STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:SV-221111r622190_rule
V-221111
SRG-NET-000362-RTR-000118
CISC-RT-000570
CAT III
10
Configure the switch to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.
Step 1: Configure a prefix list to reject any prefix that is longer than /24.
SW1(config)# ip prefix-list FILTER_PREFIX_LENGTH permit 0.0.0.0/0 ge 8 le 24
SW1(config)# ip prefix-list FILTER_PREFIX_LENGTH deny 0.0.0.0/0 le 32
Step 2: Apply the prefix list to all eBGP peers as shown in the example below:
SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list FILTER_PREFIX_LENGTH in
SW1(config-router-neighbor-af)# exit
SW1(config-router-neighbor)# exit
SW1(config-router)# neighbor x.2.44.4
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list FILTER_PREFIX_LENGTH in
SW1(config-router-neighbor-af)# end
Review the switch configuration to determine if it is compliant with this requirement.
Step 1: Verify that a route filter has been configured to reject prefixes longer than /24 or the least significant prefixes issued to the customers as shown in the example below:
ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32
Step 2: Verify that prefix filtering has been applied to each eBGP peer as shown in the example below:
router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
password 3 7b07d1b3023056a9
address-family ipv4 unicast
prefix-list FILTER_PREFIX_LENGTH in
neighbor x.2.44.4 remote-as xx
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
prefix-list FILTER_PREFIX_LENGTH in
If the switch is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.
V-221111
False
CISC-RT-000570
Review the switch configuration to determine if it is compliant with this requirement.
Step 1: Verify that a route filter has been configured to reject prefixes longer than /24 or the least significant prefixes issued to the customers as shown in the example below:
ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32
Step 2: Verify that prefix filtering has been applied to each eBGP peer as shown in the example below:
router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
password 3 7b07d1b3023056a9
address-family ipv4 unicast
prefix-list FILTER_PREFIX_LENGTH in
neighbor x.2.44.4 remote-as xx
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
prefix-list FILTER_PREFIX_LENGTH in
If the switch is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.
M
4075