The Dell OS10 BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Severity: medium
Group ID: V-269877
Group Title: SRG-NET-000205-RTR-000006
Version: OS10-RTR-000430
Rule ID: SV-269877r1052016_rule
Date: 2024-12-11
STIG Version: 1
Description
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.
ℹ️ Check
Review the router configuration to verify that there is a filter defined to block route advertisements for prefixes that belong to the IP core. The prefix filter must be referenced outbound on the appropriate BGP neighbor statements.

Step 1: Verify a prefix list has been configured containing the current IP core prefixes as shown in the example below.

ip prefix-list CORE_PREFIX_FILTER seq 5 deny 20.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8

Step 2: Verify the route map applied to the external neighbors references the configured prefix list shown above.

!
route-map CORE_PREFIX_FILTER_MAP permit 10
 match ip address prefix-list CORE_PREFIX_FILTER
!
router bgp 10
 !
 neighbor 40.1.1.10
  !
  address-family ipv4 unicast
   route-map CORE_PREFIX_FILTER_MAP OUT

If the router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.
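The two check steps can be automated against a saved running configuration. The script below is an added example, not part of the STIG or of Dell's tooling. The `audit` function name, the neighbor 192.0.2.20 and the sample text are constructed for illustration. It assumes the configuration layout shown in the check text, matches core prefixes exactly (it does not evaluate `ge`/`le` or sequence order), and does not resolve template inheritance.

```python
import ipaddress
import re

# Constructed sample: the page's compliant neighbor plus one neighbor with no filter.
SAMPLE = """\
ip prefix-list CORE_PREFIX_FILTER seq 5 deny 20.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8
!
route-map CORE_PREFIX_FILTER_MAP permit 10
 match ip address prefix-list CORE_PREFIX_FILTER
!
router bgp 10
 neighbor 40.1.1.10
  address-family ipv4 unicast
   route-map CORE_PREFIX_FILTER_MAP OUT
 neighbor 192.0.2.20
  address-family ipv4 unicast
"""

def audit(config, core_prefixes, ebgp_neighbors):
    """Return a list of findings; an empty list means the check passes."""
    denies, rm_lists, out_maps = {}, {}, {}
    route_map = neighbor = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip prefix-list (\S+) seq \d+ deny (\S+)", line):
            denies.setdefault(m[1], set()).add(ipaddress.ip_network(m[2]))
        elif m := re.match(r"route-map (\S+) permit \d+$", line):
            route_map, neighbor = m[1], None      # route-map definition stanza
        elif m := re.match(r"match ip address prefix-list (\S+)", line):
            rm_lists.setdefault(route_map, set()).add(m[1])
        elif m := re.match(r"neighbor (\S+)$", line):
            neighbor, route_map = m[1], None      # BGP neighbor stanza
        elif neighbor and (m := re.match(r"route-map (\S+) out$", line, re.I)):
            out_maps[neighbor] = m[1]             # outbound application only
        elif line.startswith(("router bgp", "template ")):
            route_map = neighbor = None
    findings = []
    for peer in ebgp_neighbors:
        rm = out_maps.get(peer)
        if rm is None:
            findings.append(f"{peer}: no outbound route-map")
            continue
        denied = set().union(*(denies.get(pl, set()) for pl in rm_lists.get(rm, ())))
        for core in map(ipaddress.ip_network, core_prefixes):
            if core not in denied:
                findings.append(f"{peer}: {rm} does not deny {core}")
    return findings
```

Pass the site's actual core prefixes and external neighbor addresses; any returned string corresponds to a finding under this rule.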
✔️ Fix
Configure all eBGP routers to filter outbound route advertisements belonging to the IP core.

Step 1: Add to the prefix filter list those prefixes belonging to the IP core.

OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 5 deny 20.0.0.0/24 ge 8 le 32
OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32
OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8

Step 2: Configure the route map referencing the configured prefix list.

OS10(config)# route-map CORE_PREFIX_FILTER_MAP 10
OS10(config-route-map)# match ip address prefix-list CORE_PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map outbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 40.1.1.10
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map CORE_PREFIX_FILTER_MAP out
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# template ebgp
OS10(config-router-template)# address-family ipv4 unicast
OS10(config-router-bgp-template-af)# route-map CORE_PREFIX_FILTER_MAP out
OS10(config-router-bgp-template-af)# exit
OS10(config-router-template)# exit
OS10(config-router-bgp-10)# exit