The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes.
An XCCDF Rule
Description
<VulnDiscussion>Packets with Bogon IP source addresses should never be allowed to traverse the IP core. Bogon IP networks are RFC1918 addresses or address blocks that have never been assigned by the IANA or have been reserved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-220443r863240_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure the perimeter to block inbound packets with Bogon source addresses.
Step 1: Configure an ACL containing the current Bogon prefixes as shown below:
SW1(config)#ip access-list extended FILTER_PERIMETER
SW1(config-ext-nacl)#deny ip 0.0.0.0 0.255.255.255 any log-input