CISC-RT-000510 - The Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer.

Information

As a best practice, a service provider should only accept customer prefixes that have been assigned to that customer and any peering autonomous systems. A multi-homed customer with BGP-speaking switches connected to the Internet or other external networks could be breached and used to launch a prefix de-aggregation attack. Without ingress route filtering of customer advertisements, the effectiveness of such an attack could impact the entire IP core and its customers.

Solution

Configure the switch to reject inbound route advertisements from each CE switch for prefixes that are not allocated to that customer.

Step 1: Configure a prefix list for each customer containing only the prefixes allocated to that customer.

SW1(config)#ip prefix-list PREFIX_FILTER_CUST1 permit x.13.1.0/24 le 32
SW1(config)#ip prefix-list PREFIX_FILTER_CUST1 deny 0.0.0.0/0 ge 8
SW1(config)#ip prefix-list PREFIX_FILTER_CUST2 permit x.13.2.0/24 le 32
SW1(config)#ip prefix-list PREFIX_FILTER_CUST2 deny 0.0.0.0/0 ge 8

Step 2: Apply the prefix list filter inbound to each CE neighbor as shown in the example.

SW1(config)#router bgp xx
SW1(config-router)#neighbor x.12.4.14 prefix-list PREFIX_FILTER_CUST1 in
SW1(config-router)#neighbor x.12.4.16 prefix-list PREFIX_FILTER_CUST2 in
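As an added example (not Cisco or DISA code), a Python check that parses a running-config excerpt and reports each CE neighbor whose inbound prefix-list is missing, undefined (as happens when the list name in the neighbor statement does not match the one defined in Step 1), or permits prefixes outside that customer's allocation; the config, neighbor addresses, and allocation table are constructed for the example.

```python
"""Example compliance check for CISC-RT-000510; every address and name here is constructed."""
import ipaddress
import re

# Constructed config: CUST2's list leaks another customer's prefix, 10.1.1.3 has no
# inbound filter, and 10.1.1.4 references a list name that was never defined.
SAMPLE_CONFIG = """
ip prefix-list PREFIX_FILTER_CUST1 seq 5 permit 192.0.2.0/24 le 32
ip prefix-list PREFIX_FILTER_CUST1 seq 10 deny 0.0.0.0/0 ge 8
ip prefix-list PREFIX_FILTER_CUST2 seq 5 permit 198.51.100.0/24 le 32
ip prefix-list PREFIX_FILTER_CUST2 seq 10 permit 203.0.113.0/24
router bgp 64500
 neighbor 10.1.1.1 prefix-list PREFIX_FILTER_CUST1 in
 neighbor 10.1.1.2 prefix-list PREFIX_FILTER_CUST2 in
 neighbor 10.1.1.3 remote-as 64503
 neighbor 10.1.1.4 prefix-list FILTER_PREFIXES_CUST4 in
"""
# Constructed allocation table: CE neighbor address -> prefixes assigned to that customer.
ALLOCATIONS = {"10.1.1.1": ["192.0.2.0/24"], "10.1.1.2": ["198.51.100.0/24"],
               "10.1.1.3": ["203.0.113.0/24"], "10.1.1.4": ["100.64.0.0/24"]}
PL_RE = re.compile(r"^ip prefix-list (\S+)(?: seq \d+)? (permit|deny) (\S+)")
NB_RE = re.compile(r"^\s*neighbor (\S+) prefix-list (\S+) in\s*$")


def parse_prefix_lists(config):
    """Map list name -> [(action, network)] in configuration order."""
    lists = {}
    for m in filter(None, map(PL_RE.match, config.splitlines())):
        net = ipaddress.ip_network(m.group(3), strict=False)
        lists.setdefault(m.group(1), []).append((m.group(2), net))
    return lists


def audit(config, allocations):
    """Return {neighbor: finding}; an empty dict means every CE is compliant."""
    lists = parse_prefix_lists(config)
    filters = {m.group(1): m.group(2)
               for m in filter(None, map(NB_RE.match, config.splitlines()))}
    findings = {}
    for nbr, allocated in allocations.items():
        allowed = [ipaddress.ip_network(p) for p in allocated]
        name = filters.get(nbr)
        if name is None:
            findings[nbr] = "no inbound prefix-list"
        elif name not in lists:
            findings[nbr] = f"prefix-list {name} is undefined"
        else:  # le/ge only widen the mask range, so the entry's network decides policy
            leaks = [str(n) for act, n in lists[name] if act == "permit" and not
                     any(n.version == a.version and n.subnet_of(a) for a in allowed)]
            if leaks:
                findings[nbr] = f"{name} permits unallocated {', '.join(leaks)}"
    return findings
```

Run it against a real `show running-config` export and the provider's allocation records; any neighbor returned by `audit` is an open finding for this control.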

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Switch_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|II, CCI|CCI-001368, Rule-ID|SV-221025r622190_rule, STIG-ID|CISC-RT-000510, STIG-Legacy|SV-110871, STIG-Legacy|V-101767, Vuln-ID|V-221025

Plugin: Cisco

Control ID: 0b902b2183510aab80d4c07d2c6253b57ec6d8b1d5025151553f8d2b09cf94fc