
}
}
}

If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.

Vulnerability Number

V-217067

Documentable

False

Rule Version

JUNI-RT-000610

Severity Override Guidance

Review the design plan for deploying L3VPN and VRF-lite.

Review all CE-facing interfaces and verify that the proper VRF is defined. The example below depicts the CE-facing interface ge-0/1/0 bound to VRF titled L3VPN_CUST1. Notice that the PE router is peering OSPF with the CE router.

interfaces {



}
ge-0/1/0 {
description "link to Customer 1";
unit 0 {
family inet {
address 101.3.44.6/30;
}
}
}



}

routing-instances {
L3VPN_CUST1 {
description "Between PE1 & PE2";
instance-type vrf;
interface ge-0/1/0.0;
route-distinguisher 33:33;
vrf-target target:33:33;
vrf-table-label;
protocols {
ospf {
area 0.0.0.1 {
interface ge-0/1/0.0;
}
}
}
}
}

If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.

Check Content Reference

M

Target Key

4032

Comments