The Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

An XCCDF Rule

Description

<VulnDiscussion>Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256020r882402_rule
Severity: Medium
References: CCI-001097
Updated: 17 days ago

Configure all eBGP Arista routers to filter outbound route advertisements belonging to the IP core.

Step 1: Configure an outbound route advertise filter and configure CE Arista MLS to advertise the filter to IP Core PE (100.1.0.128). Also configure an IP prefix list named FILTER_OUT to specify the 172.16.1.0/24 subnet for outbound route advertisements filtering.

LEAF-1A(config)#ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24 
Step 2: Apply the prefix-list outbound with the BGP neighbor in BGP process.

LEAF-1A(config)#router bgp 65001
LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 remote-as 65200
LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 prefix-list FILTER_OUT out
LEAF-1A(config-router-bgp)# exit

The Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Description

Remediation - Manual Procedure