The Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

An XCCDF Rule

Description

Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.

ID: SV-256020r882402_rule
Version: ARST-RT-000390
Severity: Medium
References: CCI-001097
Updated: 5 days ago

Remediation Templates

Configure all eBGP Arista routers to filter outbound route advertisements belonging to the IP core.

Step 1: Configure an outbound route advertise filter and configure CE Arista MLS to advertise the filter to IP Core PE (100.1.0.128). Also configure an IP prefix list named FILTER_OUT to specify the 172.16.1.0/24 subnet for outbound route advertisements filtering.

LEAF-1A(config)#ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24 
Step 2: Apply the prefix-list outbound with the BGP neighbor in BGP process.

LEAF-1A(config)#router bgp 65001
LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 remote-as 65200
LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 prefix-list FILTER_OUT out
LEAF-1A(config-router-bgp)# exit

The Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Description

Remediation Templates

A Manual Procedure