STIGQter STIGQter: STIG Summary: Cisco IOS Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).

DISA Rule

SV-216600r531085_rule

Vulnerability Number

V-216600

Group Title

SRG-NET-000018-RTR-000005

Rule Version

CISC-RT-000520

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Step 1: Configure a prefix list for containing all customer and local AS prefixes as shown in the example below.

R1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.1.0/24 le 32
R1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.2.0/24 le 32
R1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.3.0/24 le 32
R1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.4.0/24 le 32



R1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS deny 0.0.0.0/0 ge 8

Check Contents

This requirement is not applicable for the DODIN Backbone.

Step 1: Verify that a prefix list has been configured containing prefixes belonging to customers as well as the local AS as shown in the example below.

ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 5 permit x.13.1.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 10 permit x.13.2.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 15 permit x.13.3.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 20 permit x.13.4.0/24 le 32



ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 80 deny 0.0.0.0/0 ge 8

Step 2: Verify that the prefix lists has been applied to all CE peers as shown in the example below.

router bgp 64512
no synchronization
bgp log-neighbor-changes
neighbor x.12.4.14 remote-as 64514
neighbor x.12.4.14 prefix-list CE_PREFIX_ADVERTISEMENTS out
neighbor x.12.4.16 remote-as 64516
neighbor x.12.4.16 prefix-list CE_PREFIX_ADVERTISEMENTS out

If the router is not configured to reject outbound route advertisements that do not belong to any customers or the local AS, this is a finding.

Vulnerability Number

V-216600

Documentable

False

Rule Version

CISC-RT-000520

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Step 1: Verify that a prefix list has been configured containing prefixes belonging to customers as well as the local AS as shown in the example below.

ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 5 permit x.13.1.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 10 permit x.13.2.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 15 permit x.13.3.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 20 permit x.13.4.0/24 le 32



ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 80 deny 0.0.0.0/0 ge 8

Step 2: Verify that the prefix lists has been applied to all CE peers as shown in the example below.

router bgp 64512
no synchronization
bgp log-neighbor-changes
neighbor x.12.4.14 remote-as 64514
neighbor x.12.4.14 prefix-list CE_PREFIX_ADVERTISEMENTS out
neighbor x.12.4.16 remote-as 64516
neighbor x.12.4.16 prefix-list CE_PREFIX_ADVERTISEMENTS out

If the router is not configured to reject outbound route advertisements that do not belong to any customers or the local AS, this is a finding.

Check Content Reference

M

Target Key

4027

Comments