The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-216781	SRG-NET-000205-RTR-000006	CISC-RT-000530	SV-216781r531087_rule	2024-08-22	3

Description
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.

ℹ️ Check
Step 1: verify that an outbound route policy has been configured for each external neighbor as shown in the example below. router bgp xx address-family ipv4 unicast ! neighbor x.1.23.3 remote-as yy address-family ipv4 unicast route-policy BGP_FILTER_OUTBOUND out ! ! neighbor x.1.24.4 remote-as zz address-family ipv4 unicast route-policy BGP_FILTER_OUTBOUND out ! ! Step 2: Review the route policy to determine if it is filtering at a minimum IP core prefixes as shown in the example below. route-policy BGP_FILTER_OUTBOUND if destination in CORE_PREFIX then drop else pass endif end-policy Step 3: Review the prefix set referenced in the route policy above to determine if it includes the IP core prefix as shown in the example below. prefix-set CORE_PREFIX 10.1.1.0/24 le 32 end-set If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.

ℹ️ Check

Step 1: verify that an outbound route policy has been configured for each external neighbor as shown in the example below. router bgp xx address-family ipv4 unicast ! neighbor x.1.23.3 remote-as yy address-family ipv4 unicast route-policy BGP_FILTER_OUTBOUND out ! ! neighbor x.1.24.4 remote-as zz address-family ipv4 unicast route-policy BGP_FILTER_OUTBOUND out ! ! Step 2: Review the route policy to determine if it is filtering at a minimum IP core prefixes as shown in the example below. route-policy BGP_FILTER_OUTBOUND if destination in CORE_PREFIX then drop else pass endif end-policy Step 3: Review the prefix set referenced in the route policy above to determine if it includes the IP core prefix as shown in the example below. prefix-set CORE_PREFIX 10.1.1.0/24 le 32 end-set If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.

✔️ Fix
Step 1: Configure a prefix set containing the IP core prefix as shown below. RP/0/0/CPU0:R2(config)#prefix-set Step 2: Configure a prefix set containing the current Bogon prefixes as shown below. RP/0/0/CPU0:R2(config)#prefix-set CORE_PREFIX RP/0/0/CPU0:R2(config-pfx)#10.1.1.0/24 le 32 RP/0/0/CPU0:R2(config-pfx)#end-set Step 3: Configure the route policy to drop route advertisements for IP core prefixes as shown in the example below. RP/0/0/CPU0:R2(config)#route-policy BGP_FILTER_OUTBOUND RP/0/0/CPU0:R2(config-rpl)#if destination in CORE_PREFIX then RP/0/0/CPU0:R2(config-rpl-if)#drop RP/0/0/CPU0:R2(config-rpl-if)#else RP/0/0/CPU0:R2(config-rpl-else)#pass RP/0/0/CPU0:R2(config-rpl-else)#endif RP/0/0/CPU0:R2(config-rpl)#end-policy Step 4: Apply the route policy to each external BGP neighbor as shown in the example. RP/0/0/CPU0:R2(config)#router bgp xx RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.23.3 RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_OUTBOUND out RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.24.4 RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_ OUTBOUND out

✔️ Fix

Step 1: Configure a prefix set containing the IP core prefix as shown below. RP/0/0/CPU0:R2(config)#prefix-set Step 2: Configure a prefix set containing the current Bogon prefixes as shown below. RP/0/0/CPU0:R2(config)#prefix-set CORE_PREFIX RP/0/0/CPU0:R2(config-pfx)#10.1.1.0/24 le 32 RP/0/0/CPU0:R2(config-pfx)#end-set Step 3: Configure the route policy to drop route advertisements for IP core prefixes as shown in the example below. RP/0/0/CPU0:R2(config)#route-policy BGP_FILTER_OUTBOUND RP/0/0/CPU0:R2(config-rpl)#if destination in CORE_PREFIX then RP/0/0/CPU0:R2(config-rpl-if)#drop RP/0/0/CPU0:R2(config-rpl-if)#else RP/0/0/CPU0:R2(config-rpl-else)#pass RP/0/0/CPU0:R2(config-rpl-else)#endif RP/0/0/CPU0:R2(config-rpl)#end-policy Step 4: Apply the route policy to each external BGP neighbor as shown in the example. RP/0/0/CPU0:R2(config)#router bgp xx RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.23.3 RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_OUTBOUND out RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.24.4 RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER_ OUTBOUND out