The BGP Cisco ACI must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-272088	SRG-NET-000362-RTR-000117	CACI-RT-000028	SV-272088r1168406_rule	2025-12-11	1

Description
The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements. Maximum prefix limits on peer connections combined with aggressive prefix-size filtering of customers' reachability advertisements will effectively mitigate the de-aggregation risk. BGP maximum prefix must be used on all eBGP routers to limit the number of prefixes it should receive from a particular neighbor, whether customer or peering AS. Consider each neighbor and how many routes that will be advertised and set a threshold slightly higher than the number expected.

Description

The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements. Maximum prefix limits on peer connections combined with aggressive prefix-size filtering of customers' reachability advertisements will effectively mitigate the de-aggregation risk. BGP maximum prefix must be used on all eBGP routers to limit the number of prefixes it should receive from a particular neighbor, whether customer or peering AS. Consider each neighbor and how many routes that will be advertised and set a threshold slightly higher than the number expected.

ℹ️ Check
Verify the BGP configuration for each tenant: Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy >> BGP Peer Prefix Policy. If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

ℹ️ Check

Verify the BGP configuration for each tenant: Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy >> BGP Peer Prefix Policy. If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

✔️ Fix
Configure the router to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks as shown in the example below: For each BGP peer, navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy >> BGP Peer Prefix. Create a policy within the BGP configuration section, where <peer-ip> is the IP address of the BGP peer and <number of prefixes> is the desired maximum prefix limit to be set; the default maximum prefix limit is typically 20,000 prefixes.

✔️ Fix

Configure the router to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks as shown in the example below: For each BGP peer, navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy >> BGP Peer Prefix. Create a policy within the BGP configuration section, where <peer-ip> is the IP address of the BGP peer and <number of prefixes> is the desired maximum prefix limit to be set; the default maximum prefix limit is typically 20,000 prefixes.