STIGQter STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.

DISA Rule

SV-221030r622190_rule

Vulnerability Number

V-221030

Group Title

SRG-NET-000362-RTR-000117

Rule Version

CISC-RT-000560

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks as shown in the example below:

SW1(config)#router bgp xx
SW1(config-switch)#neighbor x.1.1.9 maximum-prefix nnnnnnn
SW1(config-switch)#neighbor x.2.1.7 maximum-prefix nnnnnnn

Check Contents

Review the switch configuration to verify that the number of received prefixes from each eBGP neighbor is controlled.

router bgp xx
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 maximum-prefix nnnnnnn
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 maximum-prefix nnnnnnn

If the switch is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

Vulnerability Number

V-221030

Documentable

False

Rule Version

CISC-RT-000560

Severity Override Guidance

Review the switch configuration to verify that the number of received prefixes from each eBGP neighbor is controlled.

router bgp xx
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 maximum-prefix nnnnnnn
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 maximum-prefix nnnnnnn

If the switch is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

Check Content Reference

M

Target Key

4074

Comments