The Dell OS10 BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269877 | OS10-RTR-000430 | SV-269877r1052016_rule | Medium |
| Description |
| Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path. |
| STIG | Date |
| Dell OS10 Switch Router Security Technical Implementation Guide | 2024-12-11 |
Details
| Check Text (C-73910r1052014_chk) |
| Review the router configuration to verify that there is a filter defined to block route advertisements for prefixes that belong to the IP core. The prefix filter must be referenced outbound on the appropriate BGP neighbor statements. Step 1: Verify a prefix list has been configured containing the current IP core prefixes as shown in the example below. ip prefix-list CORE_PREFIX_FILTER seq 5 deny 20.0.0.0/24 ge 8 le 32 ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32 ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8 Step 2: Verify the route map applied to the external neighbors references the configured prefix list shown above. ! route-map CORE_PREFIX_FILTER_MAP permit 10 match ip address prefix-list CORE_PREFIX_FILTER ! router bgp 10 ! neighbor 40.1.1.10 ! address-family ipv4 unicast route-map CORE_PREFIX_FILTER_MAP OUT If the router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding. |
| Fix Text (F-73811r1052015_fix) |
| Configure all eBGP routers to filter outbound route advertisements belonging to the IP core. Step 1: Add to the prefix filter list those prefixes belonging to the IP core. OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 5 deny 20.0.0.0/24 ge 8 le 32 OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32 OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8 Step 2: Configure the route map referencing the configured prefix list. OS10(config)# route-map CORE_PREFIX_FILTER_MAP 10 OS10(config-route-map)# match ip address prefix-list CORE_PREFIX_FILTER OS10(config-route-map)# exit Step 3: Apply the route-map inbound to each external BGP neighbor. OS10(config)# router bgp 10 OS10(config-router-bgp-10)# neighbor 40.1.1.10 OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# route-map CORE_PREFIX_FILTER_MAP out OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# exit OS10(config-router-bgp-10)# template ebgp OS10(config-router-template)# address-family ipv4 unicast OS10(config-router-bgp-template-af)# route-map CORE_PREFIX_FILTER_MAP out OS10(config-router-bgp-template-af)# exit OS10(config-router-template)# exit OS10(config-router-bgp-10)# exit |