UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221042 CISC-RT-000680 SV-221042r622190_rule High
Description
VPLS defines an architecture that delivers Ethernet multipoint services over an MPLS network. Customer Layer 2 frames are forwarded across the MPLS core via pseudowires using IEEE 802.1q Ethernet bridging principles. A pseudowire is a virtual bidirectional connection between two attachment circuits (virtual connections between PE and CE switches). A pseudowire contains two unidirectional label-switched paths (LSP) between two PE switches. Each MAC virtual forwarding table instance (VFI) is interconnected using pseudowires provisioned for the bridge domain, thereby maintaining privacy and logical separation between each VPLS bridge domain. The VFI specifies the pseudowires associated with connecting PE switches and the customer-facing attachment circuits belonging to a given VLAN. Resembling a Layer 2 switch, the VFI is responsible for learning MAC addresses and providing loop-free forwarding of customer traffic to the appropriate end nodes. Each VPLS domain is identified by a globally unique VPN ID; hence, VFIs of the same VPLS domain must be configured with the same VPN ID on all participating PE switches. To guarantee traffic separation for all customer VLANs and that all packets are forwarded to the correct destination, it is imperative that the correct attachment circuits are associated with the appropriate VFI and that each VFI is associated to the unique VPN ID assigned to the customer VLAN.
STIG Date
Cisco IOS-XE Switch RTR Security Technical Implementation Guide 2022-09-13

Details

Check Text ( C-22757r408920_chk )
Step 1: Review the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment.

Step 2: Review the PE switch configuration to verify that customer attachment circuits are associated to the appropriate VFI. In the example below, the attached circuit at interface GigabitEthernet0/1 is associated to VPN ID 110.

l2 vfi VPLS_A manual
vpn id 110
bridge-domain 100
neighbor 10.3.3.3 encapsulation mpls
neighbor 10.3.3.4 encapsulation mpls



interface GigabitEthernet0/1
no switchport
no ip address
service instance 10 ethernet
encapsulation untagged
bridge-domain 100

If the attachment circuits have not been bound to the VFI configured with the assigned VPN ID for each VLAN, this is a finding.
Fix Text (F-22746r408921_fix)
Assign globally unique VPN IDs for each customer bridge domain using VPLS for carrier Ethernet services between multiple sites, and configure the attachment circuits to the appropriate VFI.

SW1(config)#l2 vfi VPLS_A manual
SW1(config-vfi)#vpn id 110
SW1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls
SW1(config-vfi)#bridge-domain 100
SW1(config-vfi)#exit
SW1(config)#int g0/1
SW1(config-if)#service instance 10 ethernet
SW1(config-if-srv)#encapsulation untagged
SW1(config-if-srv)#bridge-domain 100
SW1(config-if-srv)#end