STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions.

DISA Rule

SV-221032r622190_rule

Vulnerability Number

V-221032

Group Title

SRG-NET-000512-RTR-000001

Rule Version

CISC-RT-000580

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to use its loopback address as the source address for all iBGP peering.

SW1(config)#router bgp xx
SW1(config-switch)#neighbor 10.1.1.1 update-source Loopback0

Check Contents

Step 1: Review the switch configuration to verify that a loopback address has been configured.

interface Loopback0
ip address 10.1.1.1 255.255.255.255

Step 2: Verify that the loopback interface is used as the source address for all iBGP sessions.

router bgp xx
no synchronization
no bgp enforce-first-as
bgp log-neighbor-changes
redistribute static
neighbor 10.1.1.1 remote-as xx
neighbor 10.1.1.1 password xxxxxxxx
neighbor 10.1.1.1 update-source Loopback0

If the switch does not use its loopback address as the source address for all iBGP sessions, this is a finding.
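The check above can be automated against saved `show running-config` output. The following is an added example (not part of the STIG or of STIGQter): it finds the local AS from `router bgp`, treats every neighbor whose `remote-as` equals that AS as an iBGP peer, and reports each one whose `update-source` is missing or does not name a Loopback that carries an `ip address`. The sample configurations and AS 65000 are constructed placeholders; neighbors defined through peer-groups, templates or nested address-families are not handled.

```python
import re

# Constructed sample configurations (not from the STIG); AS 65000 is a placeholder.
COMPLIANT_CFG = """\
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
router bgp 65000
 neighbor 10.1.1.2 remote-as 65000
 neighbor 10.1.1.2 update-source Loopback0
 neighbor 192.0.2.1 remote-as 64496
"""
NONCOMPLIANT_CFG = """\
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
router bgp 65000
 neighbor 10.1.1.2 remote-as 65000
 neighbor 10.1.1.3 remote-as 65000
 neighbor 10.1.1.3 update-source GigabitEthernet0/0
"""

# Step 1: a Loopback interface whose indented block assigns an ip address.
LOOPBACK_RE = re.compile(
    r"^interface (Loopback\d+)\n(?:[ \t]+.*\n)*?[ \t]+ip address \S+ \S+", re.M)
NEIGHBOR_AS_RE = re.compile(r"^\s*neighbor (\S+) remote-as (\d+)", re.M)
NEIGHBOR_SRC_RE = re.compile(r"^\s*neighbor (\S+) update-source (\S+)", re.M)


def ibgp_update_source_findings(cfg: str) -> list[str]:
    """Return one finding per iBGP neighbor (remote-as == local AS) that is not
    sourced from an addressed loopback; an empty list means compliant."""
    m = re.search(r"^router bgp (\d+)", cfg, re.M)
    if not m:
        return []  # no BGP process: rule not applicable
    local_as = m.group(1)
    loopbacks = set(LOOPBACK_RE.findall(cfg))
    update_src = dict(NEIGHBOR_SRC_RE.findall(cfg))
    findings = []
    for peer, asn in NEIGHBOR_AS_RE.findall(cfg):
        if asn != local_as:
            continue  # eBGP peer: CISC-RT-000580 covers iBGP sessions only
        src = update_src.get(peer)
        if src is None:
            findings.append(f"{peer}: iBGP neighbor has no update-source")
        elif src not in loopbacks:
            findings.append(f"{peer}: update-source {src} is not an addressed Loopback")
    return findings


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CFG), ("noncompliant", NONCOMPLIANT_CFG)):
        print(name, ibgp_update_source_findings(cfg) or "no findings")
```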

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4074

Comments