The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

An XCCDF Rule

Description

Accepting route advertisements belonging to the local AS can result in traffic looping or being black-holed, or at a minimum, using a non-optimized path.

ID: SV-221104r999713_rule
Version: CISC-RT-000500
Severity: Medium
References: CCI-001368
Updated: 6 days ago

Remediation Templates

Configure the switch to reject inbound route advertisements for any prefixes belonging to the local AS.

Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system.

SW1(config)# ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32
Step 2: If not already completed to be compliant with previous requirement, apply the prefix list filter inbound to each external BGP neighbor as shown in the example below:

SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list PREFIX_FILTER in
SW1(config-router-neighbor-af)# exit
SW1(config-router-neighbor)# exit
SW1(config-router)# neighbor x.2.44.4
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list PREFIX_FILTER in
SW1(config-router-neighbor-af)# end

The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Description

Remediation Templates

A Manual Procedure