The Arista BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

An XCCDF Rule

Description

<VulnDiscussion>Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized path.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-255989r882309_rule
Severity: Medium
References: CCI-001368
Updated: 17 days ago

Configure Arista eBGP routers to reject inbound route advertisements for prefixes that are not allocated to that specific customer.

Step 1: Configure the prefix-list to reject inbound route advertisements belonging to the local AS.

router(config)#ip prefix-list LOCAL_SCOPE_BOUNDARY
router(config-ip-pfx)#seq 10 deny 10.12.0.0/16router(config-ip-pfx)#seq 100 permit 0.0.0.0/0 le32
 
Step 2: Configure a route-map to match the prefix-list.

router(config)#route-map LOCAL_AS deny
router(config-route-map-LOCAL_AS)#match IP address prefix-list LOCAL_SCOPE_BOUNDARY
router(config-route-map-LOCAL_AS)#exit

Step 3: Configure the route-map to be applied inbound to the appropriate BGP neighbor.

router(config)#router bgp 65000
router(config-router-bgp)#neighbor 10.12.0.0 prefix-list LOCAL_SCOPE_BOUNDARY in

The Arista BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Description

Remediation - Manual Procedure