Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-221027 | CISC-RT-000530 | SV-221027r622190_rule | Medium |
Description |
---|
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path. |
STIG | Date |
---|---|
Cisco IOS-XE Switch RTR Security Technical Implementation Guide | 2022-09-13 |
Check Text ( C-22742r408875_chk ) |
---|
Step 1: Verify that a prefix list has been configured containing prefixes belonging to the IP core. ip prefix-list FILTER_CORE_PREFIXES seq 5 deny x.1.1.0/24 le 32 ip prefix-list FILTER _CORE_PREFIXES seq 10 deny x.1.2.0/24 le 32 ip prefix-list FILTER _CORE_PREFIXES seq 15 permit 0.0.0.0/0 ge 8 Step 2: Verify that the prefix lists has been applied to all external BGP peers as shown in the example below: router bgp xx no synchronization bgp log-neighbor-changes neighbor x.1.4.12 remote-as yy neighbor x.1.4.12 prefix-list FILTER _CORE_PREFIXES out If the switch is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding. |
Fix Text (F-22731r408876_fix) |
---|
Step 1: Configure a prefix list for containing all customer and local AS prefixes as shown in the example below: SW1(config)#ip prefix-list FILTER_CORE_PREFIXES deny x.1.1.0/24 le 32 SW1(config)#ip prefix-list FILTER _CORE_PREFIXES deny x.1.2.0/24 le 32 SW1(config)#ip prefix-list FILTER _CORE_PREFIXES permit 0.0.0.0/0 ge 8 Step 2: Apply the prefix list filter outbound to each CE neighbor as shown in the example. SW1(config)#router bgp xx SW1(config-switch)#neighbor x.1.4.12 prefix-list FILTER _CORE_PREFIXES out |