SV-221108r622190_rule
V-221108
SRG-NET-000018-RTR-000006
CISC-RT-000540
CAT III
10
Configure the switch to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.
SW1(config)# router bgp xx
SW1(config-router)# enforce-first-as
SW1(config-router)# end
Review the switch configuration to verify the switch is configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.
By default Cisco IOS enforces the first AS in the AS_PATH attribute for all route advertisements. Review the switch configuration to verify that the command "no enforce-first-as" is not configured under the BGP process, as it is in the following example.
router bgp xx
  router-id 10.1.1.1
  no enforce-first-as
If the switch is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.
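The check above can be run against a saved running configuration instead of being read by eye. The following Python is an added example, not part of the STIG text; the sample configurations, AS numbers, addresses and function names are constructed for illustration, and it assumes sub-commands are indented under their "router bgp" line as in a saved config.

```python
import re

# Constructed sample running-configs (not taken from a real device).
COMPLIANT = """\
router bgp 65001
  router-id 10.1.1.1
  neighbor 192.0.2.2
    remote-as 65002
    description no enforce-first-as
interface Ethernet1/1
  no switchport
"""

FINDING = """\
router bgp 65001
  router-id 10.1.1.1
  no enforce-first-as
  neighbor 192.0.2.2
    remote-as 65002
interface Ethernet1/1
  no switchport
"""

BGP_HEADER = re.compile(r"^router bgp (\S+)\s*$")

def bgp_stanzas(config):
    """Yield (asn, stripped sub-commands) for each top-level 'router bgp' stanza."""
    asn, body = None, []
    for line in config.splitlines():
        if line and not line[0].isspace():      # unindented line: new top-level command
            if asn is not None:
                yield asn, body
            m = BGP_HEADER.match(line)
            asn, body = (m.group(1), []) if m else (None, [])
        elif asn is not None:                   # indented line inside a BGP stanza
            body.append(line.strip())
    if asn is not None:
        yield asn, body

def check_enforce_first_as(config):
    """Return AS numbers whose BGP process has 'no enforce-first-as' (a finding)."""
    # Exact match on the whole command, so text in a description does not count.
    return [asn for asn, body in bgp_stanzas(config) if "no enforce-first-as" in body]

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("finding", FINDING)):
        bad = check_enforce_first_as(cfg)
        print(name, "FINDING in AS " + ", ".join(bad) if bad else "not a finding")
```

An empty result means the default enforcement has not been disabled in any BGP process in that configuration.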
V-221108
False
CISC-RT-000540
M
4075