The Arista BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.

An XCCDF Rule

Description

Accepting route advertisements for bogon prefixes can result in the local autonomous system (AS) becoming a transit for malicious traffic as it will in turn advertise these prefixes to neighbor autonomous systems.

ID: SV-255988r882306_rule
Version: ARST-RT-000020
Severity: Medium
References: CCI-001368
Updated: 5 days ago

Remediation Templates

Step 1: Configure the BGP Bogon Prefix List.

LEAF-1A(config)#ip prefix-list BOGON_v4
LEAF-1A(config-ip-pfx)#seq 1 deny 0.0.0.0/8 le 32
LEAF-1A(config-ip-pfx)#seq 2 deny 10.0.0.0/8 le 32
LEAF-1A(config-ip-pfx)#seq 3 deny 100.64.0.0/10 le 32LEAF-1A(config-ip-pfx)#seq 4 deny 127.0.0.0/8 le 32
LEAF-1A(config-ip-pfx)#seq 5 deny 169.254.0.0/16 le 32
LEAF-1A(config-ip-pfx)#seq 6 deny 172.16.0.0/12 le 32
LEAF-1A(config-ip-pfx)#seq 100 permit 0.0.0.0/0 ge 8

Step 2: Configure the prefix list inbound to the appropriate BGP neighbor.

LEAF-1A(config)#router bgp 65001     
LEAF-1A(config-router-bgp)#neighbor 100.2.1.1 prefix-list BOGON_v4 in

The Arista BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.

Description

Remediation Templates

A Manual Procedure