STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cisco ACI Router Security Technical Implementation Guide

V-272063

CAT II (Medium)

The BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).

Rule ID

SV-272063r1168094_rule

STIG

Cisco ACI Router Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001368

Discussion

Advertisement of routes by an autonomous system for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the GIG IP core could redistribute IGP routes into BGP, thereby leaking internal routes. An alternative to route maps is to use subnets under the External EPG with the correct route Controls assigned as discussed in vendor documentation (Reference the L3 out white paper).

Check Content

Review the ACI configuration to verify it will reject routes belonging to the local AS.

1. Verify a prefix list has been configured containing prefixes belonging to the local AS. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> Route Map for import and export route control.
2. Verify the prefix list has been applied to all external BGP peers. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> External EPGs >> Policy >> General >> Route Control Profile. 

If the ACI is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.

Fix Text

Configure the router to reject outbound route advertisements for any prefixes belonging to the local AS. Use a prefix list containing the local AS prefixes and apply it as an outbound filter on the BGP neighbor configuration.

1. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> Route Map for import and export route control. 
2. Then apply that route MAP to the external EPG in the following location: Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> External EPGs >> Policy >> General >> Route Control Profile. 

Note: An alternative to route maps is to use subnets under the External EPG with the correct route Controls assigned as discussed in vendor documentation (Reference the L3 out white paper).