V-220443

Discussion

Packets with Bogon IP source addresses should never be allowed to traverse the IP core. Bogon IP networks are RFC1918 addresses or address blocks that have never been assigned by the IANA or have been reserved.

Check Content

Review the switch configuration to verify that an ingress access control list (ACL) applied to all external interfaces is blocking packets with Bogon source addresses. 

Step 1: Verify that an ACL has been configured containing the current Bogon prefixes as shown in the example below: 

ip access-list extended FILTER_PERIMETER 
 deny ip 0.0.0.0 0.255.255.255 any log-input 
 deny ip 10.0.0.0 0.255.255.255 any log-input 
 deny ip 100.64.0.0 0.63.255.255 any log-input 
 deny ip 127.0.0.0 0.255.255.255 any log-input 
 deny ip 169.254.0.0 0.0.255.255 any log-input 
 deny ip 172.16.0.0 0.15.255.255 any log-input 
 deny ip 192.0.0.0 0.0.0.255 any log-input 
 deny ip 192.0.2.0 0.0.0.255 any log-input 
 deny ip 192.168.0.0 0.0.255.255 any log-input 
 deny ip 198.18.0.0 0.1.255.255 any log-input 
 deny ip 198.51.100.0 0.0.0.255 any log-input 
 deny ip 203.0.113.0 0.0.0.255 any log-input 
 deny ip 224.0.0.0 31.255.255.255 any log-input 
 deny ip 240.0.0.0 15.255.255.255 any log-input
 permit tcp any any established 
 permit icmp host x.12.1.9 host x.12.1.10 echo 
 permit icmp host x.12.1.9 host x.12.1.10 echo-reply 
… 
 … 
 … 
deny ip any any log-input 

Step 2: Verify that the inbound ACL applied to all external interfaces will block all traffic from Bogon source addresses. 

interface GigabitEthernet0/1 
 description Link to DISN 
 ip address x.12.1.10 255.255.255.254 
 ip access-group FILTER_PERIMETER in 

If the switch is not configured to block inbound packets with source Bogon IP address prefixes, this is a finding.