STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cisco IOS Router RTR Security Technical Implementation Guide

V-216578

CAT III (Low)

The Cisco perimeter router must be configured to not redistribute static routes to an approved gateway service provider into BGP, an IGP peering with the NIPRNet, or other autonomous systems.

Rule ID

SV-216578r1117237_rule

STIG

Cisco IOS Router RTR Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-001414

Discussion

If the static routes to the approved gateway are being redistributed into an Exterior Gateway Protocol or Interior Gateway Protocol to a NIPRNet gateway, this could make traffic on NIPRNet flow to that particular router and not to the internet access point routers. This could not only wreak havoc with traffic flows on NIPRNet but could overwhelm the connection from the router to the NIPRNet gateway(s) and cause traffic destined for outside of NIPRNet to bypass the defenses of the internet access points.

Check Content

This requirement is not applicable for the DODIN backbone.

Step 1: Review the IGP and BGP configurations. If there are redistribute static statements configured as shown in the examples below, proceed to step 2.

OSPF Example

router ospf 1
 log-adjacency-changes
 redistribute static subnets
 network 0.0.0.0 255.255.255.255 area 0

EIGRP example

router eigrp 1
 network 10.1.15.0 0.0.0.255
 redistribute static

RIP example

router rip
 version 2
 redistribute static
 network 10.0.0.0

BGP example

router bgp nn
 no synchronization
 bgp log-neighbor-changes
 redistribute static
 neighbor x.11.1.7 remote-as nn
 neighbor x.11.1.7 password xxxxxxx
 no auto-summary

Step 2: Review the static routes that have been configured to determine if any contain the next hop address of the approved gateway.

If the static routes to the approved gateway are being redistributed into BGP or any IGP peering to a NIPRNet gateway or any other autonomous system, this is a finding.

Fix Text

This requirement is not applicable for the DODIN backbone.

Configure the router so that static routes are not redistributed to an approved gateway into either a BGP or any IGP peering with the NIPRNet or to any other autonomous systems. This can be done by excluding that route in the route-map as shown in the example below.

Step 1: Configure a prefix list for any static routes with the approved gateway as the next-hop address.

R5(config)#ip prefix-list ISP_PREFIX permit x.x.x.0/24

Step 2: Configure a route map that will deny the state routes to the ISP.

R5(config)#route-map FILTER_ISP_STATIC deny 10
R5(config-route-map)#match ip address prefix-list ISP_PREFIX
R5(config-route-map)#exit
R5(config)#route-map FILTER_ISP_STATIC permit 20
R5(config-route-map)#exit

Step 3: Apply the route-map to the IGP and BGP redistribute static commands as shown in the EIGRP  example.

R5(config)#router eigrp 1
R5(config-router)#redistribute static route-map FILTER_ISP_STATIC