The Dell OS10 BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

An XCCDF Rule

Description

Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.

ID: SV-269877r1052016_rule
Version: OS10-RTR-000430
Severity: Medium
References: CCI-001097
Updated: about 2 months ago

Remediation Templates

Configure all eBGP routers to filter outbound route advertisements belonging to the IP core.

Step 1: Add to the prefix filter list those prefixes belonging to the IP core.

OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq  5 deny 20.0.0.0/24 ge 8 le 32
OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8

Step 2: Configure the route map referencing the configured prefix list.

OS10(config)# route-map CORE_PREFIX_FILTER_MAP 10
OS10(config-route-map)# match ip address prefix-list CORE_PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map inbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 40.1.1.10
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map CORE_PREFIX_FILTER_MAP out
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# template ebgp
OS10(config-router-template)# address-family ipv4 unicast
OS10(config-router-bgp-template-af)# route-map CORE_PREFIX_FILTER_MAP out
OS10(config-router-bgp-template-af)# exit
OS10(config-router-template)# exit
OS10(config-router-bgp-10)# exit

The Dell OS10 BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Description

Remediation Templates

A Manual Procedure