The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

An XCCDF Rule

Description

Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.

ID: SV-221107r999716_rule
Version: CISC-RT-000530
Severity: Medium
References: CCI-001097
Updated: 6 days ago

Remediation Templates

Step 1: Configure a prefix list for containing all customer and local AS prefixes as shown in the example below:

SW1(config)# ip prefix-list FILTER_CORE_PREFIXES deny x.1.1.0/24 le 32
SW1(config)# ip prefix-list FILTER _CORE_PREFIXES deny x.1.2.0/24 le 32
SW1(config)# ip prefix-list FILTER _CORE_PREFIXES permit 0.0.0.0/0 ge 8
Step 2: Apply the prefix list filter outbound to each CE neighbor as shown in the example below:

SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list FILTER _CORE_PREFIXES out
SW1(config-router-neighbor-af)# exit
SW1(config-router-neighbor)# exit
SW1(config-router)# neighbor x.2.44.4
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list FILTER _CORE_PREFIXES out 
SW1(config-router-neighbor-af)# end

The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Description

Remediation Templates

A Manual Procedure