Detections
Analytics
CISC-RT-000470 - The Cisco BGP switch must be configured to check whether a single-hop eBGP peer is directly connected.
Information
As described in RFC 3682, GTSM is designed to protect a switch's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking switches.GTSM is based on the fact that the vast majority of control plane peering is established between adjacent switches; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.
Solution
Remove the command that disables checking whether a single-hop eBGP peer is directly connected for all external BGP neighbors as shown in the example below:SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# no disable-connected-check
SW1(config-router-neighbor)# end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y26M01_STIG.zip
Item Details
Audit Name: DISA Cisco NX OS Switch RTR STIG v3r3
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-221101r999710_rule, STIG-ID|CISC-RT-000470, STIG-Legacy|SV-111021, STIG-Legacy|V-101917, Vuln-ID|V-221101
Plugin: Cisco
Control ID: 740e0eddb3e58563e41528b5ff903ed7c0b7b8be756a5841bb1d1be0c2836d14