The BGP Cisco ACI must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272062 | CACI-RT-000002 | SV-272062r1115716_rule | Medium |
| Description |
| Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a nonoptimized path. For Cisco APIC, the default setting to prevent route loops from occurring. Sites must use different AS numbers. If this occurs, routing updates from one site is dropped when the other site receives them by default. To prevent such a situation from occurring, sites must not enable the "BGP Autonomous System override" feature to override the default setting. They must also not enable the "Disable Peer AS Check". |
| STIG | Date |
| Cisco ACI Router Security Technical Implementation Guide | 2025-06-18 |
Details
| Check Text (C-76112r1115714_chk) |
| Review the switch configuration to verify it will reject routes belonging to the local AS. 1. Verify a prefix list has been configured containing prefixes belonging to the local AS. route-map LOCAL_AS_FILTER permit 10 match ip address prefix <local-AS-prefix> set community no-advertise 2. Review the route-map to the inbound BGP policy. bgp neighbor <peer-IP> address-family ipv4 unicast inbound route-map LOCAL_AS_FILTER If the switch is not configured to reject inbound route advertisements belonging to the local AS, this is a finding. |
| Fix Text (F-76019r1115715_fix) |
| Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS. 1. From the relevant BGP peer configuration, create a route-map to filter local AS prefixes. Route-map LOCAL_AS_FILTER permit 10 match ip address prefix <local-AS-prefix> set community no-advertise 2. Apply the route-map to the inbound BGP policy. Within the inbound policy, add a prefix filter rule that explicitly rejects any routes with a prefix matching the local AS number. bgp neighbor <peer-IP> address-family ipv4 unicast inbound route-map MY_LOCAL_AS_FILTER |