Check: CISC-RT-000570
Cisco NX OS Switch RTR STIG:
CISC-RT-000570
(in versions v2 r3 through v1 r0.1)
Title
The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer. (Cat III impact)
Discussion
The effects of prefix de-aggregation can degrade switch performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured switch, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.
Check Content
Review the switch configuration to determine if it is compliant with this requirement. Step 1: Verify that a route filter has been configured to reject prefixes longer than /24 or the least significant prefixes issued to the customers as shown in the example below: ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24 ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32 Step 2: Verify that prefix filtering has been applied to each eBGP peer as shown in the example below: router bgp xx router-id 10.1.1.1 neighbor x.1.12.2 remote-as xx password 3 7b07d1b3023056a9 address-family ipv4 unicast prefix-list FILTER_PREFIX_LENGTH in neighbor x.2.44.4 remote-as xx password 3 f07a10cb41db8bb6f8f0a340049a9b02 address-family ipv4 unicast prefix-list FILTER_PREFIX_LENGTH in If the switch is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.
Fix Text
Configure the switch to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer. Step 1: Configure a prefix list to reject any prefix that is longer than /24. SW1(config)# ip prefix-list FILTER_PREFIX_LENGTH permit 0.0.0.0/0 ge 8 le 24 SW1(config)# ip prefix-list FILTER_PREFIX_LENGTH deny 0.0.0.0/0 le 32 Step 2: Apply the prefix list to all eBGP peers as shown in the example below: SW1(config)# router bgp xx SW1(config-router)# neighbor x.1.12.2 SW1(config-router-neighbor)# address-family ipv4 unicast SW1(config-router-neighbor-af)# prefix-list FILTER_PREFIX_LENGTH in SW1(config-router-neighbor-af)# exit SW1(config-router-neighbor)# exit SW1(config-router)# neighbor x.2.44.4 SW1(config-router-neighbor)# address-family ipv4 unicast SW1(config-router-neighbor-af)# prefix-list FILTER_PREFIX_LENGTH in SW1(config-router-neighbor-af)# end
Additional Identifiers
Rule ID: SV-221111r856641_rule
Vulnerability ID: V-221111
Group Title: SRG-NET-000362-RTR-000118
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 |
Denial Of Service Protection |