CISC-RT-000300 - The Cisco perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.

Information

If the static routes to the alternate gateway are being redistributed into an Exterior Gateway Protocol or Interior Gateway Protocol to a NIPRNet gateway, this could make traffic on NIPRNet flow to that particular router and not to the Internet Access Point routers. This could not only wreak havoc with traffic flows on NIPRNet, but it could overwhelm the connection from the router to the NIPRNet gateway(s) and also cause traffic destined for outside of NIPRNet to bypass the defenses of the Internet Access Points.

Solution

This requirement is not applicable for the DODIN Backbone.

Configure the router so that static routes are not redistributed to an alternate gateway into either a BGP or any IGP peering with the NIPRNet or to any other autonomous systems. This can be done by excluding that route in the route policy as shown in the example below.

Step 1: Configure a prefix list for any static routes with the alternate gateway as the next-hop address

RP/0/0/CPU0:R3(config)#prefix-set ISP_PREFIX
RP/0/0/CPU0:R3(config-pfx)#x.x.0.0/24 ge 8 le 32
RP/0/0/CPU0:R3(config-pfx)#end-set

Step 2: Configure a route policy

RP/0/0/CPU0:R3(config)#route-policy FILTER_ISP_ROUTES
RP/0/0/CPU0:R3(config-rpl)#if destination in ISP_PREFIX then
RP/0/0/CPU0:R3(config-rpl-if)#drop
RP/0/0/CPU0:R3(config-rpl-if)#else
RP/0/0/CPU0:R3(config-rpl-else)#pass
RP/0/0/CPU0:R3(config-rpl-else)#endif
RP/0/0/CPU0:R3(config-rpl)#end-pol

Step 3: Apply the route policy to the IGP and BGP redistribute static commands as shown in the OSPF example.

RP/0/0/CPU0:R3(config-ospf)#redistribute static route-policy FILTER_ISP_ROUTES

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|III, CCI|CCI-001414, Rule-ID|SV-216758r531087_rule, STIG-ID|CISC-RT-000300, STIG-Legacy|SV-105861, STIG-Legacy|V-96723, Vuln-ID|V-216758

Plugin: Cisco

Control ID: 06f15ddf27dad95f0c0e1e8fb390583ddabeb14fa7f57f05a0dbe504ead413b9