DISA STIGS Viewer

The RUCKUS ICX BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Overview

Finding ID: V-273610
Version: RCKS-RTR-000430
Rule ID: SV-273610r1110922_rule
IA Controls:
Severity: Medium
Description
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.
STIG Date
RUCKUS ICX Router Security Technical Implementation Guide 2025-06-03

Details

Check Text (C-77701r1109850_chk)
Review the router configuration to verify there is a filter defined to block route advertisements for prefixes that belong to the IP core.

1. Verify a prefix-list has been configured containing prefixes belonging to the IP core.
ip prefix-list FILTER_CORE_PREFIXES seq 10 deny x.1.1.0/24 le 32
ip prefix-list FILTER_CORE_PREFIXES seq 20 deny x.1.2.0/24 le 32
ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8

2. Verify the prefix-list has been applied to all external BGP peers as shown in the example below:
router bgp
 local-as xxxx
 neighbor x.0.0.1 remote-as yy
 neighbor x.0.0.1 ao mykeychain
 address-family ipv4 unicast
  neighbor x.0.0.1 prefix-list FILTER_CORE_PREFIXES out

If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.
Fix Text (F-77606r1109851_fix)
Configure all eBGP routers to filter outbound route advertisements belonging to the IP core.

1. Configure a prefix-list containing all customer and local AS prefixes as shown in the example below:
ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 10 deny x.1.1.0/24 le 32
ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 20 deny x.1.2.0/24 le 32
ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8

2. Apply the prefix-list filter outbound to each neighbor as shown in the following example:
ICX(config)#router bgp
ICX(config-bgp-router)#neighbor x.0.0.1 prefix-list FILTER_CORE_PREFIXES out
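
The check above can also be run offline against a saved configuration. This added example is not part of the STIG or of RUCKUS documentation: it evaluates each outbound prefix-list and reports eBGP neighbors that have no outbound filter or whose filter would still advertise a core prefix. The sample configuration, addresses, AS numbers and the WEAK list are constructed, and the code assumes conventional first-match, implicit-deny prefix-list evaluation with ge/le length ranges.

```python
import ipaddress, re

SAMPLE = """
ip prefix-list FILTER_CORE_PREFIXES seq 10 deny 192.0.2.0/24 le 32
ip prefix-list FILTER_CORE_PREFIXES seq 20 deny 198.51.100.0/24 le 32
ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8
ip prefix-list WEAK seq 10 deny 192.0.2.0/24
ip prefix-list WEAK seq 20 permit 0.0.0.0/0 ge 8
router bgp
 local-as 64500
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.5 remote-as 64502
 neighbor 203.0.113.9 remote-as 64503
 neighbor 203.0.113.1 prefix-list FILTER_CORE_PREFIXES out
 neighbor 203.0.113.5 prefix-list WEAK out
"""  # constructed sample config: documentation prefixes, private-use ASNs
ENTRY = re.compile(r"^\s*ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?\s*$", re.M)

def parse_prefix_lists(cfg):
    """Return {name: [(seq, action, network, min_len, max_len)]} in seq order."""
    lists = {}
    for name, seq, action, pfx, ge, le in ENTRY.findall(cfg):
        net = ipaddress.ip_network(pfx)
        lo, hi = int(ge or net.prefixlen), int(le or (32 if ge else net.prefixlen))
        lists.setdefault(name, []).append((int(seq), action, net, lo, hi))
    return {n: sorted(e, key=lambda x: x[0]) for n, e in lists.items()}

def permitted(entries, route):
    """First matching entry wins; a route matching no entry is denied."""
    r = ipaddress.ip_network(route)
    for _, action, net, lo, hi in entries:
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action == "permit"
    return False

def audit(cfg, core):
    """Yield (peer, reason) for each eBGP peer that could be sent a core prefix."""
    lists = parse_prefix_lists(cfg)
    local_as = re.search(r"^\s*local-as (\S+)", cfg, re.M).group(1)
    remote = dict(re.findall(r"^\s*neighbor (\S+) remote-as (\S+)", cfg, re.M))
    out = dict(re.findall(r"^\s*neighbor (\S+) prefix-list (\S+) out", cfg, re.M))
    probes = core + [c.split("/")[0] + "/32" for c in core]  # host routes test "le 32"
    for peer in sorted(p for p, asn in remote.items() if asn != local_as):  # eBGP only
        entries = lists.get(out.get(peer))
        leaked = [p for p in probes if permitted(entries or [], p)]
        if entries is None:
            yield peer, "no defined outbound prefix-list"
        elif leaked:
            yield peer, "leaks " + ", ".join(leaked)
```

Running `list(audit(SAMPLE, ["192.0.2.0/24", "198.51.100.0/24"]))` flags the neighbor using WEAK, whose deny entry lacks `le 32` and omits the second core prefix, and the neighbor with no outbound list at all.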