STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer.

DISA Rule

SV-221031r622190_rule

Vulnerability Number

V-221031

Group Title

SRG-NET-000362-RTR-000118

Rule Version

CISC-RT-000570

Severity

CAT III

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Configure the switch to limit the prefix size on any route advertisement to /24, or the least significant prefixes issued to the customer.

Step 1: Configure a prefix list to reject any prefix that is longer than /24.

SW1(config)#ip prefix-list FILTER_PREFIX_LENGTH permit 0.0.0.0/0 ge 8 le 24
SW1(config)#ip prefix-list FILTER_PREFIX_LENGTH deny 0.0.0.0/0 le 32

Step 2: Apply the prefix list to all eBGP peers as shown in the example below:

SW1(config)#router bgp xx
SW1(config-switch)#neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in
SW1(config-switch)#neighbor x.2.1.7 prefix-list FILTER_PREFIX_LENGTH in

Check Contents

Review the switch configuration to determine if it is compliant with this requirement.

Step 1: Verify that a route filter has been configured to reject prefixes longer than /24, or the least significant prefixes issued to the customers as shown in the example below:

ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32

Step 2: Verify that prefix filtering has been applied to each eBGP peer as shown in the example:

router bgp xx
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 prefix-list FILTER_PREFIX_LENGTH in

If the switch is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.

Vulnerability Number

V-221031

Documentable

False

Rule Version

CISC-RT-000570

Severity Override Guidance

Review the switch configuration to determine if it is compliant with this requirement.

Step 1: Verify that a route filter has been configured to reject prefixes longer than /24, or the least significant prefixes issued to the customers as shown in the example below:

ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32

Step 2: Verify that prefix filtering has been applied to each eBGP peer as shown in the example:

router bgp xx
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 prefix-list FILTER_PREFIX_LENGTH in

If the switch is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.

Check Content Reference

M

Target Key

4074

Comments