OpenControls Logo

STIG Viewer

The Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-256020ARST-RT-000390SV-256020r882402_ruleCCI-001097medium
Description
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.
STIGDate
Arista MLS EOS 4.X Router Security Technical Implementation Guide2025-02-20

Details

Check Text (C-256020r882402_chk)

Review the Arista router configuration to verify a filter is defined to block route advertisements for prefixes that belong to the IP core. The prefix filter must be referenced outbound on the appropriate BGP neighbor statements. Step 1: The following example creates an outbound route advertise filter and configures CE Arista MLS to advertise the filter to IP Core PE (100.1.0.128). An IP prefix list named FILTER_OUT is created to specify the 172.16.1.0/24 subnet for outbound route advertisements filtering. ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24 Step 2: Verify the outbound prefix list is applied to the appropriate BGP neighbor in the BGP process. Execute the command "sh run section router bgp". router bgp 65001 neighbor 100.1.0.128 remote-as 65200 neighbor 100.1.0.128 prefix-list FILTER_OUT out exit If the Arista router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.

Fix Text (F-59639r882401_fix)

Configure all eBGP Arista routers to filter outbound route advertisements belonging to the IP core. Step 1: Configure an outbound route advertise filter and configure CE Arista MLS to advertise the filter to IP Core PE (100.1.0.128). Also configure an IP prefix list named FILTER_OUT to specify the 172.16.1.0/24 subnet for outbound route advertisements filtering. LEAF-1A(config)#ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24 Step 2: Apply the prefix-list outbound with the BGP neighbor in BGP process. LEAF-1A(config)#router bgp 65001 LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 remote-as 65200 LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 prefix-list FILTER_OUT out LEAF-1A(config-router-bgp)# exit