
V-273610

CAT II (Medium)

The RUCKUS ICX BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Rule ID

SV-273610r1110922_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001097

Discussion

Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.

Check Content

Review the router configuration to verify there is a filter defined to block route advertisements for prefixes that belong to the IP core. 

1. Verify a prefix-list has been configured containing prefixes belonging to the IP core.
ip prefix-list FILTER_CORE_PREFIXES seq 10 deny x.1.1.0/24 le 32
ip prefix-list FILTER_CORE_PREFIXES seq 20 deny x.1.2.0/24 le 32
ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8

2. Verify the prefix-list has been applied to all external BGP peers as shown in the example below:
router bgp
 local-as xxxx
 neighbor x.0.0.1 remote-as yy
 neighbor x.0.0.1 ao mykeychain

 address-family ipv4 unicast
 neighbor x.0.0.1 prefix-list FILTER_CORE_PREFIXES out

If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.
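
The two check steps above can be automated against a saved running-config. The following is an added example, not part of the STIG or of RUCKUS documentation: it reports every external BGP peer that has no outbound prefix-list or whose list would still permit a core prefix. The sample config, addresses, AS numbers and function names are constructed, and the ge/le handling assumes the common first-match prefix-list semantics.

```python
import ipaddress
import re

# Constructed sample config; documentation addresses and private ASNs (not from the page).
SAMPLE = """\
ip prefix-list FILTER_CORE_PREFIXES seq 10 deny 198.51.100.0/24 le 32
ip prefix-list FILTER_CORE_PREFIXES seq 20 deny 203.0.113.0/24 le 32
ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8
router bgp
 local-as 64500
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.5 remote-as 64502
 neighbor 192.0.2.9 remote-as 64500
 address-family ipv4 unicast
 neighbor 192.0.2.1 prefix-list FILTER_CORE_PREFIXES out
"""

def parse_entry(tok):
    # tok: ip prefix-list NAME seq N permit|deny PREFIX [ge G] [le L]
    net = ipaddress.ip_network(tok[6])
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))
    lo = opts.get("ge", net.prefixlen)
    hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
    return int(tok[4]), tok[5], net, lo, hi

def permitted(entries, route):
    # Assumed semantics: lowest matching sequence wins, no match is an implicit deny.
    for _, action, net, lo, hi in sorted(entries, key=lambda e: e[0]):
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

def audit(config, core_prefixes):
    """Return findings for external peers; an empty list means the check passes."""
    local_as = re.findall(r"^ *local-as (\S+)", config, re.M)
    peers = dict(re.findall(r"^ *neighbor (\S+) remote-as (\S+)", config, re.M))
    out = dict(re.findall(r"^ *neighbor (\S+) prefix-list (\S+) out", config, re.M))
    lists = {}
    for tok in (l.split() for l in config.splitlines() if l.startswith("ip prefix-list")):
        lists.setdefault(tok[2], []).append(parse_entry(tok))
    findings = []
    for peer in (p for p, asn in peers.items() if asn not in local_as):  # eBGP only
        entries = lists.get(out.get(peer))
        if entries is None:
            findings.append(f"{peer}: no outbound prefix-list applied")
            continue
        findings += [f"{peer}: {out[peer]} permits core prefix {p}" for p in core_prefixes
                     if permitted(entries, ipaddress.ip_network(p))]
    return findings
```

Running audit(SAMPLE, [...]) with the two denied /24s flags only 192.0.2.5, the external peer with no filter. Dropping "le 32" from the deny entries lets a more-specific core route such as a /25 fall through to the final permit.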

Fix Text

Configure all eBGP routers to filter outbound route advertisements belonging to the IP core.

1. Configure a prefix-list containing all customer and local AS prefixes as shown in the example below:
ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 10 deny x.1.1.0/24 le 32
ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 20 deny x.1.2.0/24 le 32
ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8

2. Apply the prefix-list filter outbound to each neighbor as shown in the following example:
ICX(config)#router bgp
ICX(config-bgp-router)#neighbor x.0.0.1 prefix-list FILTER_CORE_PREFIXES out