STIGQter STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

DISA Rule

SV-221040r622190_rule

Vulnerability Number

V-221040

Group Title

SRG-NET-000343-RTR-000001

Rule Version

CISC-RT-000660

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the example below:

SW1(config)#mpls ldp neighbor 10.1.1.2 password xxxxxxxx

Check Contents

The Cisco switch is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below:

mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp

If the switch is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.

Vulnerability Number

V-221040

Documentable

False

Rule Version

CISC-RT-000660

Severity Override Guidance

The Cisco switch is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below:

mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp

If the switch is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.

Check Content Reference

M

Target Key

4074

Comments