An error occurred:

Check: CACI-RT-000004

Cisco ACI Router STIG: CACI-RT-000004 (in version v1 r2)

Title

The BGP Cisco ACI must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute. (Cat III impact)

Discussion

Verifying the path a route has traversed will ensure the IP core is not used as a transit network for unauthorized or possibly even internet traffic. All autonomous system boundary routers (ASBRs) must ensure updates received from eBGP peers list their AS number as the first AS in the AS_PATH attribute. An alternative to route maps is to use subnets under the External EPG with the correct route Controls assigned as discussed in vendor documentation (Reference the L3 out white paper).

Check Content

By default, Cisco ACI enforces the first AS in the AS_PATH attribute for all route advertisements. Review the configuration to verify the default BGP configuration on the ACI fabric. 1. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> Route Map for import and export route control. 2. Apply that route MAP to the external EPG in the following location: Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> External EPGs >> Policy >> General >> Route Control Profile. If the device is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.

Fix Text

Configure the device to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute. 1. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> Route Map for import and export route control. 2. Apply that route MAP to the external EPG in the following location: Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> External EPGs >> Policy >> General >> Route Control Profile. Note: An alternative to route maps is to use subnets under the External EPG with the correct route Controls assigned discussed in vendor documentation (Reference the L3 out white paper).

Additional Identifiers

Rule ID: SV-272064r1168097_rule

Vulnerability ID: V-272064

Group Title: SRG-NET-000018-RTR-000006

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001368

Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement