UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.


Overview

Finding ID Version Rule ID IA Controls Severity
V-96555 CISC-RT-000290 SV-105693r2_rule High
Description
ISPs use BGP to share route information with other autonomous systems (i.e. other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRnet routes could be advertised to the ISP, thereby creating a backdoor connection from the Internet to the NIPRnet.
STIG Date
Cisco IOS Router RTR Security Technical Implementation Guide 2020-06-30

Details

Check Text ( C-95391r1_chk )
This requirement is not applicable for the DODIN Backbone.

Review the router configuration and verify that it is not BGP peering with an alternate gateway service provider.

Step 1: Determine the ip address of the ISP router

interface GigabitEthernet0/2
description Link to ISP
ip address x.22.1.15 255.255.255.240

Step 2: Verify that the router is not BGP peering with this router.

router bgp nn
no synchronization
bgp log-neighbor-changes
neighbor x.11.1.7 remote-as nn
neighbor x.11.1.7 password xxxxxxx
no auto-summary

In the example above, the router is not peering with the ISP.

If the router is BGP peering with an alternate gateway service provider, this is a finding.
Fix Text (F-102229r1_fix)
This requirement is not applicable for the DODIN Backbone.

Remove any BGP neighbors belonging to the alternate gateway service provider and configure a static route to forward Internet bound traffic to the alternate gateway as shown in the example below.

R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14