The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

An XCCDF Rule

Description

<VulnDiscussion>Accepting route advertisements belonging to the local AS can result in traffic looping or being black-holed, or at a minimum, using a non-optimized path.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-221024r622190_rule
Severity: Medium
References: CCI-001368
Updated: 17 days ago

Review the switch configuration to verify that it will reject routes belonging to the local AS.

Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS.

Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system.
SW1(config)#ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32

Step 2: If not already completed to be compliant with previous requirement, apply the prefix list filter inbound to each external BGP neighbor as shown in the example.

SW1(config)#switch bgp xx
SW1(config-switch)#neighbor x.1.1.9 prefix-list PREFIX_FILTER in
SW1(config-switch)#neighbor x.2.1.7 prefix-list PREFIX_FILTER in
SW1(config-switch)#end

The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Description

Remediation - Manual Procedure