OpenControls Logo

STIG Viewer

The Dell OS10 BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-269851OS10-RTR-000030SV-269851r1051938_ruleCCI-001368medium
Description
Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a nonoptimized path.
STIGDate
Dell OS10 Switch Router Security Technical Implementation Guide2024-12-11

Details

Check Text (C-269851r1051938_chk)

Review the router configuration to verify that it will reject routes belonging to the local AS. The prefix filter must be referenced inbound on the appropriate BGP neighbor statements. Step 1: Verify a prefix list has been configured containing the local AS prefixes. ip prefix-list PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32 ... ... ip prefix-list PREFIX_FILTER seq 73 deny 20.10.10.0/24 le 32 ip prefix-list PREFIX_FILTER seq 74 deny 40.10.10.0/24 le 32 ip prefix-list PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8 Step 2: Verify the route map applied to the external neighbors references the configured prefix list shown above. ! route-map PREFIX_FILTER_MAP permit 10 match ip address prefix-list PREFIX_FILTER ! router bgp 10 ! template ebgp ! address-family ipv4 unicast route-map PREFIX_FILTER_MAP in ! neighbor 123.1.1.10 ! address-family ipv4 unicast route-map PREFIX_FILTER_MAP in If the router is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.

Fix Text (F-73785r1051937_fix)

Ensure all eBGP routers are configured to reject inbound route advertisements for any prefixes belonging to the local AS. Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system. OS10(config)# ip prefix-list PREFIX_FILTER seq 73 deny 20.10.10.0/24 le 32 OS10(config)# ip prefix-list PREFIX_FILTER seq 74 deny 40.10.10.0/24 le 32 Step 2: Configure the route map referencing the configured prefix list. OS10(config)# route-map PREFIX_FILTER_MAP 10 OS10(config-route-map)# match ip address prefix-list PREFIX_FILTER OS10(config-route-map)# exit Step 3: Apply the route-map inbound to each external BGP neighbor. OS10(config)# router bgp 10 OS10(config-router-bgp-10)# neighbor 123.1.1.10 OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# route-map PREFIX_FILTER_MAP in OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# exit OS10(config-router-bgp-10)# template ebgp OS10(config-router-template)# address-family ipv4 unicast OS10(config-router-bgp-template-af)# route-map PREFIX_FILTER_MAP in OS10(config-router-bgp-template-af)# exit OS10(config-router-template)# exit OS10(config-router-bgp-10)# exit