STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:SV-221101r622190_rule
V-221101
SRG-NET-000362-RTR-000124
CISC-RT-000470
CAT III
10
Remove the command that disables checking whether a single-hop eBGP peer is directly connected for all external BGP neighbors as shown in the example below:
SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# no disable-connected-check
SW1(config-router-neighbor)# end
Review the BGP configuration to verify that checking whether a single-hop eBGP peer is directly connected. The example below disables this mechanism.
router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
disable-connected-check
address-family ipv4 unicast
Note: BGP triggers a connection check automatically for all eBGP peers that are known to be a single hop away, unless this check is disabled with the disable-connected-check command. BGP does not bring up sessions if the check fails.
If the switch is configured to disable checking whether a single-hop eBGP peer is directly connected, this is a finding.
V-221101
False
CISC-RT-000470
Review the BGP configuration to verify that checking whether a single-hop eBGP peer is directly connected. The example below disables this mechanism.
router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
disable-connected-check
address-family ipv4 unicast
Note: BGP triggers a connection check automatically for all eBGP peers that are known to be a single hop away, unless this check is disabled with the disable-connected-check command. BGP does not bring up sessions if the check fails.
If the switch is configured to disable checking whether a single-hop eBGP peer is directly connected, this is a finding.
M
4075