SV-216598r531085_rule
V-216598
SRG-NET-000018-RTR-000003
CISC-RT-000500
CAT II
10
Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS.
Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system.
R1(config)#ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32
Step 2: If not already completed to be compliant with previous requirement, apply the prefix list filter inbound to each external BGP neighbor as shown in the example.
R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 prefix-list PREFIX_FILTER in
R1(config-router)#neighbor x.2.1.7 prefix-list PREFIX_FILTER in
Review the router configuration to verify that it will reject routes belonging to the local AS.
Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS. In the example below x.13.1.0/24 is the global address space allocated to the local AS.
ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32
…
…
…
ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32
ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8
Step 2: Verify that the prefix list has been applied to all external BGP peers as shown in the example below.
router bgp xx
no synchronization
bgp log-neighbor-changes
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 prefix-list PREFIX_FILTER in
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 prefix-list PREFIX_FILTER in
If the router is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.
V-216598
False
CISC-RT-000500
Review the router configuration to verify that it will reject routes belonging to the local AS.
Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS. In the example below x.13.1.0/24 is the global address space allocated to the local AS.
ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32
…
…
…
ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32
ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8
Step 2: Verify that the prefix list has been applied to all external BGP peers as shown in the example below.
router bgp xx
no synchronization
bgp log-neighbor-changes
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 prefix-list PREFIX_FILTER in
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 prefix-list PREFIX_FILTER in
If the router is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.
M
4027