STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco PE switch must be configured to enforce the split-horizon rule for all pseudowires within a Virtual Private LAN Services (VPLS) bridge domain.

DISA Rule

SV-221043r622190_rule

Vulnerability Number

V-221043

Group Title

SRG-NET-000512-RTR-000010

Rule Version

CISC-RT-000690

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Enable split horizon on all PE switches deploying VPLS in a full-mesh configuration.

SW1(config)#l2 vfi VPLS_A manual
SW1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls

Check Contents

Review the PE switch configuration to verify that split horizon is enabled. By default, split horizon is enabled; hence, the attribute no-split-horizon should not appear on the neighbor command. The example below shows a non-compliant configuration in which it is present:

l2 vfi VPLS_A manual
vpn id 110
bridge-domain 100
neighbor 10.3.3.3 encapsulation mpls no-split-horizon

If split horizon is not enabled, this is a finding.

Note: This requirement is only applicable to a mesh VPLS topology. VPLS solves the loop problem by using a split-horizon rule, which states that member PE switches of a VPLS must forward VPLS traffic only to the local attachment circuits when they receive the traffic from other PE switches. In a ring VPLS, split horizon must be disabled so that a PE switch can forward a packet received from one pseudowire to another pseudowire. To prevent the resulting loop, at least one span in the ring would not have a pseudowire for any given VPLS instance.
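An added example (not part of the STIG or of STIGQter) that automates the check and fix verification above: it scans a `show running-config` excerpt for `l2 vfi ... manual` blocks and reports every `neighbor ... encapsulation mpls` pseudowire that carries `no-split-horizon`, skipping any VFI listed in a hypothetical `ring_vfis` allowlist for the ring topologies the note exempts. The sample configuration is constructed, and the one-space indentation of VFI sub-commands is assumed to match `show running-config` output.

```python
import re

# Constructed sample `show running-config` excerpt (not from the page): VPLS_A
# disables split horizon on one pseudowire, VPLS_B keeps the default, and
# VPLS_RING is a documented ring topology where no-split-horizon is expected.
SAMPLE_CONFIG = """\
l2 vfi VPLS_A manual
 vpn id 110
 bridge-domain 100
 neighbor 10.3.3.3 encapsulation mpls no-split-horizon
 neighbor 10.4.4.4 encapsulation mpls
!
l2 vfi VPLS_B manual
 vpn id 120
 bridge-domain 200
 neighbor 10.3.3.3 encapsulation mpls
!
l2 vfi VPLS_RING manual
 vpn id 130
 bridge-domain 300
 neighbor 10.5.5.5 encapsulation mpls no-split-horizon
!
"""

VFI_RE = re.compile(r"^l2 vfi (\S+) manual\b")
NEIGHBOR_RE = re.compile(r"^\s*neighbor (\S+) encapsulation mpls(?P<rest>.*)$")

def check_split_horizon(config, ring_vfis=frozenset()):
    """Return (vfi, neighbor, line_no) for each pseudowire configured with
    no-split-horizon inside a VFI not documented as a ring (assumed allowlist)."""
    findings, current_vfi = [], None
    for line_no, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        m = VFI_RE.match(line)
        if m:
            current_vfi = m.group(1)   # entered an l2 vfi block
            continue
        if line == "!" or (line and not line[0].isspace()):
            current_vfi = None         # left the block at a top-level command
            continue
        n = NEIGHBOR_RE.match(line)
        if current_vfi and n and "no-split-horizon" in n.group("rest").split():
            if current_vfi not in ring_vfis:
                findings.append((current_vfi, n.group(1), line_no))
    return findings

if __name__ == "__main__":
    for vfi, nbr, ln in check_split_horizon(SAMPLE_CONFIG):
        print(f"FINDING line {ln}: vfi {vfi} neighbor {nbr} has no-split-horizon")
```

Any finding it prints corresponds to a neighbor command that must be re-entered without `no-split-horizon`, as in the Fix Recommendation.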

Severity Override Guidance

Check Content Reference

M

Target Key

4074

Comments