STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Router Security Technical Implementation Guide

V-283844

CAT I (High)

The Nokia Provider Edge (PE) router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).

Rule ID

SV-283844r1203781_rule

STIG

Nokia Service Router OS 25.x Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

The primary security model for a Multiprotocol Label Switching (MPLS) Layer 3 virtual private network (L3VPN), as well as a VRF-lite infrastructure, is traffic separation. Each interface can be associated to only one VRF, which is the fundamental framework for traffic separation. Forwarding decisions are made based on the routing table belonging to the VRF. Control of what routes are imported into or exported from a VRF is based on the RT. It is critical that traffic does not leak from one Community of Interest tenant or L3VPN to another; hence, it is imperative that the correct RT is configured for each VRF.

Check Content

Verify the correct RT is configured for each VRF.

Review the design plan for MPLS/L3VPN and VRF-lite to determine what RTs have been assigned for each VRF.

Use the command below to verify "Vrf Target" fields:

- show service id 30 base | match "Vrf Target"
Vrf Target        : target:65100:30

If any VRFs are configured with the wrong RT, this is a finding.

Fix Text

Configure all PE routers to have the correct VRF defined with the appropriate RT, as shown in the example below: 

- configure service vprn 30 customer 1 create
- config>service>vprn# bgp-ipvpn mpls vrf-target target:65100:30
- config>service>vprn# bgp-ipvpn mpls no shutdown