STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).

DISA Rule

SV-221106r622190_rule

Vulnerability Number

V-221106

Group Title

SRG-NET-000018-RTR-000005

Rule Version

CISC-RT-000520

Severity

CAT II

CCI(s)

• CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Step 1: Configure a prefix list for containing all customer and local AS prefixes as shown in the example below:

SW1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.1.0/24 le 32
SW1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.2.0/24 le 32
SW1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.3.0/24 le 32
SW1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS permit x.13.4.0/24 le 32
…
…
…
SW1(config)#ip prefix-list CE_PREFIX_ADVERTISEMENTS deny 0.0.0.0/0 ge 8

Step 2: Apply the prefix list filter outbound to each CE neighbor as shown in the example below:

SW1(config)#switch bgp 64512
SW1(config-switch)# neighbor x.12.4.14 prefix-list CE_PREFIX_ADVERTISEMENTS out
SW1(config-switch)# neighbor x.12.4.16 prefix-list CE_PREFIX_ADVERTISEMENTS out

Check Contents

Step 1: Verify that a prefix list has been configured containing prefixes belonging to customers as well as the local AS as shown in the example below:

ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 5 permit x.13.1.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 10 permit x.13.2.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 15 permit x.13.3.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 20 permit x.13.4.0/24 le 32
…
…
…
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 80 deny 0.0.0.0/0 ge 8

Step 2: Verify that the prefix lists has been applied to all CE peers as shown in the example below:

router bgp xx
router-id 10.1.1.1
neighbor x.55.14.2 remote-as 64514
password 3 7b07d1b3023056a9
address-family ipv4 unicast
prefix-list CE_PREFIX_ADVERTISEMENTS out
neighbor x.55.14.4 remote-as 64516
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
prefix-list CE_PREFIX_ADVERTISEMENTS out

If the switch is not configured to reject outbound route advertisements that do not belong to any customers or the local AS, this is a finding.

Vulnerability Number

V-221106

Documentable

False

Rule Version

CISC-RT-000520

Severity Override Guidance

Step 1: Verify that a prefix list has been configured containing prefixes belonging to customers as well as the local AS as shown in the example below:

ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 5 permit x.13.1.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 10 permit x.13.2.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 15 permit x.13.3.0/24 le 32
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 20 permit x.13.4.0/24 le 32
…
…
…
ip prefix-list CE_PREFIX_ADVERTISEMENTS seq 80 deny 0.0.0.0/0 ge 8

Step 2: Verify that the prefix lists has been applied to all CE peers as shown in the example below:

router bgp xx
router-id 10.1.1.1
neighbor x.55.14.2 remote-as 64514
password 3 7b07d1b3023056a9
address-family ipv4 unicast
prefix-list CE_PREFIX_ADVERTISEMENTS out
neighbor x.55.14.4 remote-as 64516
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
prefix-list CE_PREFIX_ADVERTISEMENTS out

If the switch is not configured to reject outbound route advertisements that do not belong to any customers or the local AS, this is a finding.

Check Content Reference

M

Target Key

4075

Comments