Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the complianz-gdpr domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /mnt/web216/a3/47/510846147/htdocs/STRATO-apps/wordpress_01/app/wp-includes/functions.php on line 6114 Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the memberpress domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /mnt/web216/a3/47/510846147/htdocs/STRATO-apps/wordpress_01/app/wp-includes/functions.php on line 6114 Cisco IOS MPLS VPN May Leak Information – Devnet Community

Cisco IOS MPLS VPN May Leak Information

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

Workarounds

Customers running versions of Cisco IOS that support filtering of extended communities can prevent the corruption of the route target (RT) by applying a BGP route-map that removes RT entries on inbound BGP sessions.

The following configuration example applied in the ipv4 address family of a PE device removes extended communities from the CE router:

router bgp
address-family ipv4 vrf one
neighbor
remote-as
neighbor
activate neighbor
route-map FILTER in exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
!
route-map FILTER permit 10
set extcomm-list 100 delete
!
The following configuration example applied in the ipv6 address family of a PE device removes extended communities from the CE router:

router bgp
address-family ipv6 vrf one
neighbor
remote-as
neighbor
activate neighbor
route-map FILTER in exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
!
route-map FILTER permit 10
set extcomm-list 100 delete
!
Note: The capability of filtering extended communities is only available in certain 12.0S and 12.2S based Cisco IOS releases.

BGP session between the PE and the CE needs to cleared to make this configuration change effective.

Share:

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked *