Check: RCKS-RTR-000030
RUCKUS ICX Router STIG: RCKS-RTR-000030 (in version v1 r1)
Title
The RUCKUS ICX BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). (Cat II impact)
Discussion
Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a nonoptimized path.
Check Content
Review the BGP neighbor configuration using "show running-config | begin router bgp". If any BGP neighbor is configured with the "neighbor x.x.x.x allowas-in" command, this is a finding.
Fix Text
Remove the command "neighbor x.x.x.x allowas-in" where found in the BGP neighbor configuration.
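The check above can be run offline against a saved copy of the running configuration. The following is an added example, not part of the STIG: the function name, the sample configuration and its addresses are constructed, and it assumes that sub-commands of "router bgp" are indented while top-level sections start in column one.

```python
import re

# Constructed sample of saved "show running-config" output (documentation
# addresses and AS numbers; not taken from the STIG).
SAMPLE_CONFIG = """\
router bgp
 local-as 64500
 neighbor EBGP-PEERS peer-group
 neighbor EBGP-PEERS allowas-in
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 allowas-in
 neighbor 192.0.2.9 remote-as 64502
 neighbor 192.0.2.9 description no allowas-in here
 address-family ipv6 unicast
  neighbor 2001:db8::1 activate
  neighbor 2001:db8::1 allowas-in
 exit-address-family
!
interface ethernet 1/1/1
 port-name neighbor 198.51.100.1 allowas-in
!
"""

# The keyword must be the token directly after the peer, so a description
# that merely mentions "allowas-in" is not flagged. Anything following the
# keyword on the same line is tolerated.
ALLOWAS_IN = re.compile(r"^neighbor\s+(\S+)\s+allowas-in(\s|$)")


def find_allowas_in(config_text):
    """Return (line_number, peer) for each allowas-in under 'router bgp'."""
    findings = []
    in_bgp = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        if raw and not raw[0].isspace():
            # Unindented line: a new top-level section begins.
            in_bgp = raw.split()[:2] == ["router", "bgp"]
            continue
        if in_bgp:
            m = ALLOWAS_IN.match(raw.strip())
            if m:
                findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    hits = find_allowas_in(SAMPLE_CONFIG)
    for lineno, peer in hits:
        print(f"RCKS-RTR-000030: line {lineno}: neighbor {peer} allowas-in")
    print("result:", "finding" if hits else "not a finding")
```

Peer groups and address-family sub-blocks are included because a neighbor can inherit or carry the setting there as well as on its own line.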
Additional Identifiers
Rule ID: SV-273571r1110907_rule
Vulnerability ID: V-273571
Group Title: SRG-NET-000018-RTR-000003
CCIs
Number | Definition |
---|---|
CCI-001368 | Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 | Information Flow Enforcement |