STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The Cisco BGP switch must be configured to use its loopback address as the source address for iBGP peering sessions.

DISA Rule

SV-221112r622190_rule

Vulnerability Number

V-221112

Group Title

SRG-NET-000512-RTR-000001

Rule Version

CISC-RT-000580

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to use its loopback address as the source address for all iBGP peering.

SW1(config)# router bgp xx
SW1(config-router)# neighbor 10.1.12.2
SW1(config-router-neighbor)# update-source lo0
SW1(config-router-neighbor)# end

Check Contents

Step 1: Review the switch configuration to verify that a loopback address has been configured.

interface loopback0
  ip address 10.1.1.1/32

Step 2: Verify that the loopback interface is used as the source address for all iBGP sessions.

router bgp xx
  router-id 10.1.1.1
  address-family ipv4 unicast
  neighbor 10.1.12.2 remote-as xx
    password 3 7b07d1b3023056a9
    update-source loopback0

If the switch does not use its loopback address as the source address for all iBGP sessions, this is a finding.
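The two check steps above can be automated against a saved copy of "show running-config". The following Python script is an added example, not part of the STIG or of STIGQter: it parses the NX-OS configuration hierarchy by indentation, records every loopback interface that carries an IP address (Step 1), collects the BGP neighbors together with their remote-as and update-source, and then reports a finding for every iBGP neighbor (remote AS equal to the local AS) whose update-source is missing, is not a loopback, or names a loopback that has no address (Step 2). The sample configuration embedded in the script is constructed for the example; the AS number 65000, the neighbor addresses and the interface names are assumptions. eBGP neighbors are deliberately out of scope, as they are for the rule itself, and peer templates ("inherit peer") are not resolved.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed NX-OS running-config excerpt (not from a real device).
# 10.1.12.2 is compliant, 10.1.12.3 is an iBGP peer with no update-source,
# 192.0.2.1 is an eBGP peer and therefore outside the scope of this rule.
SAMPLE_CONFIG = """\
interface loopback0
  ip address 10.1.1.1/32

router bgp 65000
  router-id 10.1.1.1
  address-family ipv4 unicast
  neighbor 10.1.12.2
    remote-as 65000
    password 3 7b07d1b3023056a9
    update-source loopback0
    address-family ipv4 unicast
  neighbor 10.1.12.3
    remote-as 65000
    address-family ipv4 unicast
  neighbor 192.0.2.1
    remote-as 64500
    update-source Ethernet1/1
    address-family ipv4 unicast
"""

LOOPBACK_RE = re.compile(r"^(?:loopback|lo)(\d+)$", re.IGNORECASE)


def canonical_loopback(name: str) -> Optional[str]:
    """Map 'lo0' / 'Loopback0' / 'loopback0' to 'loopback0'; None if not a loopback."""
    m = LOOPBACK_RE.match(name)
    return f"loopback{m.group(1)}" if m else None


@dataclass
class Neighbor:
    address: str
    remote_as: Optional[str] = None
    update_source: Optional[str] = None


def parse_config(text: str) -> Tuple[Dict[str, Optional[str]], Optional[str], List[Neighbor]]:
    """Return (loopbacks {name: ip or None}, local BGP AS, BGP neighbors)."""
    loopbacks: Dict[str, Optional[str]] = {}
    local_as: Optional[str] = None
    neighbors: List[Neighbor] = []
    cur_if: Optional[str] = None      # loopback interface block being read
    cur_nbr: Optional[Neighbor] = None
    nbr_indent = 0                    # indentation of the current neighbor line
    in_bgp = False
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:               # a new top-level block starts
            cur_if, cur_nbr, in_bgp = None, None, False
            m = re.match(r"interface\s+(\S+)$", cmd, re.I)
            if m and canonical_loopback(m.group(1)):
                cur_if = canonical_loopback(m.group(1))
                loopbacks.setdefault(cur_if, None)
                continue
            m = re.match(r"router\s+bgp\s+(\S+)$", cmd, re.I)
            if m:
                in_bgp, local_as = True, m.group(1)
            continue
        if cur_if is not None:        # inside a loopback interface block
            m = re.match(r"ip\s+address\s+(\S+)", cmd, re.I)
            if m:
                loopbacks[cur_if] = m.group(1)
            continue
        if not in_bgp:
            continue
        if cur_nbr is not None and indent <= nbr_indent:
            cur_nbr = None            # left the neighbor sub-mode
        # Accept both "neighbor X" and the one-line "neighbor X remote-as N" form.
        m = re.match(r"neighbor\s+(\S+)(?:\s+remote-as\s+(\S+))?$", cmd, re.I)
        if m:
            cur_nbr = Neighbor(m.group(1), m.group(2))
            nbr_indent = indent
            neighbors.append(cur_nbr)
            continue
        if cur_nbr is None:
            continue
        m = re.match(r"remote-as\s+(\S+)$", cmd, re.I)
        if m:
            cur_nbr.remote_as = m.group(1)
            continue
        m = re.match(r"update-source\s+(\S+)$", cmd, re.I)
        if m:
            cur_nbr.update_source = m.group(1)
    return loopbacks, local_as, neighbors


def check_ibgp_update_source(text: str) -> Tuple[List[str], int]:
    """Evaluate CISC-RT-000580. Returns (findings, number of iBGP neighbors checked)."""
    loopbacks, local_as, neighbors = parse_config(text)
    findings: List[str] = []
    if not any(loopbacks.values()):
        findings.append("Step 1: no loopback interface with an IP address is configured")
    checked = 0
    for n in neighbors:
        # iBGP only: remote AS equal to the local AS (compared as written, so
        # mixing asplain and asdot notation would be reported as eBGP).
        if local_as is None or n.remote_as != local_as:
            continue
        checked += 1
        if n.update_source is None:
            findings.append(f"iBGP neighbor {n.address}: no update-source configured")
            continue
        lb = canonical_loopback(n.update_source)
        if lb is None:
            findings.append(f"iBGP neighbor {n.address}: update-source {n.update_source} is not a loopback")
        elif loopbacks.get(lb) is None:
            findings.append(f"iBGP neighbor {n.address}: update-source {lb} has no IP address configured")
    return findings, checked


if __name__ == "__main__":
    findings, checked = check_ibgp_update_source(SAMPLE_CONFIG)
    print(f"iBGP neighbors checked: {checked}")
    for f in findings:
        print("FINDING:", f)
    if not findings:
        print("Not a finding")
```

Run against the embedded sample it checks two iBGP neighbors and reports one finding for 10.1.12.3; replace SAMPLE_CONFIG with the text of "show running-config" from the switch under review to evaluate a real device.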

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4075

Comments