CISC-RT-000500 - The Cisco BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Information

Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized path.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Step 1: Configure a prefix set containing the current Bogon prefixes as shown below.

RP/0/0/CPU0:R2(config)#prefix-set Step 1: Configure a prefix set containing the current Bogon prefixes as shown below.

RP/0/0/CPU0:R2(config)#prefix-set LOCAL_PREFIX
RP/0/0/CPU0:R2(config-pfx)#x.13.1.0/24 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set

Step 2: Configure the route policy to drop routes with BOGON prefixes as shown in the example below.

RP/0/0/CPU0:R2(config)#route-policy BGP_FILTER_INBOUND
RP/0/0/CPU0:R2(config-rpl)#if destination in LOCAL_PREFIX then
RP/0/0/CPU0:R2(config-rpl-if)#drop
RP/0/0/CPU0:R2(config-rpl-if)#else pass endif
RRP/0/0/CPU0:R2(config-rpl)#end-policy
RP/0/0/CPU0:R2(config)#exit

Step 3: Apply the route policy to each external BGP neighbor as shown in the example.

RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.23.3
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_INBOUND in
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.24.4
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_INBOUND in

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|II, CCI|CCI-001368, Rule-ID|SV-216778r531087_rule, STIG-ID|CISC-RT-000500, STIG-Legacy|SV-105901, STIG-Legacy|V-96763, Vuln-ID|V-216778

Plugin: Cisco

Control ID: 2c3543cb40a540e395e4b8302ad4a485b17734a135f329850487ded74e5716ba