The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

An XCCDF Rule

Description

Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.

ID: SV-216781r531087_rule
Version: CISC-RT-000530
Severity: Medium
References: CCI-001097
Updated: 5 days ago

Remediation Templates

Step 1: Configure a prefix set containing the IP core prefix as shown below.

RP/0/0/CPU0:R2(config)#prefix-set 

Step 2: Configure a prefix set containing the current Bogon prefixes as shown below.
RP/0/0/CPU0:R2(config)#prefix-set CORE_PREFIX
RP/0/0/CPU0:R2(config-pfx)#10.1.1.0/24 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set

Step 3: Configure the route policy to drop route advertisements for IP core prefixes as shown in the example below.

RP/0/0/CPU0:R2(config)#route-policy BGP_FILTER_OUTBOUND
RP/0/0/CPU0:R2(config-rpl)#if destination in CORE_PREFIX then
RP/0/0/CPU0:R2(config-rpl-if)#drop
RP/0/0/CPU0:R2(config-rpl-if)#else
RP/0/0/CPU0:R2(config-rpl-else)#pass
RP/0/0/CPU0:R2(config-rpl-else)#endif
RP/0/0/CPU0:R2(config-rpl)#end-policy

Step 4: Apply the route policy to each external BGP neighbor as shown in the example.

RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.23.3
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast 
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_OUTBOUND out
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.24.4
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast 
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_ OUTBOUND out

The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Description

Remediation Templates

A Manual Procedure