Detections
Analytics
CISC-RT-000500 - The Cisco BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
Information
Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized path.Solution
Step 1: Configure a prefix set containing the current Bogon prefixes as shown below.RP/0/0/CPU0:R2(config)#prefix-set Step 1: Configure a prefix set containing the current Bogon prefixes as shown below.
RP/0/0/CPU0:R2(config)#prefix-set LOCAL_PREFIX
RP/0/0/CPU0:R2(config-pfx)#x.13.1.0/24 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set
Step 2: Configure the route policy to drop routes with BOGON prefixes as shown in the example below.
RP/0/0/CPU0:R2(config)#route-policy BGP_FILTER_INBOUND
RP/0/0/CPU0:R2(config-rpl)#if destination in LOCAL_PREFIX then
RP/0/0/CPU0:R2(config-rpl-if)#drop
RP/0/0/CPU0:R2(config-rpl-if)#else pass endif
RRP/0/0/CPU0:R2(config-rpl)#end-policy
RP/0/0/CPU0:R2(config)#exit
Step 3: Apply the route policy to each external BGP neighbor as shown in the example.
RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.23.3
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_INBOUND in
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.24.4
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_INBOUND in
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y26M04_STIG.zip
Item Details
Audit Name: DISA Cisco IOS XR Router RTR STIG v3r3
Category: ACCESS CONTROL
References: 800-53|AC-4, CAT|II, CCI|CCI-001368, Rule-ID|SV-216778r1117236_rule, STIG-ID|CISC-RT-000500, STIG-Legacy|SV-105901, STIG-Legacy|V-96763, Vuln-ID|V-216778
Plugin: Cisco
Control ID: 0e7d8a9c120cbdee928598a6e6a12bacdaabe68446f5f9c5388ba7717ed98300