The BGP Cisco ACI must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272088 | CACI-RT-000028 | SV-272088r1114096_rule | CCI-002385 | medium |
| Description | ||||
| The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements. Maximum prefix limits on peer connections combined with aggressive prefix-size filtering of customers' reachability advertisements will effectively mitigate the de-aggregation risk. BGP maximum prefix must be used on all eBGP routers to limit the number of prefixes that it should receive from a particular neighbor, whether customer or peering AS. Consider each neighbor and how many routes they should be advertising and set a threshold slightly higher than the number expected. | ||||
| STIG | Date | |||
| Cisco ACI Router Security Technical Implementation Guide | 2025-06-18 | |||
Details
Check Text (C-272088r1114096_chk)
Verify the BGP configuration for each tenant:
ip route protocol BGP
View the BGP peer configuration maximum prefix value:
neighbor 10.0.0.1 maximum-prefix nnnnnnn
If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.
Fix Text (F-76045r1114095_fix)
Configure the router to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks as shown in the example below:
For each BGP peer, use the command "neighbor <peer-ip> maximum-prefix <number of prefixes>" within the BGP configuration section, where <peer-ip> is the IP address of the BGP peer and <number of prefixes> is the desired maximum prefix limit to be set; the default maximum prefix limit is typically 20,000 prefixes.