V-216783

Discussion

Verifying the path a route has traversed will ensure that the local AS is not used as a transit network for unauthorized traffic. To ensure that the local AS does not carry any prefixes that do not belong to any customers, all PE routers must be configured to reject routes with an originating AS other than that belonging to the customer.

Check Content

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify the router is configured to deny updates received from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.

Step 1: verify that an inbound route policy has been configured for each customer neighbor as shown in the example below.

router bgp xx
 address-family ipv4 unicast
 !
 neighbor x.12.4.14
  remote-as 64514
    address-family ipv4 unicast
     route-policy FILTER _64514_ROUTES in
  !
 !
 neighbor x.12.4.16
  remote-as 64516
  address-family ipv4 unicast
   route-policy FILTER_64516_ROUTES in
 !

Step 2: Verify that the route policy permits only routes from each CE router with an originating AS that does not belong to that customer.

route-policy FILTER_64514_ROUTES
  if as-path originates-from 64514'  then
    pass
  else
    drop
  endif
end-policy
!
route-policy FILTER_64516_ROUTES
  if as-path originates-from 64516'  then
    pass
  else
    drop
  endif
end-policy

Note: The inbound route policy to filter customer prefixes can be nested with the above route policy as shown in the example below.

route-policy CUST1_INBOUND_FILTER
  apply CUST1_FILTER
  apply FILTER_64514_ROUTES
end-policy

If the router is not configured to reject updates from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer, this is a finding.