CISC-RT-000490 - The Cisco BGP router must be configured to reject inbound route advertisements for any Bogon prefixes - show ip prefix-list

Information

Accepting route advertisements for Bogon prefixes can result in the local autonomous system (AS) becoming a transit for malicious traffic as it will in turn advertise these prefixes to neighbor autonomous systems.

Solution

Configure the router to reject inbound route advertisements for any Bogon prefixes.

Step 1: Configure a prefix set containing the current Bogon prefixes as shown below.

RP/0/0/CPU0:R2(config)#prefix-set BOGON_PREFIXES
RP/0/0/CPU0:R2(config-pfx)#0.0.0.0/8 le 32,
RP/0/0/CPU0:R2(config-pfx)#10.0.0.0/8 le 32,
RP/0/0/CPU0:R2(config-pfx)#100.64.0.0/10 le 32,
RP/0/0/CPU0:R2(config-pfx)#127.0.0.0/8 le 32,
RP/0/0/CPU0:R2(config-pfx)#169.254.0.0/16 le 32,
RP/0/0/CPU0:R2(config-pfx)#172.16.0.0/12 le 32,
RP/0/0/CPU0:R2(config-pfx)#192.0.2.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#192.88.99.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#192.168.0.0/16 le 32,
RP/0/0/CPU0:R2(config-pfx)#198.18.0.0/15 le 32,
RP/0/0/CPU0:R2(config-pfx)#198.51.100.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#203.0.113.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#240.0.0.0/4 le 32,
RP/0/0/CPU0:R2(config-pfx)#224.0.0.0/4 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set

Step 2: Configure the route policy to drop routes with BOGON prefixes as shown in the example below.

RP/0/0/CPU0:R2(config)#route-policy BGP_FILTER
RP/0/0/CPU0:R2(config-rpl)#if destination in BOGON_PREFIXES then
RP/0/0/CPU0:R2(config-rpl-if)#drop
RP/0/0/CPU0:R2(config-rpl-if)#else pass endif
RRP/0/0/CPU0:R2(config-rpl)#end-policy
RP/0/0/CPU0:R2(config)#exit

Step 3: Apply the route policy to each external BGP neighbor as shown in the example.

RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.23.3
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER in
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.24.4
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER in

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|II, CCI|CCI-001368, Rule-ID|SV-216777r531087_rule, STIG-ID|CISC-RT-000490, STIG-Legacy|SV-105899, STIG-Legacy|V-96761, Vuln-ID|V-216777

Plugin: Cisco

Control ID: f0fafefa27a992fba78cb5c412d12b2c963deccd3752e01915ffad8980682579