Check: JUNI-RT-000690
Juniper Router RTR STIG:
JUNI-RT-000690
(in versions v3 r1 through v1 r0.1)
Title
The Juniper PE router must be configured to implement Protocol Independent Multicast (PIM) snooping for each Virtual Private LAN Services (VPLS) bridge domain. (Cat III impact)
Discussion
PIM snooping provides a way to constrain multicast traffic at Layer 2. By monitoring PIM join and prune packets on each interface, the PE router is able to determine interested multicast receivers and hence will populate the layer 2 multicast-forwarding table. This enables the PE router to deliver traffic only to ports with at least one interested member within the VPLS bridge, thereby significantly reducing the volume of multicast traffic that would otherwise flood an entire VPLS bridge domain. The PIM snooping operation applies to both access circuits and pseudowires within a VPLS bridge domain.
Check Content
Review the router configuration to verify that PIM snooping has been configured under the routing instance protocols hierarchy for each VPLS bridge domain as shown in the example. routing-instances { VPLS_CUST2 { instance-type vpls; interface ge-0/1/0.0; route-distinguisher 22:22; vrf-target target:22:22; } protocols { vpls { site-range 9; no-tunnel-services; site R8 { site-identifier 8; interface ge-0/1/0.0; } vpls-id 102; neighbor 8.8.8.8; } pim-snooping; } } } } If the router is not configured to implement PIM snooping for each VPLS bridge domain, this is a finding.
Fix Text
Configure PIM snooping for each VPLS bridge domain as shown in the example below. [edit routing-instances VPLS_CUST2] set routing-instances VPLS_CUST2 protocols pim-snooping
Additional Identifiers
Rule ID: SV-217074r855903_rule
Vulnerability ID: V-217074
Group Title: SRG-NET-000362-RTR-000119
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
Number | Title |
---|---|
SC-5 |
Denial of Service Protection |