The Arista BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

An XCCDF Rule

Description

Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized path.

ID: SV-255989r882309_rule
Version: ARST-RT-000030
Severity: Medium
References: CCI-001368
Updated: 15 days ago

Remediation Templates

Configure Arista eBGP routers to reject inbound route advertisements for prefixes that are not allocated to that specific customer.

Step 1: Configure the prefix-list to reject inbound route advertisements belonging to the local AS.

router(config)#ip prefix-list LOCAL_SCOPE_BOUNDARY
router(config-ip-pfx)#seq 10 deny 10.12.0.0/16router(config-ip-pfx)#seq 100 permit 0.0.0.0/0 le32
 
Step 2: Configure a route-map to match the prefix-list.

router(config)#route-map LOCAL_AS deny
router(config-route-map-LOCAL_AS)#match IP address prefix-list LOCAL_SCOPE_BOUNDARY
router(config-route-map-LOCAL_AS)#exit

Step 3: Configure the route-map to be applied inbound to the appropriate BGP neighbor.

router(config)#router bgp 65000
router(config-router-bgp)#neighbor 10.12.0.0 prefix-list LOCAL_SCOPE_BOUNDARY in

The Arista BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Description

Remediation Templates

A Manual Procedure