The Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-256020 | ARST-RT-000390 | SV-256020r882402_rule | CCI-001097 | medium |

| Description |
|---|
| Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path. |

| STIG | Date |
|---|---|
| Arista MLS EOS 4.X Router Security Technical Implementation Guide | 2025-02-20 |
Details
Check Text (C-256020r882402_chk)
Review the Arista router configuration to verify a filter is defined to block route advertisements for prefixes that belong to the IP core.
The prefix filter must be referenced outbound on the appropriate BGP neighbor statements.
Step 1: The following example creates an outbound route advertisement filter and applies it on the CE Arista MLS toward the IP core PE (100.1.0.128). An IP prefix list named FILTER_OUT is created that permits only the 172.16.1.0/24 subnet for outbound advertisement; any other prefix, including those belonging to the IP core, is rejected by the prefix list's implicit deny at the end of the list.

```
ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24
```
Step 2: Verify the outbound prefix list is applied to the appropriate BGP neighbor in the BGP process. Execute the command "sh run section router bgp".

```
router bgp 65001
neighbor 100.1.0.128 remote-as 65200
neighbor 100.1.0.128 prefix-list FILTER_OUT out
exit
```
If the Arista router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.
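To apply this check to a whole running-config rather than one neighbor by eye, here is an added Python example (not part of the STIG or Arista's tooling) that parses `show running-config` text, identifies every eBGP neighbor (remote-as differing from the local AS), and flags any neighbor with no outbound prefix-list or whose outbound prefix-list permits a prefix overlapping the IP core. The core address space (100.1.0.0/16) and the configuration excerpt are constructed assumptions for the demonstration.

```python
import ipaddress
import re
# Constructed running-config excerpt, not from a real device: .128 is compliant,
# .129 has no outbound filter, FILTER_BAD permits a core prefix, 10.0.0.2 is iBGP.
SAMPLE_CONFIG = """\
ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24
ip prefix-list FILTER_BAD seq 10 permit 100.1.0.0/16
router bgp 65001
   neighbor 100.1.0.128 remote-as 65200
   neighbor 100.1.0.128 prefix-list FILTER_OUT out
   neighbor 100.1.0.129 remote-as 65200
   neighbor 100.1.0.130 remote-as 65200
   neighbor 100.1.0.130 prefix-list FILTER_BAD out
   neighbor 10.0.0.2 remote-as 65001
"""
# Assumed IP core address space; substitute the real core prefixes.
CORE = [ipaddress.ip_network("100.1.0.0/16")]

def parse(config):
    """Return (local_as, prefix_lists, neighbors) from a running-config."""
    local_as, lists, nbrs = None, {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"^ip prefix-list (\S+) seq \d+ (permit|deny) (\S+)", line):
            net = ipaddress.ip_network(m.group(3), strict=False)
            lists.setdefault(m.group(1), []).append((m.group(2), net))
        elif line.startswith("router bgp "):
            local_as = int(line.split()[2])
        elif line.startswith("neighbor ") and local_as is not None:
            p = line.split()
            nb = nbrs.setdefault(p[1], {"remote_as": None, "out": None})
            if p[2] == "remote-as":
                nb["remote_as"] = int(p[3])
            elif p[2] == "prefix-list" and p[-1] == "out":
                nb["out"] = p[3]
    return local_as, lists, nbrs

def find_findings(config, core=CORE):
    """eBGP neighbors able to leak core prefixes; implicit deny means only permits matter."""
    local_as, lists, nbrs = parse(config)
    out = []
    for addr, nb in nbrs.items():
        if nb["remote_as"] == local_as:
            continue  # iBGP peer: outside this rule's scope
        if nb["out"] is None:
            out.append((addr, "no outbound prefix-list"))
        for action, net in lists.get(nb["out"], []):
            if action == "permit" and any(net.overlaps(c) for c in core):
                out.append((addr, f"{nb['out']} permits core prefix {net}"))
    return out
```

A neighbor filtered by an outbound route-map instead of a prefix-list is reported as unfiltered by this script and needs to be reviewed by hand.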
Fix Text (F-59639r882401_fix)
Configure all eBGP Arista routers to filter outbound route advertisements belonging to the IP core.
Step 1: Configure an outbound route advertisement filter and apply it on the CE Arista MLS toward the IP core PE (100.1.0.128). Configure an IP prefix list named FILTER_OUT that permits only the 172.16.1.0/24 subnet for outbound advertisement, so that core prefixes fall to the prefix list's implicit deny.

```
LEAF-1A(config)#ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24
```
Step 2: Apply the prefix list outbound on the BGP neighbor in the BGP process.

```
LEAF-1A(config)#router bgp 65001
LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 remote-as 65200
LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 prefix-list FILTER_OUT out
LEAF-1A(config-router-bgp)# exit
```