The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

An XCCDF Rule

Description

<VulnDiscussion>Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216781r531087_rule
Severity: Medium
References: CCI-001097
Updated: 17 days ago

Step 1: Configure a prefix set containing the IP core prefix as shown below.

RP/0/0/CPU0:R2(config)#prefix-set 

Step 2: Configure a prefix set containing the current Bogon prefixes as shown below.
RP/0/0/CPU0:R2(config)#prefix-set CORE_PREFIX
RP/0/0/CPU0:R2(config-pfx)#10.1.1.0/24 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set

Step 3: Configure the route policy to drop route advertisements for IP core prefixes as shown in the example below.

RP/0/0/CPU0:R2(config)#route-policy BGP_FILTER_OUTBOUND
RP/0/0/CPU0:R2(config-rpl)#if destination in CORE_PREFIX then
RP/0/0/CPU0:R2(config-rpl-if)#drop
RP/0/0/CPU0:R2(config-rpl-if)#else
RP/0/0/CPU0:R2(config-rpl-else)#pass
RP/0/0/CPU0:R2(config-rpl-else)#endif
RP/0/0/CPU0:R2(config-rpl)#end-policy

Step 4: Apply the route policy to each external BGP neighbor as shown in the example.

RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.23.3
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast 
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_OUTBOUND out
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.24.4
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast 
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_ OUTBOUND out

The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Description

Remediation - Manual Procedure