Check: CACI-RT-000029
Cisco ACI Router STIG:
CACI-RT-000029
(in version v1 r0.1)
Title
The Cisco ACI BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer. (Cat III impact)
Discussion
Prefix de-aggregation, whether initiated by an attacker or by a misconfigured router, occurs when the announcement of a large prefix is fragmented into a collection of smaller, more specific prefix announcements. Its effects can degrade router performance, because each fragment adds an entry to the routing and BGP tables, and can black-hole legitimate traffic, because longest-match forwarding prefers the more specific fragments over the legitimate aggregate and so pulls traffic toward whoever announced them.
Check Content
Review the tenant and L3Out configuration to verify that inbound BGP route advertisements are filtered through a route profile whose match rule references a prefix list, and that the prefix list permits nothing more specific than /24 (or the least significant prefixes issued to the customer), for example:

tenant <tenant_name>
  prefix-list ALLOW_SUBNET
    ip prefix 10.0.0.0/24 permit
  match-rule FILTER_RULE
    match prefix ALLOW_SUBNET

tenant <tenant_name>
  l3extInstP <l3extInstP_name>
    route-profile FILTER_PROFILE

Object names are case sensitive: the match rule must reference the prefix list by its exact name, and the L3Out must reference the route profile by its exact name, or the filter is not applied. If the router is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.
Fix Text
Configure the router to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer. Create a match rule within a route profile that references a prefix list, then apply the route profile to the desired L3Out (external routed network) so that BGP routes received from external networks are accepted only if they match the prefixes defined in the list.

Step 1: Configure a prefix list that permits only the prefixes issued to the customer. Because a prefix list denies anything it does not explicitly permit, an entry for the issued /24 (or for the least significant prefix issued, where that is longer than /24) rejects every more-specific fragment of it; add one entry per issued prefix and do not add entries more specific than what was actually issued.

tenant <tenant_name>
  prefix-list ALLOW_SUBNET
    ip prefix 10.0.0.0/24 permit

Step 2: Create a route profile named FILTER_PROFILE whose match rule references the prefix list.

tenant <tenant_name>
  route-profile FILTER_PROFILE
    match-rule FILTER_RULE
      match prefix ALLOW_SUBNET

Step 3: Apply the route profile to the L3Out.

tenant <tenant_name>
  l3extInstP <l3extInstP_name>
    route-profile FILTER_PROFILE
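As an added illustration, not part of the STIG and not Cisco ACI code, the following Python simulates the decision an inbound prefix filter of this kind makes (accept a received prefix only if a customer-issued block covers it and it is no more specific than /24, or than the issued block itself when that is longer than /24) and audits a prefix list written in the "ip prefix <net> permit" notation used above. The tenant name, the issued blocks, the announcements and the config text are constructed for the example; the de-aggregation helper builds the fragments an attacker or misconfigured router would announce so the filter's behaviour on them can be seen.

```python
"""Simulate the inbound BGP prefix-length filter this STIG requires and
audit a prefix list in the notation shown on the page.

Constructed example for illustration only: not Cisco ACI code, does not
talk to an APIC. All names and addresses are made up.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

MAX_PREFIX_LEN = 24  # the /24 ceiling stated in the STIG title


def accept_prefix(prefix: str, issued: Iterable[str],
                  max_len: int = MAX_PREFIX_LEN) -> Tuple[bool, str]:
    """Decide whether one inbound announcement should be accepted.

    issued: the prefixes actually assigned to the customer.
    Accepted only if an issued block covers the announcement and it is no
    more specific than /max_len; an issued block that is itself longer than
    /max_len (e.g. a /26 assignment) may be announced exactly as issued,
    which is the "least significant prefix issued to the customer" case.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    for block_str in issued:
        block = ipaddress.ip_network(block_str, strict=True)
        if net.version != block.version or not net.subnet_of(block):
            continue
        limit = max(max_len, block.prefixlen)
        if net.prefixlen <= limit:
            return True, f"covered by {block}, /{net.prefixlen} <= /{limit}"
        return False, f"/{net.prefixlen} is more specific than /{limit} for {block}"
    return False, "not covered by any prefix issued to the customer"


def filter_announcements(announcements: Iterable[str], issued: Iterable[str]):
    """Split a batch of received announcements into accepted and rejected."""
    accepted: List[Tuple[str, str]] = []
    rejected: List[Tuple[str, str]] = []
    issued = list(issued)
    for p in announcements:
        ok, why = accept_prefix(p, issued)
        (accepted if ok else rejected).append((p, why))
    return accepted, rejected


def deaggregate(prefix: str, new_len: int) -> List[str]:
    """Fragment a prefix into all of its /new_len subnets, i.e. the
    de-aggregation an attacker or misconfigured router would announce."""
    net = ipaddress.ip_network(prefix, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_len)]


_PREFIX_ENTRY = re.compile(r"^\s*ip prefix (\S+) permit\s*$")


def audit_prefix_list(config_text: str,
                      max_len: int = MAX_PREFIX_LEN) -> List[str]:
    """Return every permitted entry longer than /max_len in a prefix list
    written in the 'ip prefix <net> permit' form shown on the page.
    Only exact entries are understood; the page shows no ge/le modifiers,
    so none are parsed (an assumption of this example)."""
    findings = []
    for line in config_text.splitlines():
        m = _PREFIX_ENTRY.match(line)
        if m and ipaddress.ip_network(m.group(1), strict=True).prefixlen > max_len:
            findings.append(m.group(1))
    return findings


# Constructed sample data: the customer was issued one /24 and one /26.
ISSUED = ["203.0.113.0/24", "198.51.100.64/26"]
SAMPLE_ANNOUNCEMENTS = (
    ["203.0.113.0/24"]                     # legitimate aggregate
    + deaggregate("203.0.113.0/24", 26)    # four /26 fragments of that /24
    + ["198.51.100.64/26",                 # the /26 exactly as issued
       "198.51.100.64/27",                 # more specific than issued
       "192.0.2.0/24"]                     # never issued to this customer
)
SAMPLE_CONFIG = """\
tenant TENANT_A
  prefix-list ALLOW_SUBNET
    ip prefix 203.0.113.0/24 permit
    ip prefix 203.0.113.128/25 permit
"""

if __name__ == "__main__":
    acc, rej = filter_announcements(SAMPLE_ANNOUNCEMENTS, ISSUED)
    print("accepted:", acc)
    print("rejected:", rej)
    print("entries longer than /24:", audit_prefix_list(SAMPLE_CONFIG))
```

Running it accepts the legitimate /24 and the /26 exactly as issued, and rejects the four /26 fragments, the /27, and the block never issued to the customer; the audit flags the /25 entry as the kind of prefix-list line that would make this check a finding.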
Additional Identifiers
Rule ID: SV-272089r1064595_rule
Vulnerability ID: V-272089
Group Title: SRG-NET-000362-RTR-000118
Expert Comments
CCIs
Number | Definition
---|---
CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events.
Controls
Number | Title
---|---
SC-5 | Denial of Service Protection