UCF STIG Viewer Logo

The PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.


Overview

Finding ID Version Rule ID IA Controls Severity
V-207176 SRG-NET-000512-RTR-000005 SV-207176r604135_rule High
Description
The primary security model for an MPLS L3VPN infrastructure is traffic separation. The service provider must guarantee the customer that traffic from one VPN does not leak into another VPN or into the core, and that core traffic must not leak into any VPN. Hence, it is imperative that each CE-facing interface can only be associated to one VRF—that alone is the fundamental framework for traffic separation.
STIG Date
Router Security Requirements Guide 2021-03-16

Details

Check Text ( C-7437r382616_chk )
Review the design plan for deploying L3VPN and VRF-lite.

Review all CE-facing interfaces and verify that the proper VRF is defined.

If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.
Fix Text (F-7437r382617_fix)
Configure the PE router to have each VRF bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.