The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-101791	CISC-RT-000630	SV-110895r1_rule		High

Description
The primary security model for an MPLS L3VPN infrastructure is traffic separation. The service provider must guarantee the customer that traffic from one VPN does not leak into another VPN or into the core, and that core traffic must not leak into any VPN. Hence, it is imperative that each CE-facing interface can only be associated to one VRF—that alone is the fundamental framework for traffic separation.

Description

The primary security model for an MPLS L3VPN infrastructure is traffic separation. The service provider must guarantee the customer that traffic from one VPN does not leak into another VPN or into the core, and that core traffic must not leak into any VPN. Hence, it is imperative that each CE-facing interface can only be associated to one VRF—that alone is the fundamental framework for traffic separation.

STIG	Date
Cisco IOS-XE Switch RTR Security Technical Implementation Guide	2020-05-20

Details

Check Text ( C-100679r1_chk )
Step 1: Review the design plan for deploying L3VPN and VRF-lite. Step 2: Review the design plan for deploying L3VPN and VRF-lite. Review all CE-facing interfaces and verify that the proper VRF is defined via the "ip vrf forwarding" command. In the example below, COI1 is bound to interface GigabitEthernet0/1, while COI2 is bound to GigabitEthernet0/2. interface GigabitEthernet0/1 description link to COI1 no switchport ip vrf forwarding COI1 ip address x.1.0.1 255.255.255.0 ! interface GigabitEthernet0/2 description link to COI2 no switchport ip vrf forwarding COI2 ip address x.2.0.2 255.255.255.0 If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.

Check Text ( C-100679r1_chk )

Step 1: Review the design plan for deploying L3VPN and VRF-lite.

Step 2: Review the design plan for deploying L3VPN and VRF-lite. Review all CE-facing interfaces and verify that the proper VRF is defined via the "ip vrf forwarding" command. In the example below, COI1 is bound to interface GigabitEthernet0/1, while COI2 is bound to GigabitEthernet0/2.

interface GigabitEthernet0/1
description link to COI1
no switchport
ip vrf forwarding COI1
ip address x.1.0.1 255.255.255.0
!
interface GigabitEthernet0/2
description link to COI2
no switchport
ip vrf forwarding COI2
ip address x.2.0.2 255.255.255.0

If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.

Fix Text (F-107475r1_fix)
Configure the PE switch to have each VRF bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.