The Dell OS10 BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

An XCCDF Rule

Description

The effects of prefix deaggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix deaggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

ID: SV-269891r1052058_rule
Version: OS10-RTR-000680
Severity: Low
References: CCI-002385
Updated: about 2 months ago

Remediation Templates

Ensure all eBGP routers are configured to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

Step 1: Configure a prefix list for each customer containing prefixes belonging to each.

OS10(config)# ip prefix-list LONG_PREFIX_FILTER permit 0.0.0.0/0 ge 8 le 24
OS10(config)# ip prefix-list LONG_PREFIX_FILTER deny 0.0.0.0/0
Step 2: Configure the route map referencing the configured prefix list.

OS10(config)# route-map LONG_PREFIX_FILTER_MAP 50
OS10(config-route-map)# match ip address prefix-list LONG_PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map outbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 50.1.1.1
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map LONG_PREFIX_FILTER_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# exit

The Dell OS10 BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

Description

Remediation Templates

A Manual Procedure