STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.

DISA Rule

SV-221110r622190_rule

Vulnerability Number

V-221110

Group Title

SRG-NET-000362-RTR-000117

Rule Version

CISC-RT-000560

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Configure the switch to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks as shown in the example below:

SW1(config)# router bgp xx
SW1(config-router)# neighbor x.1.12.2
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# maximum-prefix nnnnnnn
SW1(config-router-neighbor-af)# exit
SW1(config-router-neighbor)# exit
SW1(config-router)# neighbor x.2.44.4
SW1(config-router-neighbor)# address-family ipv4 unicast
SW1(config-router-neighbor-af)# maximum-prefix nnnnnnn
SW1(config-router-neighbor-af)# end

Check Contents

Review the switch configuration to verify that the number of received prefixes from each eBGP neighbor is controlled.

router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
password 3 7b07d1b3023056a9
address-family ipv4 unicast
maximum-prefix nnnnnnn
neighbor x.2.44.4 remote-as xx
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
maximum-prefix nnnnnnn

If the switch is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

Vulnerability Number

V-221110

Documentable

False

Rule Version

CISC-RT-000560

Severity Override Guidance

Review the switch configuration to verify that the number of received prefixes from each eBGP neighbor is controlled.

router bgp xx
router-id 10.1.1.1
neighbor x.1.12.2 remote-as xx
password 3 7b07d1b3023056a9
address-family ipv4 unicast
maximum-prefix nnnnnnn
neighbor x.2.44.4 remote-as xx
password 3 f07a10cb41db8bb6f8f0a340049a9b02
address-family ipv4 unicast
maximum-prefix nnnnnnn

If the switch is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

Check Content Reference

M

Target Key

4075

Comments