The BGP Cisco ACI must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Severity: medium
Group ID: V-272062
Group Title: SRG-NET-000018-RTR-000003
Version: CACI-RT-000002
Rule ID: SV-272062r1168387_rule
Date: 2025-12-11
STIG Version: 1
Description
Accepting route advertisements for prefixes belonging to the local AS can result in traffic looping or being black-holed, or at a minimum taking a non-optimized path. For Cisco APIC, the default setting prevents such route loops from occurring, and sites are required to use different AS numbers when configuring BGP. To keep that protection in place, sites must not enable the "BGP Autonomous System override" feature, which overrides the default setting, and must not enable the "Disable Peer AS Check" option. An alternative to route maps is to use subnets under the External EPG with the correct route controls assigned, as discussed in vendor documentation (reference the L3Out white paper).
Check
Review the switch configuration to verify it will reject routes belonging to the local AS.
1. Verify a prefix list has been configured containing prefixes belonging to the local AS. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> Route Map for import and export route control.
2. Review the route-map applied to the inbound BGP policy. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> External EPGs >> Policy >> General >> Route Control Profile.
If the switch is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.
Fix
Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS. From the relevant BGP peer configuration, create a route-map to filter local AS prefixes and apply it to the inbound BGP policy. Within the inbound policy, add a prefix filter rule that explicitly rejects any route whose prefix belongs to the local AS.
1. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> Route Map for import and export route control.
2. Apply that route map to the external EPG in the following location: Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> External EPGs >> Policy >> General >> Route Control Profile.
Note: An alternative to route maps is to use subnets under the External EPG with the correct route controls assigned, as discussed in vendor documentation (reference the L3Out white paper).