SV-221028r622190_rule
V-221028
SRG-NET-000018-RTR-000006
CISC-RT-000540
CAT III
10
Configure the switch to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.
SW1(config)#router bgp xx
SW1(config-switch)#bgp enforce-first-as
Review the switch configuration to verify the switch is configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.
By default, Cisco IOS enforces the first AS in the AS_PATH attribute for all route advertisements. Review the switch configuration to verify that the command no bgp enforce-first-as is not configured.
router bgp xx
 no synchronization
 no bgp enforce-first-as
If the switch is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.
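The check above can be automated against a saved running-config. The following Python is an added example, not part of the STIG text; the function names, AS numbers and neighbor address are constructed for illustration.

```python
import re

# Constructed running-config excerpts (sample data, not from a real device).
NONCOMPLIANT = """hostname SW1
!
router bgp 65001
 no synchronization
 no bgp enforce-first-as
 neighbor 192.0.2.1 remote-as 65002
!
"""
COMPLIANT = NONCOMPLIANT.replace(" no bgp enforce-first-as\n", "")


def bgp_stanzas(config):
    """Yield (asn, [(lineno, command), ...]) for every 'router bgp' stanza."""
    asn, body = None, []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if line.startswith(" ") and asn is not None:
            body.append((lineno, line.strip()))  # indented child command
            continue
        if asn is not None:                      # non-indented line closes the stanza
            yield asn, body
            asn, body = None, []
        m = re.match(r"router bgp (\S+)$", line)
        if m:
            asn, body = m.group(1), []
    if asn is not None:
        yield asn, body


def enforce_first_as_findings(config):
    """Return (asn, lineno) for each BGP stanza that disables the check.

    The check text states enforcement is the default, so the explicit
    'no' form inside a BGP stanza is the evidence of a finding.
    """
    return [
        (asn, lineno)
        for asn, body in bgp_stanzas(config)
        for lineno, command in body
        if re.fullmatch(r"no\s+bgp\s+enforce-first-as", command)
    ]


if __name__ == "__main__":
    for asn, lineno in enforce_first_as_findings(NONCOMPLIANT):
        print(f"FINDING: router bgp {asn}, line {lineno}: no bgp enforce-first-as")
```

An empty result means no BGP stanza in the supplied configuration carries the `no` form; a configuration with no `router bgp` stanza also returns an empty list.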
V-221028
False
CISC-RT-000540
M
4074