STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco BGP switch must be configured to reject route advertisements from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer.

DISA Rule

SV-221029r622190_rule

Vulnerability Number

V-221029

Group Title

SRG-NET-000018-RTR-000010

Rule Version

CISC-RT-000550

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to reject updates from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer.

Step 1: Configure the as-path ACL as shown in the example below:

SW1(config)#ip as-path access-list 10 permit ^yy$
SW1(config)#ip as-path access-list 10 deny .*

Step 2: Apply the as-path filter inbound as shown in the example below:

SW1(config)#router bgp xx
SW1(config-router)#neighbor x.1.4.12 filter-list 10 in

Check Contents

Review the switch configuration to verify the switch is configured to deny updates received from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer.

Step 1: Review the switch configuration and verify that an as-path access-list is defined that accepts only routes whose AS_PATH consists of the CE switch's own AS (the AS that originated the route) and denies everything else. The configuration should look similar to the following:

ip as-path access-list 10 permit ^yy$
ip as-path access-list 10 deny .*

Note: The characters “^” and “$” representing the beginning and the end of the expression respectively are optional and are implicitly defined if omitted.

Step 2: Verify that the as-path access-list is referenced by the filter-list inbound for the appropriate BGP neighbors as shown in the example below:

router bgp xx
neighbor x.1.4.12 remote-as yy
neighbor x.1.4.12 filter-list 10 in

If the switch is not configured to reject updates from CE switches with an originating AS in the AS_PATH attribute that does not belong to that customer, this is a finding.
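The following is an added example written for this page; it is not part of the STIG, of STIGQter, or of any Cisco tool. It parses a constructed IOS-style configuration (all AS numbers and addresses are made up), evaluates each as-path access-list the way IOS does (first matching entry wins, unmatched paths are denied), and reports per eBGP neighbor whether Check Contents Steps 1 and 2 are met. It also runs the ^yy$ / deny .* pair from the Fix Recommendation against several sample AS_PATH strings so a reviewer can see exactly which paths that pattern accepts.

```python
"""Compliance check for CISC-RT-000550: inbound as-path filtering of CE neighbors.

Constructed example written for this page; it is not part of the STIG, of
STIGQter, or of any Cisco tool. All AS numbers and addresses below are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed IOS-style configuration snippet (not taken from a real device).
SAMPLE_CONFIG = """\
ip as-path access-list 10 permit ^65001$
ip as-path access-list 10 deny .*
ip as-path access-list 20 permit .*
!
router bgp 64512
 neighbor 192.0.2.12 remote-as 65001
 neighbor 192.0.2.12 filter-list 10 in
 neighbor 192.0.2.13 remote-as 65002
 neighbor 192.0.2.13 filter-list 20 in
 neighbor 192.0.2.14 remote-as 65003
"""

AclEntry = Tuple[str, str]  # (action, regex)


@dataclass
class Neighbor:
    address: str
    remote_as: Optional[int] = None
    filter_list_in: Optional[int] = None


def parse_config(text: str):
    """Return (local AS, as-path ACLs, neighbors) from a config snippet.
    ACLs map list number -> ordered entries; only the lines this check needs are parsed."""
    local_as = None
    acls: Dict[int, List[AclEntry]] = {}
    neighbors: Dict[str, Neighbor] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip as-path access-list (\d+) (permit|deny) (.+)$", line):
            acls.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"router bgp (\d+)$", line):
            local_as = int(m.group(1))
        elif m := re.match(r"neighbor (\S+) remote-as (\d+)$", line):
            neighbors.setdefault(m.group(1), Neighbor(m.group(1))).remote_as = int(m.group(2))
        elif m := re.match(r"neighbor (\S+) filter-list (\d+) in$", line):
            neighbors.setdefault(m.group(1), Neighbor(m.group(1))).filter_list_in = int(m.group(2))
    return local_as, acls, neighbors


def acl_permits(acl: List[AclEntry], as_path: str) -> bool:
    """Evaluate an as-path ACL against an AS_PATH string such as "65001 65010".
    First matching entry wins and an unmatched path is denied, as on IOS. Python's
    re is a close enough stand-in for the ^, $ and .* used on this page; IOS's "_"
    delimiter metacharacter is not translated."""
    for action, regex in acl:
        if re.search(regex, as_path):
            return action == "permit"
    return False


def path_decisions(acl: List[AclEntry], paths: List[str]) -> Dict[str, bool]:
    """Map each sample AS_PATH string to the ACL's permit (True) / deny (False) decision."""
    return {p: acl_permits(acl, p) for p in paths}


def restricts_to_customer_as(acl: List[AclEntry], asn: int) -> bool:
    """True if the ACL permits a path made of the customer's AS alone and denies an
    empty path, a foreign AS, and paths where a foreign AS appears before or after
    the customer's AS (the behaviour the STIG's ^yy$ / deny .* pair gives)."""
    own, other = str(asn), str(asn + 1)  # asn + 1 stands in for "some other AS"
    return (acl_permits(acl, own)
            and not acl_permits(acl, "")
            and not acl_permits(acl, other)
            and not acl_permits(acl, f"{other} {own}")
            and not acl_permits(acl, f"{own} {other}"))


def evaluate_neighbors(text: str) -> Dict[str, str]:
    """Per eBGP neighbor, 'compliant' or a 'finding: ...' reason (Check Contents Steps 1-2)."""
    local_as, acls, neighbors = parse_config(text)
    verdicts: Dict[str, str] = {}
    for addr, nb in neighbors.items():
        if nb.remote_as is None or nb.remote_as == local_as:
            continue  # iBGP peers are not CE neighbors; the rule does not apply to them
        if nb.filter_list_in is None:
            verdicts[addr] = "finding: no inbound filter-list"
        elif nb.filter_list_in not in acls:
            verdicts[addr] = f"finding: as-path access-list {nb.filter_list_in} is not defined"
        elif not restricts_to_customer_as(acls[nb.filter_list_in], nb.remote_as):
            verdicts[addr] = (f"finding: as-path access-list {nb.filter_list_in} "
                              f"does not restrict AS_PATH to AS {nb.remote_as}")
        else:
            verdicts[addr] = "compliant"
    return verdicts


if __name__ == "__main__":
    for addr, verdict in evaluate_neighbors(SAMPLE_CONFIG).items():
        print(addr, verdict)
```

Run against the constructed snippet, neighbor 192.0.2.12 is compliant (list 10 is the STIG's permit ^yy$ / deny .* pair for its remote AS), 192.0.2.13 is a finding because list 20 permits any path, and 192.0.2.14 is a finding because it has no inbound filter-list. The path_decisions helper shows that ^65001$ accepts only the bare path "65001" and rejects "65001 65001", "65010 65001", "65001 65010", "165001" and an empty path.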

Severity Override Guidance

Identical to the Check Contents above.

Check Content Reference

M

Target Key

4074

Comments