The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221104	CISC-RT-000500	SV-221104r622190_rule		Medium

Description
Accepting route advertisements belonging to the local AS can result in traffic looping or being black-holed, or at a minimum, using a non-optimized path.

STIG	Date
Cisco NX OS Switch RTR Security Technical Implementation Guide	2023-02-15

Details

Check Text ( C-22819r409801_chk )
Review the switch configuration to verify that it will reject routes belonging to the local AS. Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS. In the example below x.13.1.0/24 is the global address space allocated to the local AS. ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32 … … … ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32 ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8 Step 2: Verify that the prefix list has been applied to all external BGP peers as shown in the example below: router bgp xx router-id 10.1.1.1 neighbor x.1.12.2 remote-as xx password 3 7b07d1b3023056a9 address-family ipv4 unicast prefix-list PREFIX_FILTER in neighbor x.2.44.4 remote-as xx password 3 f07a10cb41db8bb6f8f0a340049a9b02 address-family ipv4 unicast prefix-list PREFIX_FILTER in If the switch is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.

Check Text ( C-22819r409801_chk )

Review the switch configuration to verify that it will reject routes belonging to the local AS.

Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS. In the example below x.13.1.0/24 is the global address space allocated to the local AS.

ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32
…
…
…
ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32
ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8

Step 2: Verify that the prefix list has been applied to all external BGP peers as shown in the example below:

router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
password 3 7b07d1b3023056a9
address-family ipv4 unicast
prefix-list PREFIX_FILTER in
neighbor x.2.44.4 remote-as xx
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
prefix-list PREFIX_FILTER in

If the switch is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.

Fix Text (F-22808r409802_fix)
Configure the switch to reject inbound route advertisements for any prefixes belonging to the local AS. Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system. SW1(config)# ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32 Step 2: If not already completed to be compliant with previous requirement, apply the prefix list filter inbound to each external BGP neighbor as shown in the example below: SW1(config)# router bgp xx SW1(config-router)# neighbor x.1.12.2 SW1(config-router-neighbor)# address-family ipv4 unicast SW1(config-router-neighbor-af)# prefix-list PREFIX_FILTER in SW1(config-router-neighbor-af)# exit SW1(config-router-neighbor)# exit SW1(config-router)# neighbor x.2.44.4 SW1(config-router-neighbor)# address-family ipv4 unicast SW1(config-router-neighbor-af)# prefix-list PREFIX_FILTER in SW1(config-router-neighbor-af)# end

Fix Text (F-22808r409802_fix)

Configure the switch to reject inbound route advertisements for any prefixes belonging to the local AS.

Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system.

SW1(config)# ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32

Step 2: If not already completed to be compliant with previous requirement, apply the prefix list filter inbound to each external BGP neighbor as shown in the example below:

SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list PREFIX_FILTER in
SW1(config-router-neighbor-af)# exit
SW1(config-router-neighbor)# exit
SW1(config-router)# neighbor x.2.44.4
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list PREFIX_FILTER in
SW1(config-router-neighbor-af)# end