The BGP Cisco ACI must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272064 | CACI-RT-000004 | SV-272064r1113970_rule | CCI-001368 | low |
| Description | ||||
| Verifying the path a route has traversed will ensure the IP core is not used as a transit network for unauthorized or possibly even internet traffic. All autonomous system boundary routers (ASBRs) must ensure updates received from eBGP peers list their AS number as the first AS in the AS_PATH attribute. Cisco ACI BGP usually enforces the "first-as" rule by default. | ||||
| STIG | Date | |||
| Cisco ACI Router Security Technical Implementation Guide | 2025-06-18 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-4
1.00
- DISA · 1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.3
1.00
- DISA · 1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-001368
1.00
- DISA · 1 · disa_xccdf · related
Details
Check Text (C-272064r1113970_chk)
By default, Cisco ACI enforces the first AS in the AS_PATH attribute for all route advertisements. Review the configuration to verify the default BGP configuration on the ACI fabric is does not explicitly state:
no enforce first-as
If the device is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.
Fix Text (F-76021r1063588_fix)
Configure the device to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.
Remove the configuration item "no enforce first-as".