CISC-RT-000580 - The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions.

Information

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of the BGP switches. It is easier to construct appropriate ingress filters for switch management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the switch's loopback address instead of the numerous physical interface addresses.

When the loopback address is used as the source for eBGP peering, the BGP session will be harder to hijack since the source address to be used is not known globally, making it more difficult for a hacker to spoof an eBGP neighbor. By using traceroute, a hacker can easily determine the addresses for an eBGP speaker when the IP address of an external interface is used as the source address. The switches within the iBGP domain should also use loopback addresses as the source address when establishing BGP sessions.

Solution

Configure the switch to use its loopback address as the source address for all iBGP peering.

SW1(config)# router bgp xx
SW1(config-router)# neighbor 10.1.12.2
SW1(config-router-neighbor)# update-source lo0
SW1(config-router-neighbor)# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: CONTINGENCY PLANNING

References: 800-53|CP-8, CAT|III, CCI|CCI-004931, Rule-ID|SV-221112r999769_rule, STIG-ID|CISC-RT-000580, STIG-Legacy|SV-111043, STIG-Legacy|V-101939, Vuln-ID|V-221112

Plugin: Cisco

Control ID: de4add2d2dd84d0e37d708098045921f431c80fe87f784a98650298303c4e564