OpenControls Logo

STIG Viewer

The RUCKUS ICX BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-273610RCKS-RTR-000430SV-273610r1110922_ruleCCI-001097medium
Description
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.
STIGDate
RUCKUS ICX Router Security Technical Implementation Guide2025-06-03

Details

Check Text (C-273610r1110922_chk)

Review the router configuration to verify there is a filter defined to block route advertisements for prefixes that belong to the IP core. 1. Verify a prefix-list has been configured containing prefixes belonging to the IP core. ip prefix-list FILTER_CORE_PREFIXES seq 10 deny x.1.1.0/24 le 32 ip prefix-list FILTER_CORE_PREFIXES seq 20 deny x.1.2.0/24 le 32 ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8 2. Verify the prefix-list has been applied to all external BGP peers as shown in the example below: router bgp local-as xxxx neighbor x.0.0.1 remote-as yy neighbor x.0.0.1 ao mykeychain address-family ipv4 unicast neighbor x.0.0.1 prefix-list FILTER_CORE_PREFIXES out If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.

Fix Text (F-77606r1109851_fix)

Configure all eBGP routers to filter outbound route advertisements belonging to the IP core. 1. Configure a prefix-list for containing all customer and local AS prefixes as shown in the example below: ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 10 deny x.1.1.0/24 le 32 ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 20 deny x.1.2.0/24 le 32 ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8 2. Apply the prefix-list filter outbound to each neighbor as shown in the following example: ICX(config)#router bgp ICX(config-bgp-router)#neighbor x.0.0.1 prefix-list FILTER_CORE_PREFIXES out