STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 12 Feb 2021

The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).

DISA Rule

SV-217068r639663_rule

Vulnerability Number

V-217068

Group Title

SRG-NET-000512-RTR-000006

Rule Version

JUNI-RT-000620

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the router to have each VRF instance defined with the correct RT.

[edit]
set routing-instances L3VPN_CUST1 vrf-target target:33:33

Check Contents

Review the design plan for MPLS/L3VPN and VRF-lite to determine what RTs have been assigned for each VRF.

Review the router configuration and verify that the correct RT is configured for each VRF. In the example below, route target 33:33 has been configured for customer 1.

routing-instances {
    L3VPN_CUST1 {
        description "Between PE1 & PE2";
        instance-type vrf;
        interface ge-0/1/0.0;
        route-distinguisher 33:33;
        vrf-target target:33:33;
        vrf-table-label;
        protocols {
            ospf {
                area 0.0.0.1 {
                    interface ge-0/1/0.0;
                }
            }
        }
    }
}

If there are VRFs configured with the wrong RT, this is a finding.
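The check above can be scripted. The following is an added example, not part of the STIG or of any Juniper tooling: it reads a saved `routing-instances` stanza and reports every VRF whose `vrf-target` differs from the design plan. The sample configuration, the `L3VPN_CUST2` instance and the plan values are constructed, and only the single-line `vrf-target target:X:Y;` form shown on this page is handled.

```python
import re

# Constructed sample of a saved routing-instances stanza (not from a real router).
SAMPLE_CONFIG = """
routing-instances {
    L3VPN_CUST1 {
        instance-type vrf;
        vrf-target target:33:33;
    }
    L3VPN_CUST2 {
        instance-type vrf;
        vrf-target target:33:33;
    }
}
"""

# Constructed design plan: VRF name -> RT assigned in the MPLS/L3VPN design.
DESIGN_PLAN = {"L3VPN_CUST1": "target:33:33", "L3VPN_CUST2": "target:44:44"}


def parse_vrf_targets(config):
    """Return {instance: RT or None} for every instance of type vrf."""
    targets, vrfs, path = {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            path.append(line[:-1].strip())      # descend into a stanza
        elif line == "}":
            if path:                            # tolerate an unbalanced brace
                path.pop()
        elif len(path) == 2 and path[0] == "routing-instances":
            name = path[1]                      # statement directly under an instance
            if line == "instance-type vrf;":
                vrfs.add(name)
            m = re.fullmatch(r"vrf-target (target:\S+);", line)
            if m:
                targets[name] = m.group(1)
    return {name: targets.get(name) for name in vrfs}


def audit(config, plan):
    """Return findings as (vrf, configured_rt, planned_rt), sorted by VRF name.
    A VRF with no RT, or one absent from the plan, is reported with None."""
    configured = parse_vrf_targets(config)
    return [(n, configured[n], plan.get(n)) for n in sorted(configured)
            if configured[n] != plan.get(n)]


if __name__ == "__main__":
    for vrf, have, want in audit(SAMPLE_CONFIG, DESIGN_PLAN):
        print(f"FINDING {vrf}: configured {have}, design plan {want}")
```
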

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4032
