3.1.2.2 If Possible, Limit the BGP Routes Accepted from Peers

Information

Once a BGP session is established, the BGP process accepts every route the peer advertises and treats it as valid. For this reason, especially in ISP or other carrier deployments, each peer should be allowed to advertise only the prefixes that are legitimately its to announce, and everything else it sends should be rejected.

Rationale:

Impact:

Without route filtering, any route advertised by any BGP peer is accepted as valid. For this reason, especially in carrier or ISP environments, inbound route filtering must be configured. Without it, a misconfigured or compromised peer can advertise entire subnets that should be routed elsewhere, either black-holing the traffic (routing it to null) or attracting traffic for the hijacked subnet so that it can be intercepted or modified before being forwarded on to its final destination.

Solution

First, define the subnets that will be accepted from the peer PEERNAME (use descriptive, self-documenting names in NX-OS constructs where possible). Any prefix not matched by a permit entry is denied: a prefix-list is evaluated top-down, first match wins, and there is an implicit 'deny all' at the bottom of the list.

switch(config)# ip prefix-list PL_PEERNAME_PERMIT_SUBNETS description Permitted Subnets from Peer PEERNAME
switch(config)# ip prefix-list PL_PEERNAME_PERMIT_SUBNETS permit 10.11.11.0/24
switch(config)# ip prefix-list PL_PEERNAME_PERMIT_SUBNETS permit 10.11.12.0/24

In the example above, only 'permit' entries are defined. 'deny' entries are also allowed, refusing specific prefixes that must never be accepted (for instance 'bogon' or 'martian' ranges), and may be more important in some situations, for example if this switch accepts routes from the public internet (not a typical deployment scenario for an NX-OS switch). Explicit denies matter when they are followed by a broad permit such as 'permit 0.0.0.0/0 le 24'; with only specific permits, the implicit deny already rejects everything else.
Next, create the route-map that will apply that list:

switch(config)# route-map RM_BGP_PEERNAME_IN permit 10
switch(config-route-map)# match ip address prefix-list PL_PEERNAME_PERMIT_SUBNETS

Finally, within the BGP configuration, apply that route-map to the BGP peer definition. The 'in' keyword applies the policy to routes received from the peer (inbound); an 'out' route-map would instead filter what is advertised to it:

switch(config)# router bgp 65520
switch(config-router)# router-id 10.10.10.10
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)# network 10.10.10.0/24
switch(config-router-af)# neighbor 10.10.10.11
switch(config-router-neighbor)# remote-as 65521
switch(config-router-neighbor)# address-family ipv4 unicast
switch(config-router-neighbor-af)# route-map RM_BGP_PEERNAME_IN in
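As an added example, not part of the benchmark text and not Cisco's own tooling: the Python script below parses a constructed NX-OS running-config excerpt (the names and addresses are invented, the command syntax is the one used in the steps above) and reports every BGP neighbor address-family that has no inbound route-map, references an undefined route-map or prefix-list, or uses a route-map that passes every route (a permit sequence with no match clause, or one matching only a prefix-list that permits 0.0.0.0/0 le 32 with no denies). A transit-style peer whose prefix-list denies bogon ranges ahead of a wide permit is treated as filtering, which is the deny-then-permit pattern discussed above.

```python
"""Check an NX-OS running-config for BGP neighbours that accept routes unfiltered.
Added example for CIS NX-OS 3.1.2.2, not benchmark or Cisco code. Assumes
'show running-config' text with NX-OS two-space nesting; names are constructed."""
import re

# Constructed sample: peer .11 is filtered by a prefix-list, peer .12 uses a route-map
# whose permit sequence has no match clause (passes everything), peer .13 has no
# inbound route-map, transit peer .14 denies bogons before a wide permit (filtering).
SAMPLE_CONFIG = """\
ip prefix-list PL_PEERNAME_PERMIT_SUBNETS description Permitted Subnets from Peer PEERNAME
ip prefix-list PL_PEERNAME_PERMIT_SUBNETS seq 5 permit 10.11.11.0/24
ip prefix-list PL_PEERNAME_PERMIT_SUBNETS seq 10 permit 10.11.12.0/24
ip prefix-list PL_TRANSIT_IN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list PL_TRANSIT_IN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list PL_TRANSIT_IN seq 100 permit 0.0.0.0/0 le 24
route-map RM_BGP_PEERNAME_IN permit 10
  match ip address prefix-list PL_PEERNAME_PERMIT_SUBNETS
route-map RM_ANY_IN permit 10
route-map RM_TRANSIT_IN permit 10
  match ip address prefix-list PL_TRANSIT_IN
router bgp 65520
  neighbor 10.10.10.11
    remote-as 65521
    address-family ipv4 unicast
      route-map RM_BGP_PEERNAME_IN in
  neighbor 10.10.10.12
    remote-as 65522
    address-family ipv4 unicast
      route-map RM_ANY_IN in
  neighbor 10.10.10.13
    remote-as 65523
    address-family ipv4 unicast
  neighbor 10.10.10.14
    remote-as 65524
    address-family ipv4 unicast
      route-map RM_TRANSIT_IN in
"""

PL_RE = re.compile(r"ipv?6? prefix-list (\S+) (?:seq \d+ )?(permit|deny) (\S+)\s*(.*)")
RM_RE = re.compile(r"route-map (\S+) (permit|deny) \d+")
MATCH_RE = re.compile(r"match ipv?6? address prefix-list (.+)")

def parse_tree(config):
    """Turn indented NX-OS config into nested (line, children) nodes."""
    root, stack = [], []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = (raw.strip(), [])
        while stack and stack[-1][0] >= indent:
            stack.pop()
        (stack[-1][1] if stack else root).append(node)
        stack.append((indent, node[1]))
    return root

def permit_all(entries):
    """No deny entry plus 'permit 0.0.0.0/0 le 32' (or '::/0 le 128') matches any route."""
    if any(action == "deny" for action, _, _ in entries):
        return False
    return any(action == "permit" and prefix in ("0.0.0.0/0", "::/0")
               and re.search(r"\ble (32|128)$", mods) for action, prefix, mods in entries)

def inbound_policies(nodes):
    """Yield (neighbor, address-family, inbound route-map or None); descends into vrf stanzas."""
    for text, children in nodes:
        if text.startswith("vrf "):
            yield from inbound_policies(children)
        elif text.startswith("neighbor "):
            for af_text, af_children in children:
                if af_text.startswith("address-family "):
                    rmap = next((t.split()[1] for t, _ in af_children
                                 if t.startswith("route-map ") and t.endswith(" in")), None)
                    yield text.split()[1], af_text.split(None, 1)[1], rmap

def audit(config):
    """Return (neighbor, address-family, issue) for every neighbor AF not filtered inbound."""
    prefix_lists, route_maps, bgp, findings = {}, {}, [], []
    for text, children in parse_tree(config):
        if m := PL_RE.match(text):
            prefix_lists.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := RM_RE.match(text):
            names = []
            for child, _ in children:
                if mm := MATCH_RE.match(child):
                    names += mm[1].split()
            route_maps.setdefault(m[1], []).append((m[2], names))
        elif text.startswith("router bgp "):
            bgp = children
    for neighbor, af, rmap in inbound_policies(bgp):
        if rmap is None:
            findings.append((neighbor, af, "no inbound route-map; every received route is accepted"))
        elif rmap not in route_maps:
            findings.append((neighbor, af, f"inbound route-map {rmap} is not defined"))
        else:
            for action, names in route_maps[rmap]:
                missing = [n for n in names if n not in prefix_lists]
                if missing:
                    findings.append((neighbor, af, f"route-map {rmap} references undefined prefix-list {missing[0]}"))
                # all() over an empty list is True: a permit sequence with no match clause passes everything
                elif action == "permit" and all(permit_all(prefix_lists[n]) for n in names):
                    findings.append((neighbor, af, f"route-map {rmap} has a permit sequence that matches every route"))
    return findings

if __name__ == "__main__":
    for neighbor, af, issue in audit(SAMPLE_CONFIG):
        print(f"FAIL neighbor {neighbor} ({af}): {issue}")
```

Run against a real 'show running-config' capture, the script reports peers .12 and .13 of the sample as unfiltered and stays silent on .11 and .14. It deliberately does not judge how narrow a filter is; a peer whose list permits far more than it should announce still passes, so the prefix-lists themselves need review against the peer's legitimate prefixes.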

Default Value:

BGP filtering is not enabled by default. By default, all routes received from defined peers are accepted as valid.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: 1d40667eee858d3da332c930370a705bc176887716f92f6c5b5422a8eb7b28e3