STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

DISA Rule

SV-221107r622190_rule

Vulnerability Number

V-221107

Group Title

SRG-NET-000205-RTR-000006

Rule Version

CISC-RT-000530

Severity

CAT II

CCI(s)

• CCI-001097 - The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.

Weight

10

Fix Recommendation

Step 1: Configure a prefix list for containing all customer and local AS prefixes as shown in the example below:

SW1(config)# ip prefix-list FILTER_CORE_PREFIXES deny x.1.1.0/24 le 32
SW1(config)# ip prefix-list FILTER _CORE_PREFIXES deny x.1.2.0/24 le 32
SW1(config)# ip prefix-list FILTER _CORE_PREFIXES permit 0.0.0.0/0 ge 8

Step 2: Apply the prefix list filter outbound to each CE neighbor as shown in the example below:

SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list FILTER _CORE_PREFIXES out
SW1(config-router-neighbor-af)# exit
SW1(config-router-neighbor)# exit
SW1(config-router)# neighbor x.2.44.4
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# prefix-list FILTER _CORE_PREFIXES out
SW1(config-router-neighbor-af)# end

Check Contents

Step 1: Verify that a prefix list has been configured containing prefixes belonging to the IP core.

ip prefix-list FILTER_CORE_PREFIXES seq 5 deny x.1.1.0/24 le 32
ip prefix-list FILTER _CORE_PREFIXES seq 10 deny x.1.2.0/24 le 32
ip prefix-list FILTER _CORE_PREFIXES seq 15 permit 0.0.0.0/0 ge 8

Step 2: Verify that the prefix lists has been applied to all external BGP peers as shown in the example below:

router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
password 3 7b07d1b3023056a9
address-family ipv4 unicast
FILTER _CORE_PREFIXES out
neighbor x.2.44.4 remote-as xx
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
prefix-list FILTER _CORE_PREFIXES out

If the switch is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.

Vulnerability Number

V-221107

Documentable

False

Rule Version

CISC-RT-000530

Severity Override Guidance

Step 1: Verify that a prefix list has been configured containing prefixes belonging to the IP core.

ip prefix-list FILTER_CORE_PREFIXES seq 5 deny x.1.1.0/24 le 32
ip prefix-list FILTER _CORE_PREFIXES seq 10 deny x.1.2.0/24 le 32
ip prefix-list FILTER _CORE_PREFIXES seq 15 permit 0.0.0.0/0 ge 8

Step 2: Verify that the prefix lists has been applied to all external BGP peers as shown in the example below:

router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
password 3 7b07d1b3023056a9
address-family ipv4 unicast
FILTER _CORE_PREFIXES out
neighbor x.2.44.4 remote-as xx
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
prefix-list FILTER _CORE_PREFIXES out

If the switch is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.

Check Content Reference

M

Target Key

4075

Comments