STIGQter STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

DISA Rule

SV-221104r622190_rule

Vulnerability Number

V-221104

Group Title

SRG-NET-000018-RTR-000003

Rule Version

CISC-RT-000500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to reject inbound route advertisements for any prefixes belonging to the local AS.

Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system.

SW1(config)# ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32

Step 2: If not already completed to be compliant with previous requirement, apply the prefix list filter inbound to each external BGP neighbor as shown in the example below:

SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list PREFIX_FILTER in
SW1(config-router-neighbor-af)# exit
SW1(config-router-neighbor)# exit
SW1(config-router)# neighbor x.2.44.4
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list PREFIX_FILTER in
SW1(config-router-neighbor-af)# end

Check Contents

Review the switch configuration to verify that it will reject routes belonging to the local AS.

Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS. In the example below x.13.1.0/24 is the global address space allocated to the local AS.

ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32



ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32
ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8

Step 2: Verify that the prefix list has been applied to all external BGP peers as shown in the example below:

router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
password 3 7b07d1b3023056a9
address-family ipv4 unicast
prefix-list PREFIX_FILTER in
neighbor x.2.44.4 remote-as xx
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
prefix-list PREFIX_FILTER in

If the switch is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.

Vulnerability Number

V-221104

Documentable

False

Rule Version

CISC-RT-000500

Severity Override Guidance

Review the switch configuration to verify that it will reject routes belonging to the local AS.

Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS. In the example below x.13.1.0/24 is the global address space allocated to the local AS.

ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32



ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32
ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8

Step 2: Verify that the prefix list has been applied to all external BGP peers as shown in the example below:

router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
password 3 7b07d1b3023056a9
address-family ipv4 unicast
prefix-list PREFIX_FILTER in
neighbor x.2.44.4 remote-as xx
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
prefix-list PREFIX_FILTER in

If the switch is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.

Check Content Reference

M

Target Key

4075

Comments