STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.

DISA Rule

SV-216782r531087_rule

Vulnerability Number

V-216782

Group Title

SRG-NET-000018-RTR-000006

Rule Version

CISC-RT-000540

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the router to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.

RP/0/0/CPU0:R2(config)#router bgp 2
RP/0/0/CPU0:R2(config-bgp)#no bgp enforce-first-as disable
RP/0/0/CPU0:R2(config-bgp)#commit

Check Contents

Review the router configuration to verify the router is configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.

By default Cisco IOS XR enforces the first AS in the AS_PATH attribute for all route advertisements received from eBGP peers; the protection is only lost if it has been explicitly turned off. Review the router configuration (for example, the output of show running-config router bgp) and verify that the command bgp enforce-first-as disable is not present under the BGP process. A configuration such as the one below has the enforcement turned off:

router bgp nn
bgp enforce-first-as disable

If the router is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.
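The check above is a configuration audit, and the fix is a single knob under the BGP process. The following is an added example (not DISA or Cisco code, and not part of the STIG) that automates both: it parses a saved IOS XR running configuration, reports whether the BGP process carries the bgp enforce-first-as disable line, emits the remediation commands, and models what the enforcement actually does to an eBGP UPDATE whose leftmost AS is not the peer's AS. The two sample configurations, the hostnames, AS numbers and neighbor addresses are constructed for illustration; the stanza parser assumes the standard IOS XR layout (one-space indentation under a top-level command, a column-0 ! closing the stanza) and only looks at the first router bgp process.

```python
"""Audit a Cisco IOS XR config for CISC-RT-000540 (bgp enforce-first-as).

Added example, not from the STIG or from Cisco. The configs below are
constructed samples, not captures from a real device.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: enforcement explicitly turned off (a CAT III finding).
NONCOMPLIANT_CONFIG = """\
hostname R2
router bgp 2
 bgp enforce-first-as disable
 bgp router-id 10.0.0.2
 neighbor 192.0.2.1
  remote-as 65001
  address-family ipv4 unicast
  !
 !
!
"""

# Constructed sample: default behaviour, nothing to remediate.
COMPLIANT_CONFIG = """\
hostname R2
router bgp 2
 bgp router-id 10.0.0.2
 neighbor 192.0.2.1
  remote-as 65001
  address-family ipv4 unicast
  !
 !
!
"""

ROUTER_BGP_RE = re.compile(r"^router bgp (\d+)\s*$")
DISABLE_RE = re.compile(r"^\s*bgp enforce-first-as disable\s*$")


def bgp_stanza(config: str) -> Tuple[Optional[int], List[str]]:
    """Return (local AS, body lines) of the first 'router bgp' stanza.

    IOS XR indents everything belonging to a top-level command; the stanza
    ends at the first column-0 line (usually a lone '!').
    """
    lines = config.splitlines()
    for i, line in enumerate(lines):
        m = ROUTER_BGP_RE.match(line)
        if not m:
            continue
        body = []
        for sub in lines[i + 1:]:
            if not sub.startswith(" "):
                break
            body.append(sub)
        return int(m.group(1)), body
    return None, []


def audit_enforce_first_as(config: str) -> Dict[str, object]:
    """Finding if 'bgp enforce-first-as disable' is present under the BGP process."""
    local_as, body = bgp_stanza(config)
    result: Dict[str, object] = {"bgp_configured": local_as is not None,
                                 "local_as": local_as, "finding": False, "evidence": None}
    for line in body:
        if DISABLE_RE.match(line):
            result["finding"] = True
            result["evidence"] = line.strip()
            break
    return result


def remediation_commands(local_as: int) -> List[str]:
    """IOS XR config-mode commands that restore the default (commit is required on XR)."""
    return [f"router bgp {local_as}", "no bgp enforce-first-as disable", "commit"]


def accept_ebgp_update(peer_as: int, as_path: List[int], enforce_first_as: bool = True) -> bool:
    """Model of the receive-side rule the STIG relies on.

    With enforcement on, an UPDATE from an eBGP peer is accepted only when the
    leftmost AS in AS_PATH equals the peer's configured remote-as. An empty
    AS_PATH has no leftmost AS and is treated as a failure here (simplification).
    """
    if not enforce_first_as:
        return True
    return bool(as_path) and as_path[0] == peer_as


if __name__ == "__main__":
    for name, cfg in (("noncompliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        r = audit_enforce_first_as(cfg)
        print(name, "FINDING" if r["finding"] else "ok", r["evidence"] or "")
        if r["finding"]:
            print("  fix:", " ; ".join(remediation_commands(int(r["local_as"]))))
    # Peer AS 65001 that puts a different AS first on the path gets dropped.
    print("spoofed first AS accepted:", accept_ebgp_update(65001, [65010, 65001]))
```

Feed the audit the saved output of show running-config router bgp from each router; a result with finding set to True is the CAT III finding described in the check, and the printed commands are the fix. The accept_ebgp_update model shows why the knob matters: with enforcement off, a peer in AS 65001 could announce a path beginning with 65010 and the router would take it as if it had come from 65010.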

Severity Override Guidance

Review the router configuration to verify the router is configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.

By default Cisco IOS XR enforces the first AS in the AS_PATH attribute for all route advertisements received from eBGP peers; the protection is only lost if it has been explicitly turned off. Review the router configuration (for example, the output of show running-config router bgp) and verify that the command bgp enforce-first-as disable is not present under the BGP process. A configuration such as the one below has the enforcement turned off:

router bgp nn
bgp enforce-first-as disable

If the router is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.

Check Content Reference

M

Target Key

4029

Comments