
The Arista BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.


Overview

Finding ID: V-256036
Version: ARST-RT-000570
Rule ID: SV-256036r882450_rule
IA Controls: (none listed)
Severity: Low
Description
The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.
STIG: Arista MLS EOS 4.2x Router Security Technical Implementation Guide
Date: 2023-01-17

Details

Check Text ( C-59712r882448_chk )
This requirement is not applicable for the DODIN backbone.

Review the Arista router configuration to verify there is a filter to reject inbound route advertisements that are greater than /24 or the least significant prefixes issued to the customer, whichever is larger.

Step 1: To verify there is a filter to reject inbound route advertisements that are greater than /24 or the least significant prefixes issued to the customer, whichever is larger, execute the command "sh ip prefix-list".

ip prefix-list ADVERTISE_ROUTES deny 0.0.0.0/0 ge 25
ip prefix-list ADVERTISE_ROUTES permit 0.0.0.0/0 le 32

Step 2: Verify the prefix-list is applied inbound in the BGP process. Execute the command "sh run section router bgp".

router bgp 65000
neighbor 10.1.12.2 prefix-list ADVERTISE_ROUTES in

If the Arista router is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.
Fix Text (F-59655r882449_fix)
This requirement is not applicable for the DODIN backbone.

Ensure all eBGP Arista routers are configured to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

Step 1: Configure the prefix-list.

ip prefix-list ADVERTISE_ROUTES deny 0.0.0.0/0 ge 25
ip prefix-list ADVERTISE_ROUTES permit 0.0.0.0/0 le 32

Step 2: Apply the prefix-list in the BGP process inbound.

LEAF-1A(config)#router bgp 65000
LEAF-1A(config-router-bgp)#neighbor 10.1.12.2 prefix-list ADVERTISE_ROUTES in
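The two prefix-list lines in the check and fix above rely on EOS prefix-list semantics (first match wins, implicit deny at the end, and the ge/le qualifiers matching on mask length rather than on the 0.0.0.0/0 prefix itself). The following Python model is an added example, not Arista's code and not part of the STIG text: it parses the exact lines shown above, evaluates sample advertisements against them, and generalises the same two-line shape to any maximum prefix length, which is what "the least significant prefixes issued to the customer" calls for when that is longer than /24. The sample routes, the list name CUSTOMER_IN and the function names are constructed for the example.

```python
"""Evaluate inbound BGP advertisements against an EOS-style prefix-list.

Added illustration for the STIG check and fix above; not Arista's code. It
models first-match, implicit-deny prefix-list semantics with ge/le length
qualifiers so the effect of the two ADVERTISE_ROUTES lines can be seen.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixListEntry:
    action: str                         # "permit" or "deny"
    prefix: ipaddress.IPv4Network       # the covering prefix, e.g. 0.0.0.0/0
    ge: Optional[int] = None            # minimum mask length, if given
    le: Optional[int] = None            # maximum mask length, if given

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        """True if `route` lies inside `prefix` with a mask length in range."""
        if not route.subnet_of(self.prefix):
            return False
        # No ge/le: exact-length match. ge alone extends the range up to /32;
        # le alone extends it down from the entry's own mask length.
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.prefix.prefixlen
        return lo <= route.prefixlen <= hi


_LINE = re.compile(
    r"^ip prefix-list (\S+)(?: seq \d+)? (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?$"
)


def parse_prefix_list(text: str) -> List[PrefixListEntry]:
    """Parse `ip prefix-list ...` lines (one list assumed) into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised prefix-list line: {line!r}")
        _name, action, prefix, ge, le = m.groups()
        entries.append(PrefixListEntry(
            action, ipaddress.IPv4Network(prefix),
            int(ge) if ge else None, int(le) if le else None))
    return entries


def evaluate(entries: List[PrefixListEntry], route: str) -> str:
    """First matching entry decides; an unmatched route is implicitly denied."""
    net = ipaddress.IPv4Network(route)
    for entry in entries:
        if entry.matches(net):
            return entry.action
    return "deny"


def build_max_length_filter(name: str, max_len: int) -> List[PrefixListEntry]:
    """Generalise the STIG's /24 list to any maximum length: deny anything
    longer than `max_len`, then permit everything else (same two-line shape)."""
    return parse_prefix_list(
        f"ip prefix-list {name} deny 0.0.0.0/0 ge {max_len + 1}\n"
        f"ip prefix-list {name} permit 0.0.0.0/0 le 32")


# The exact two lines from the STIG check text.
STIG_LIST = parse_prefix_list("""
ip prefix-list ADVERTISE_ROUTES deny 0.0.0.0/0 ge 25
ip prefix-list ADVERTISE_ROUTES permit 0.0.0.0/0 le 32
""")

# Constructed sample advertisements (documentation ranges), not real routes.
SAMPLE_ROUTES = ["192.0.2.0/24", "192.0.2.0/25", "198.51.100.128/32",
                 "203.0.112.0/23", "0.0.0.0/0"]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(f"{r:>20}  ->  {evaluate(STIG_LIST, r)}")
```

Running the block shows /24 and shorter prefixes (including a default route) permitted and anything /25 or longer denied. The point worth checking against a live configuration is the implicit deny: a list consisting only of the deny line would block every inbound route, which is why the permit line with `le 32` must follow it.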