STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

DISA Rule

SV-221117r622190_rule

Vulnerability Number

V-221117

Group Title

SRG-NET-000512-RTR-000005

Rule Version

CISC-RT-000630

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure the PE switch to have each VRF bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

Check Contents

Step 1: Review the design plan for deploying MPLS/L3VPN.

Step 2: Review all CE-facing interfaces and verify that the proper VRF is defined via the ip vrf forwarding command. In the example below, customer 1 is bound to interface Ethernet2/1, while customer 2 is bound to Ethernet2/2.

interface Ethernet2/1
no switchport
vrf member CUST1
ip address x.2.22.3/24

interface Ethernet2/2
no switchport
vrf member CUST2
ip address x.2.8.4/24

If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.

Vulnerability Number

V-221117

Documentable

False

Rule Version

CISC-RT-000630

Severity Override Guidance

Step 1: Review the design plan for deploying MPLS/L3VPN.

Step 2: Review all CE-facing interfaces and verify that the proper VRF is defined via the ip vrf forwarding command. In the example below, customer 1 is bound to interface Ethernet2/1, while customer 2 is bound to Ethernet2/2.

interface Ethernet2/1
no switchport
vrf member CUST1
ip address x.2.22.3/24

interface Ethernet2/2
no switchport
vrf member CUST2
ip address x.2.8.4/24

If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.

Check Content Reference

M

Target Key

4075

Comments