V-221090

Discussion

Packets with Bogon IP source addresses should never be allowed to traverse the IP core. Bogon IP networks are RFC1918 addresses or address blocks that have never been assigned by the IANA or have been reserved.

Check Content

Review the switch configuration to verify that an ingress ACL applied to all external interfaces is blocking packets with Bogon source addresses.

Step 1: Verify an ACL has been configured containing the current Bogon prefixes as shown in the example below:

ip access-list EXTERNAL_ACL
 10 deny ip 0.0.0.0/8 any log 
 20 deny ip 10.0.0.0/8 any log 
 30 deny ip 100.64.0.0/10 any log 
 40 deny ip 127.0.0.0/8 any log 
 50 deny ip 169.254.0.0/16 any log 
 60 deny ip 172.16.0.0/12 any log 
 70 deny ip 192.0.0.0/24 any log 
 80 deny ip 192.0.2.0/24 any log 
 90 deny ip 192.168.0.0/16 any log 
 100 deny ip 198.18.0.0/15 any log 
 110 deny ip 198.51.100.0/24 any log 
 120 deny ip 203.0.113.0/24 any log 
 130 deny ip 224.0.0.0/3 any log 
 140 permit tcp any any established 
 150 permit …
 …
 …
 …
210 deny ip any any log

Step 2: Verify that the inbound ACL applied to all external interfaces will block all traffic from Bogon source addresses.

interface Ethernet2/2
 description link to DISN
 no switchport
 ip access-group EXTERNAL_ACL in

If the switch is not configured to block inbound packets with source Bogon IP address prefixes, this is a finding.