STIGQter: STIG Summary: HP FlexFabric Switch RTR Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020

If Border Gateway Protocol (BGP) is enabled on the HP FlexFabric Switch, the HP FlexFabric Switch must not be a BGP peer with a HP FlexFabric Switch from an Autonomous System belonging to any Alternate Gateway (AG).

DISA Rule

SV-80593r1_rule

Vulnerability Number

V-66103

Group Title

SRG-NET-000019-RTR-000010

Rule Version

HFFS-RT-000004

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure a static route on the perimeter HP FlexFabric Switch to reach the AS of a HP FlexFabric Switch connecting to an Alternate Gateway.

[HP] ip route-static 11.11.11.0 16 12.12.12.2

Check Contents

Review the configuration of the HP FlexFabric Switch connecting to the AG.

Verify there are no BGP neighbors configured to the remote AS that belongs to the AG service provider. There should be no BGP peers displayed.

If there are BGP neighbors configured that belong to the AG service provider, this is a finding.

[HP] display bgp peer ipv4

BGP local FlexFabric Switch ID: 2.2.2.0
Local AS number: 1472
Total number of peers: 1 Peers in established state: 0

* - Dynamically created peer
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
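
The following added example, which is not part of the STIG or of the STIGQter page, automates this check over captured "display bgp peer ipv4" output. The AG AS numbers, the peer rows and the row layout (inferred from the column header shown above) are constructed assumptions; a peer counts as a finding whatever its session state, and a capture whose parsed rows do not match the declared peer count is reported as incomplete rather than passed.

```python
import re

# Row layout inferred from the header "Peer AS MsgRcvd MsgSent OutQ PrefRcv
# Up/Down State"; a leading "*" on dynamically created peers is an assumption.
ROW = re.compile(
    r"^\s*(?P<dyn>\*\s*)?(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<asn>\d+)"
    r"\s+\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+(?P<state>\S+)\s*$"
)
TOTAL = re.compile(r"Total number of peers:\s*(\d+)")

# Constructed values: hypothetical AG service-provider AS numbers and a
# constructed capture using documentation addresses and AS numbers.
AG_ASNS = {64500}
SAMPLE = """\
BGP local FlexFabric Switch ID: 2.2.2.0
Local AS number: 1472
Total number of peers: 2 Peers in established state: 1

* - Dynamically created peer
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

192.0.2.1 64500 0 0 0 0 00:05:12 Connect
198.51.100.7 64510 120 118 0 4 01:10:33 Established
"""


def audit(output, ag_asns):
    """Evaluate captured 'display bgp peer ipv4' output against the check."""
    declared, peers = None, []
    for line in output.splitlines():
        total = TOTAL.search(line)
        if total:
            declared = int(total.group(1))
            continue
        row = ROW.match(line)
        if row:
            peers.append({"peer": row["peer"], "asn": int(row["asn"]),
                          "state": row["state"], "dynamic": bool(row["dyn"])})
    # A configured neighbor is a finding whatever its session state.
    ag_peers = [p for p in peers if p["asn"] in ag_asns]
    # If the summary count is missing or differs from the parsed rows, the
    # capture was truncated or unparsed: review it manually, do not pass it.
    complete = declared is not None and declared == len(peers)
    return {"finding": bool(ag_peers), "ag_peers": ag_peers, "complete": complete}


if __name__ == "__main__":
    print(audit(SAMPLE, AG_ASNS))
```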

Documentable

False

Severity Override Guidance

Review the configuration of the HP FlexFabric Switch connecting to the AG.

Verify there are no BGP neighbors configured to the remote AS that belongs to the AG service provider. There should be no BGP peers displayed.

If there are BGP neighbors configured that belong to the AG service provider, this is a finding.

[HP] display bgp peer ipv4

BGP local FlexFabric Switch ID: 2.2.2.0
Local AS number: 1472
Total number of peers: 1 Peers in established state: 0

* - Dynamically created peer
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

Check Content Reference

M

Target Key

2979
