The Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-256020	SRG-NET-000205-RTR-000006	ARST-RT-000390	SV-256020r882402_rule	2025-02-20	2

Description
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.

ℹ️ Check
Review the Arista router configuration to verify a filter is defined to block route advertisements for prefixes that belong to the IP core. The prefix filter must be referenced outbound on the appropriate BGP neighbor statements. Step 1: The following example creates an outbound route advertise filter and configures CE Arista MLS to advertise the filter to IP Core PE (100.1.0.128). An IP prefix list named FILTER_OUT is created to specify the 172.16.1.0/24 subnet for outbound route advertisements filtering. ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24 Step 2: Verify the outbound prefix list is applied to the appropriate BGP neighbor in the BGP process. Execute the command "sh run section router bgp". router bgp 65001 neighbor 100.1.0.128 remote-as 65200 neighbor 100.1.0.128 prefix-list FILTER_OUT out exit If the Arista router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.

ℹ️ Check

Review the Arista router configuration to verify a filter is defined to block route advertisements for prefixes that belong to the IP core. The prefix filter must be referenced outbound on the appropriate BGP neighbor statements. Step 1: The following example creates an outbound route advertise filter and configures CE Arista MLS to advertise the filter to IP Core PE (100.1.0.128). An IP prefix list named FILTER_OUT is created to specify the 172.16.1.0/24 subnet for outbound route advertisements filtering. ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24 Step 2: Verify the outbound prefix list is applied to the appropriate BGP neighbor in the BGP process. Execute the command "sh run section router bgp". router bgp 65001 neighbor 100.1.0.128 remote-as 65200 neighbor 100.1.0.128 prefix-list FILTER_OUT out exit If the Arista router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.

✔️ Fix
Configure all eBGP Arista routers to filter outbound route advertisements belonging to the IP core. Step 1: Configure an outbound route advertise filter and configure CE Arista MLS to advertise the filter to IP Core PE (100.1.0.128). Also configure an IP prefix list named FILTER_OUT to specify the 172.16.1.0/24 subnet for outbound route advertisements filtering. LEAF-1A(config)#ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24 Step 2: Apply the prefix-list outbound with the BGP neighbor in BGP process. LEAF-1A(config)#router bgp 65001 LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 remote-as 65200 LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 prefix-list FILTER_OUT out LEAF-1A(config-router-bgp)# exit

✔️ Fix

Configure all eBGP Arista routers to filter outbound route advertisements belonging to the IP core. Step 1: Configure an outbound route advertise filter and configure CE Arista MLS to advertise the filter to IP Core PE (100.1.0.128). Also configure an IP prefix list named FILTER_OUT to specify the 172.16.1.0/24 subnet for outbound route advertisements filtering. LEAF-1A(config)#ip prefix-list FILTER_OUT seq 10 permit 172.16.1.0/24 Step 2: Apply the prefix-list outbound with the BGP neighbor in BGP process. LEAF-1A(config)#router bgp 65001 LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 remote-as 65200 LEAF-1A(config-router-bgp)#neighbor 100.1.0.128 prefix-list FILTER_OUT out LEAF-1A(config-router-bgp)# exit