STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cisco NX OS Switch RTR Security Technical Implementation Guide

V-221117

CAT I (High)

The Cisco PE switch must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.

Rule ID

SV-221117r999771_rule

STIG

Cisco NX OS Switch RTR Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-004931

Discussion

The primary security model for an MPLS L3VPN infrastructure is traffic separation. The service provider must guarantee the customer that traffic from one VPN does not leak into another VPN or into the core, and that core traffic must not leak into any VPN. Hence, it is imperative that each CE-facing interface can only be associated to one VRF—that alone is the fundamental framework for traffic separation.

Check Content

Step 1: Review the design plan for deploying MPLS/L3VPN. 

Step 2: Review all CE-facing interfaces and verify that the proper VRF is defined via the ip vrf forwarding command. In the example below, customer 1 is bound to interface Ethernet2/1, while customer 2 is bound to Ethernet2/2.

interface Ethernet2/1
 no switchport
 vrf member CUST1
 ip address x.2.22.3/24

interface Ethernet2/2
 no switchport
 vrf member CUST2
 ip address x.2.8.4/24

If any VRFs are not bound to the appropriate physical or logical interface, this is a finding.

Fix Text

Configure the PE switch to have each VRF bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.