STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Dell OS10 Switch Router Security Technical Implementation Guide

V-269877

CAT II (Medium)

The Dell OS10 BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Rule ID

SV-269877r1052016_rule

STIG

Dell OS10 Switch Router Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001097

Discussion

Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.

Check Content

Review the router configuration to verify that there is a filter defined to block route advertisements for prefixes that belong to the IP core. 

The prefix filter must be referenced outbound on the appropriate BGP neighbor statements.

Step 1: Verify a prefix list has been configured containing the current IP core prefixes as shown in the example below.

ip prefix-list CORE_PREFIX_FILTER seq  5 deny 20.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8

Step 2: Verify the route map applied to the external neighbors references the configured prefix list shown above.

!
route-map CORE_PREFIX_FILTER_MAP permit 10
 match ip address prefix-list CORE_PREFIX_FILTER
 
!
router bgp 10
 !
 neighbor 40.1.1.10
  !
  address-family ipv4 unicast
   route-map CORE_PREFIX_FILTER_MAP OUT

If the router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.
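
The two check steps can also be run offline against a saved running-config. The script below is an added example, not part of the STIG or of Dell's tooling. It assumes every `neighbor` is an external peer and that addresses are IPv4, matches deny entries by exact prefix (ignoring ge/le and sequence order), and does not resolve template inheritance; the second neighbor in the sample is constructed.

```python
import ipaddress
import re

# Constructed sample: the configuration from the check text plus a second,
# hypothetical neighbor (40.1.1.20) that has no outbound route-map.
SAMPLE_CONFIG = """\
ip prefix-list CORE_PREFIX_FILTER seq  5 deny 20.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32
ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8
!
route-map CORE_PREFIX_FILTER_MAP permit 10
 match ip address prefix-list CORE_PREFIX_FILTER
!
router bgp 10
 neighbor 40.1.1.10
  address-family ipv4 unicast
   route-map CORE_PREFIX_FILTER_MAP OUT
 neighbor 40.1.1.20
  address-family ipv4 unicast
"""

def audit(config, core_prefixes):
    """Return findings (empty list = pass). Assumes all neighbors are eBGP, IPv4."""
    denies, rmap_lists, nbr_out = {}, {}, {}
    rmap = nbr = None
    for line in config.splitlines():
        text = line.strip()
        if m := re.match(r"ip prefix-list (\S+) seq\s+\d+ deny (\S+)", text):
            denies.setdefault(m[1], set()).add(ipaddress.ip_network(m[2], strict=False))
        elif m := re.match(r"route-map (\S+) (permit|deny) \d+", line):
            rmap = m[1]                  # unindented line: route-map definition
        elif rmap and (m := re.match(r"match ip address prefix-list (\S+)", text)):
            rmap_lists.setdefault(rmap, set()).add(m[1])
        elif m := re.match(r"neighbor (\S+)", text):
            nbr = m[1]
            nbr_out[nbr] = None          # no outbound route-map seen yet
        elif text.startswith("template "):
            nbr = None                   # template settings are not a neighbor's own
        elif nbr and (m := re.match(r"\s+route-map (\S+) out\s*$", line, re.I)):
            nbr_out[nbr] = m[1]          # indented line: applied to the neighbor
    wanted = {ipaddress.ip_network(p, strict=False) for p in core_prefixes}
    findings = []
    for peer, applied in nbr_out.items():
        if applied is None:
            findings.append(f"{peer}: no outbound route-map")
            continue
        lists = rmap_lists.get(applied, ())
        covered = set().union(*(denies.get(pl, set()) for pl in lists))
        findings += [f"{peer}: {applied} does not deny {n}" for n in sorted(wanted - covered)]
    return findings
```

Pass the site's current IP core prefixes as `core_prefixes`; any returned string corresponds to a finding under this rule.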

Fix Text

Configure all eBGP routers to filter outbound route advertisements belonging to the IP core.

Step 1: Add to the prefix filter list those prefixes belonging to the IP core.

OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq  5 deny 20.0.0.0/24 ge 8 le 32
OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 10 deny 30.0.0.0/24 ge 8 le 32
OS10(config)# ip prefix-list CORE_PREFIX_FILTER seq 15 permit 0.0.0.0/0 ge 8

Step 2: Configure the route map referencing the configured prefix list.

OS10(config)# route-map CORE_PREFIX_FILTER_MAP 10
OS10(config-route-map)# match ip address prefix-list CORE_PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map outbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 40.1.1.10
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map CORE_PREFIX_FILTER_MAP out
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# template ebgp
OS10(config-router-template)# address-family ipv4 unicast
OS10(config-router-bgp-template-af)# route-map CORE_PREFIX_FILTER_MAP out
OS10(config-router-bgp-template-af)# exit
OS10(config-router-template)# exit
OS10(config-router-bgp-10)# exit