The NSX-T Tier-0 Gateway must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
An XCCDF Rule
Description
Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized path.
- ID
- SV-251744r810116_rule
- Version
- T0RT-3X-000003
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
To configure a route filter do the following:
From the NSX-T Manager web interface, go to Networking >> Tier-0 Gateways >> edit the target Tier-0 gateway.
Expand Routing and open the IP Prefix List dialog. Edit an existing, or add a new prefix list that contains the prefixes belonging to the local AS to deny them. Click "Save".