The Arista BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.

An XCCDF Rule

Description

<VulnDiscussion>Accepting route advertisements for bogon prefixes can result in the local autonomous system (AS) becoming a transit for malicious traffic as it will in turn advertise these prefixes to neighbor autonomous systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-255988r882306_rule
Severity: Medium
References: CCI-001368
Updated: 20 days ago

Step 1: Configure the BGP Bogon Prefix List.

LEAF-1A(config)#ip prefix-list BOGON_v4
LEAF-1A(config-ip-pfx)#seq 1 deny 0.0.0.0/8 le 32
LEAF-1A(config-ip-pfx)#seq 2 deny 10.0.0.0/8 le 32
LEAF-1A(config-ip-pfx)#seq 3 deny 100.64.0.0/10 le 32LEAF-1A(config-ip-pfx)#seq 4 deny 127.0.0.0/8 le 32
LEAF-1A(config-ip-pfx)#seq 5 deny 169.254.0.0/16 le 32
LEAF-1A(config-ip-pfx)#seq 6 deny 172.16.0.0/12 le 32
LEAF-1A(config-ip-pfx)#seq 100 permit 0.0.0.0/0 ge 8

Step 2: Configure the prefix list inbound to the appropriate BGP neighbor.

LEAF-1A(config)#router bgp 65001     
LEAF-1A(config-router-bgp)#neighbor 100.2.1.1 prefix-list BOGON_v4 in

The Arista BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.

Description

Remediation - Manual Procedure