STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper PE router must be configured to implement Protocol Independent Multicast (PIM) snooping for each Virtual Private LAN Services (VPLS) bridge domain.

DISA Rule

SV-217074r639663_rule

Vulnerability Number

V-217074

Group Title

SRG-NET-000362-RTR-000119

Rule Version

JUNI-RT-000690

Severity

CAT III

CCI(s)

CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

Fix Recommendation

Configure PIM snooping for each VPLS bridge domain as shown in the example below.

[edit routing-instances VPLS_CUST2]
set routing-instances VPLS_CUST2 protocols pim-snooping

Check Contents

Review the router configuration to verify that PIM snooping has been configured under the routing instance protocols hierarchy for each VPLS bridge domain as shown in the example.

routing-instances {
VPLS_CUST2 {
instance-type vpls;
interface ge-0/1/0.0;
route-distinguisher 22:22;
vrf-target target:22:22;
}
protocols {
vpls {
site-range 9;
no-tunnel-services;
site R8 {
site-identifier 8;
interface ge-0/1/0.0;
}
vpls-id 102;
neighbor 8.8.8.8;
}
pim-snooping;
}
}
}
}

If the router is not configured to implement PIM snooping for each VPLS bridge domain, this is a finding.

The Juniper PE router must be configured to implement Protocol Independent Multicast (PIM) snooping for each Virtual Private LAN Services (VPLS) bridge domain.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments