SV-216782r531087_rule
V-216782
SRG-NET-000018-RTR-000006
CISC-RT-000540
CAT III
10
Configure the router to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.
RP/0/0/CPU0:R2(config)#router bgp 2
RP/0/0/CPU0:R2(config-bgp)#no bgp enforce-first-as disable
Review the router configuration to verify the router is configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.
By default Cisco IOS enforces the first AS in the AS_PATH attribute for all route advertisements. Review the router configuration to verify that the command bgp enforce-first-as disable is not configured as shown in the example below.
router bgp nn
 bgp enforce-first-as disable
If the router is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.
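The check above can be run against a saved copy of the running configuration. The following Python is an added example, not part of the STIG; the function name audit_enforce_first_as and both sample configurations are constructed for illustration, and it assumes top-level stanzas start at column 0 with sub-commands indented.

```python
import re

# Constructed sample configurations (not taken from a real device).
NONCOMPLIANT = """\
router bgp 2
 bgp router-id 10.0.0.2
 bgp enforce-first-as disable
 neighbor 192.0.2.1
  remote-as 1
!
"""
COMPLIANT = """\
router bgp 2
 bgp router-id 10.0.0.2
 neighbor 192.0.2.1
  remote-as 1
!
"""

STANZA = re.compile(r"^router bgp (\S+)")
DISABLE = re.compile(r"^bgp enforce-first-as disable\b")


def audit_enforce_first_as(config_text):
    """Return (asn, line_number) for each BGP stanza that disables the check."""
    findings = []
    asn = None  # AS number of the BGP stanza currently being read, if any
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            if line.startswith("!"):
                asn = None  # a "!" at column 0 closes the top-level stanza
            continue
        if not line[0].isspace():
            # New top-level command: either a BGP stanza or something else.
            match = STANZA.match(line)
            asn = match.group(1) if match else None
            continue
        # Indented sub-command; the "no" form does not match DISABLE.
        if asn is not None and DISABLE.match(line.strip()):
            findings.append((asn, number))
    return findings
```

A non-empty return value corresponds to a finding for this rule; each tuple gives the AS number and the line on which the disable command appears.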