CISC-RT-000490 - The Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes - 100.64.0.0

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Accepting route advertisements for Bogon prefixes can result in the local autonomous system (AS) becoming a transit for malicious traffic as it will in turn advertise these prefixes to neighbor autonomous systems.

Solution

Configure the switch to reject inbound route advertisements for any Bogon prefixes.

Step 1: Configure a prefix list containing the current Bogon prefixes as shown below:

SW1(config)# ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 10 deny 10.0.0.0/8 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 15 deny 100.64.0.0/10 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 20 deny 127.0.0.0/8 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 25 deny 169.254.0.0/16 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 30 deny 172.16.0.0/12 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 35 deny 192.0.2.0/24 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 40 deny 192.88.99.0/24 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 45 deny 192.168.0.0/16 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 50 deny 198.18.0.0/15 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 55 deny 198.51.100.0/24 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 60 deny 203.0.113.0/24 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 65 deny 224.0.0.0/4 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 70 deny 240.0.0.0/4 le 32
SW1(config)# ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8

Step 2: Apply the prefix list filter inbound to each external BGP neighbor as shown in the example below:

SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list PREFIX_FILTER in
SW1(config-router-neighbor-af)# exit
SW1(config-router-neighbor)# exit
SW1(config-router)# neighbor x.2.44.4
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list PREFIX_FILTER in
SW1(config-router-neighbor-af)# end

Route Map Alternative

Step 1: Configure the route map referencing the configured prefix list above.

SW1(config)# route-map FILTER_PREFIX_MAP permit 10
SW1(config-route-map)# match ip address prefix-list PREFIX_FILTER
SW1(config-route-map)# exit

Step 2: Apply the route-map inbound to each external BGP neighbor as shown in the example below:

SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# route-map FILTER_PREFIX_MAP in
SW1(config-router-neighbor-af)# exit
SW1(config-router-neighbor)# exit
SW1(config-router)# neighbor x.2.44.4
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# route-map FILTER_PREFIX_MAP in
SW1(config-router-neighbor-af)# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y21M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|II, CCI|CCI-001368, Rule-ID|SV-221103r622190_rule, STIG-ID|CISC-RT-000490, STIG-Legacy|SV-111025, STIG-Legacy|V-101921, Vuln-ID|V-221103

Plugin: Cisco

Control ID: a7048199f81d4aaa7cfd3d12fdf2fd08a9a18182ba5558143208d04724c8ab34