Cisco ACI Router STIG Version Comparison
Cisco ACI Router Security Technical Implementation Guide
Comparison
There are 11 differences between versions v1 r0.1 (Feb. 7, 2025) (the "left" version) and v1 r1 (May 27, 2025) (the "right" version).
Check CACI-RT-000002 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
The regular view of the left check and right check may be easier to read.
Text Differences
Title
The BGP Cisco ACI must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
Check Content
Review the switch configuration to verify it will reject routes belonging to the local AS.

Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS.

route-map LOCAL_AS_FILTER permit 10
 match ip address prefix <local-AS-prefix>
 set community no-advertise

Step 2: Review that the route-map is applied to the inbound BGP policy.

bgp neighbor <peer-IP> address-family ipv4 unicast inbound route-map LOCAL_AS_FILTER

If the switch is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.
Discussion
Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a nonoptimized path. For Cisco APIC, the default setting is to prevent route loops from occurring. Sites must use different AS numbers. If this occurs, routing updates from one site are dropped by default when the other site receives them. To prevent such a situation from occurring, sites must not enable the "BGP Autonomous System override" feature to override the default setting. They must also not enable the "Disable Peer AS Check".
Fix
Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS.

Step 1: From the relevant BGP peer configuration, create a route-map to filter local AS prefixes.

route-map LOCAL_AS_FILTER permit 10
 match ip address prefix <local-AS-prefix>
 set community no-advertise

Step 2: Apply the route-map to the inbound BGP policy. Within the inbound policy, add a prefix filter rule that explicitly rejects any routes with a prefix matching the local AS number.

bgp neighbor <peer-IP> address-family ipv4 unicast inbound route-map MY_LOCAL_AS_FILTER
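As an added example, not part of the STIG text or any Cisco tooling, the following Python audit applies the Check Content and Fix steps above to a constructed configuration excerpt written in the STIG's generic route-map/prefix-list syntax: it confirms that each IPv4 unicast BGP peer has an inbound route-map, that the route-map exists and matches a prefix list covering the local-AS prefixes, and that it sets community no-advertise. The peer addresses, the prefix-list name LOCAL_AS_PREFIXES and the 10.10.0.0/16 local prefix are assumptions.

```python
import re

# Constructed sample config modelled on the STIG's check text; not a real device export.
SAMPLE_CONFIG = """ip prefix-list LOCAL_AS_PREFIXES seq 5 permit 10.10.0.0/16 le 24
route-map LOCAL_AS_FILTER permit 10
 match ip address prefix LOCAL_AS_PREFIXES
 set community no-advertise
bgp neighbor 192.0.2.1 address-family ipv4 unicast inbound route-map LOCAL_AS_FILTER
bgp neighbor 192.0.2.2 address-family ipv4 unicast"""

def parse_prefix_lists(config):
    # prefix-list name -> permitted prefixes ('le'/'ge' length qualifiers are not modelled)
    lists = {}
    for m in re.finditer(r"^ip prefix-list (\S+) seq \d+ permit (\S+)", config, re.M):
        lists.setdefault(m.group(1), []).append(m.group(2))
    return lists

def parse_route_maps(config):
    # route-map name -> {"prefix_list": ..., "community": ...} taken from its indented clauses
    maps, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^route-map (\S+) permit \d+", line)
        if head:
            current = maps.setdefault(head.group(1), {})
        elif current is not None and line.startswith(" "):
            pl = re.match(r"\s+match ip address prefix (\S+)", line)
            com = re.match(r"\s+set community (\S+)", line)
            if pl: current["prefix_list"] = pl.group(1)
            if com: current["community"] = com.group(1)
        else:
            current = None  # an unindented line ends the route-map block
    return maps

def audit_local_as_filter(config, local_prefixes):
    # one finding string per IPv4 unicast BGP peer whose inbound policy misses a CACI-RT-000002 element
    findings = []
    prefix_lists, route_maps = parse_prefix_lists(config), parse_route_maps(config)
    peer_re = r"^bgp neighbor (\S+) address-family ipv4 unicast(?: inbound route-map (\S+))?"
    for m in re.finditer(peer_re, config, re.M):
        peer, name = m.group(1), m.group(2)
        rmap = route_maps.get(name)
        if rmap is None:  # no route-map applied, or applied name never defined
            findings.append(f"{peer}: no defined inbound route-map applied (found {name})")
            continue
        covered = prefix_lists.get(rmap.get("prefix_list", ""), [])
        missing = [p for p in local_prefixes if p not in covered]
        if missing:
            findings.append(f"{peer}: {name} does not match local prefixes {missing}")
        if rmap.get("community") != "no-advertise":
            findings.append(f"{peer}: {name} lacks 'set community no-advertise'")
    return findings
```

Run against SAMPLE_CONFIG with ["10.10.0.0/16"], the audit reports only the second peer, which has no inbound route-map; an empty result means no finding for this check.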