The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-221027 | CISC-RT-000530 | SV-221027r622190_rule | Medium |
| Description |
|---|
| Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path. |
| STIG | Date |
|---|---|
| Cisco IOS-XE Switch RTR Security Technical Implementation Guide | 2022-09-13 |
Details
| Check Text ( C-22742r408875_chk ) |
|---|
| Step 1: Verify that a prefix list has been configured containing prefixes belonging to the IP core. ip prefix-list FILTER_CORE_PREFIXES seq 5 deny x.1.1.0/24 le 32 ip prefix-list FILTER _CORE_PREFIXES seq 10 deny x.1.2.0/24 le 32 ip prefix-list FILTER _CORE_PREFIXES seq 15 permit 0.0.0.0/0 ge 8 Step 2: Verify that the prefix lists has been applied to all external BGP peers as shown in the example below: router bgp xx no synchronization bgp log-neighbor-changes neighbor x.1.4.12 remote-as yy neighbor x.1.4.12 prefix-list FILTER _CORE_PREFIXES out If the switch is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding. |
| Fix Text (F-22731r408876_fix) |
|---|
| Step 1: Configure a prefix list for containing all customer and local AS prefixes as shown in the example below: SW1(config)#ip prefix-list FILTER_CORE_PREFIXES deny x.1.1.0/24 le 32 SW1(config)#ip prefix-list FILTER _CORE_PREFIXES deny x.1.2.0/24 le 32 SW1(config)#ip prefix-list FILTER _CORE_PREFIXES permit 0.0.0.0/0 ge 8 Step 2: Apply the prefix list filter outbound to each CE neighbor as shown in the example. SW1(config)#router bgp xx SW1(config-switch)#neighbor x.1.4.12 prefix-list FILTER _CORE_PREFIXES out |