Check: CACI-RT-000002
Cisco ACI Router STIG (version v1 r0.1)
Title
The Cisco ACI BGP must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). (Cat II impact)
Discussion
Accepting route advertisements for prefixes belonging to the local AS can result in traffic looping or being black-holed, or at a minimum taking a non-optimized path. On Cisco APIC the default settings prevent such route loops: sites must use different AS numbers, and if two sites share an AS number, the BGP AS-path loop check drops the routing updates from one site when the other site receives them by default. To keep that protection in place, sites must not enable the "BGP Autonomous System override" feature, which overrides the default, and must not enable "Disable Peer AS Check".
Check Content
Review the switch configuration to verify it will reject routes belonging to the local AS.

Step 1: Verify a prefix list has been configured containing the prefixes belonging to the local AS, and that a route-map references it:

    route-map LOCAL_AS_FILTER permit 10
      match ip address prefix <local-AS-prefix>
      set community no-advertise

Step 2: Verify the route-map is applied to the inbound BGP policy of each peer:

    bgp neighbor <peer-IP>
      address-family ipv4 unicast
        inbound route-map LOCAL_AS_FILTER

If the switch is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.
Fix Text
Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS.

Step 1: From the relevant BGP peer configuration, create a route-map that matches the prefix list of local-AS prefixes:

    route-map LOCAL_AS_FILTER permit 10
      match ip address prefix <local-AS-prefix>
      set community no-advertise

Step 2: Apply the route-map to the inbound BGP policy. Within the inbound policy, the rule matching the local-AS prefix list must explicitly reject any route whose prefix belongs to the local AS:

    bgp neighbor <peer-IP>
      address-family ipv4 unicast
        inbound route-map LOCAL_AS_FILTER

Note that a permit clause that only sets community no-advertise keeps the route in the BGP table and merely stops it from being re-advertised; to drop the route on ingress, as the requirement intends, the clause that matches the local-AS prefix list must be a deny clause, followed by a permit clause for all other prefixes.
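As an added audit helper that is not part of the STIG text, the Python script below parses an NX-OS-style configuration capture and reports, for every BGP neighbor, whether the inbound route-map rejects the local-AS prefix list and whether the as-override or disable-peer-as-check overrides named in the Discussion are set. The configuration, prefix-list, route-map and neighbor names are constructed for illustration; the script treats only a deny clause as rejecting, and flags a permit clause that merely sets no-advertise, which is the caveat noted above.

```python
"""Audit helper for CACI-RT-000002 (added example, not STIG text).
Assumes NX-OS-style syntax; the sample configuration is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: peer 203.0.113.2 is compliant, peer 203.0.113.6 is not.
SAMPLE_CONFIG = """\
ip prefix-list LOCAL_AS_PREFIXES seq 5 permit 10.0.0.0/8 le 32
ip prefix-list LOCAL_AS_PREFIXES seq 10 permit 192.0.2.0/24 le 32
!
route-map LOCAL_AS_FILTER deny 10
  match ip address prefix-list LOCAL_AS_PREFIXES
route-map LOCAL_AS_FILTER permit 20
!
route-map WEAK_FILTER permit 10
  match ip address prefix-list LOCAL_AS_PREFIXES
  set community no-advertise
route-map WEAK_FILTER permit 20
!
router bgp 65001
  neighbor 203.0.113.2 remote-as 65002
    address-family ipv4 unicast
      route-map LOCAL_AS_FILTER in
  neighbor 203.0.113.6 remote-as 65003
    address-family ipv4 unicast
      route-map WEAK_FILTER in
      as-override
"""

LOCAL_AS_PREFIXES = ["10.0.0.0/8", "192.0.2.0/24"]  # assumed local-AS address space


@dataclass
class Clause:
    action: str  # "permit" or "deny"
    seq: int
    prefix_lists: List[str] = field(default_factory=list)
    sets: List[str] = field(default_factory=list)


@dataclass
class Neighbor:
    peer: str
    inbound_map: Optional[str] = None
    as_override: bool = False
    disable_peer_as_check: bool = False


def parse_config(text: str):
    """Extract prefix-lists, route-map clauses and BGP neighbors from config text."""
    prefix_lists: Dict[str, List[Tuple[str, str]]] = {}
    route_maps: Dict[str, List[Clause]] = {}
    neighbors: Dict[str, Neighbor] = {}
    clause: Optional[Clause] = None  # route-map clause currently being filled
    nbr: Optional[Neighbor] = None   # neighbor block currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"ip prefix-list (\S+) seq \d+ (permit|deny) (\S+)", line)
        if m:
            prefix_lists.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = re.match(r"route-map (\S+) (permit|deny) (\d+)$", line)
        if m:
            clause = Clause(m.group(2), int(m.group(3)))
            route_maps.setdefault(m.group(1), []).append(clause)
            nbr = None
            continue
        m = re.match(r"neighbor (\S+)", line)
        if m:
            nbr = neighbors.setdefault(m.group(1), Neighbor(m.group(1)))
            clause = None
            continue
        if clause is not None:
            m = re.match(r"match ip address prefix-list (\S+)", line)
            if m:
                clause.prefix_lists.append(m.group(1))
            elif line.startswith("set "):
                clause.sets.append(line[4:])
        elif nbr is not None:
            m = re.match(r"route-map (\S+) in$", line)
            if m:
                nbr.inbound_map = m.group(1)
            elif line == "as-override":
                nbr.as_override = True
            elif line == "disable-peer-as-check":
                nbr.disable_peer_as_check = True
    return prefix_lists, route_maps, neighbors


def audit(text: str, local_prefixes: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the capture passes the check."""
    prefix_lists, route_maps, neighbors = parse_config(text)
    local = set(local_prefixes)

    def covers_local(pl_name: str) -> bool:
        permitted = {p for action, p in prefix_lists.get(pl_name, []) if action == "permit"}
        return local <= permitted

    findings: List[str] = []
    rejecting = set()  # route-maps with a deny clause matching the local-AS prefix-list
    for name, clauses in route_maps.items():
        for c in clauses:
            if not any(covers_local(pl) for pl in c.prefix_lists):
                continue
            if c.action == "deny":
                rejecting.add(name)
            elif any("no-advertise" in s for s in c.sets):
                # no-advertise keeps the route; it does not reject it on ingress
                findings.append(f"route-map {name} seq {c.seq} permits local-AS prefixes "
                                "and only marks them no-advertise; use a deny clause")
    for peer, n in neighbors.items():
        if n.inbound_map not in rejecting:
            findings.append(f"neighbor {peer}: inbound policy does not reject local-AS prefixes")
        if n.as_override:
            findings.append(f"neighbor {peer}: as-override enabled (overrides AS-path loop check)")
        if n.disable_peer_as_check:
            findings.append(f"neighbor {peer}: disable-peer-as-check enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, LOCAL_AS_PREFIXES) or ["no findings"]:
        print(finding)
```

Run against a real capture by replacing SAMPLE_CONFIG with the output of the show running-config equivalent and LOCAL_AS_PREFIXES with the site's address space; any non-empty result corresponds to a finding under this check.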
Additional Identifiers
Rule ID: SV-272062r1064465_rule
Vulnerability ID: V-272062
Group Title: SRG-NET-000018-RTR-000003
CCIs
Number | Definition
---|---
CCI-001368 | Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
Controls
Number | Title
---|---
AC-4 | Information Flow Enforcement