The RUCKUS ICX BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-273610 | SRG-NET-000205-RTR-000006 | RCKS-RTR-000430 | SV-273610r1110922_rule | 2025-06-03 | 1 |
| Description |
|---|
| Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path. |
| ℹ️ Check |
|---|
| Review the router configuration to verify there is a filter defined to block route advertisements for prefixes that belong to the IP core. 1. Verify a prefix-list has been configured containing prefixes belonging to the IP core. ip prefix-list FILTER_CORE_PREFIXES seq 10 deny x.1.1.0/24 le 32 ip prefix-list FILTER_CORE_PREFIXES seq 20 deny x.1.2.0/24 le 32 ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8 2. Verify the prefix-list has been applied to all external BGP peers as shown in the example below: router bgp local-as xxxx neighbor x.0.0.1 remote-as yy neighbor x.0.0.1 ao mykeychain address-family ipv4 unicast neighbor x.0.0.1 prefix-list FILTER_CORE_PREFIXES out If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding. |
| ✔️ Fix |
|---|
| Configure all eBGP routers to filter outbound route advertisements belonging to the IP core. 1. Configure a prefix-list for containing all customer and local AS prefixes as shown in the example below: ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 10 deny x.1.1.0/24 le 32 ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 20 deny x.1.2.0/24 le 32 ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8 2. Apply the prefix-list filter outbound to each neighbor as shown in the following example: ICX(config)#router bgp ICX(config-bgp-router)#neighbor x.0.0.1 prefix-list FILTER_CORE_PREFIXES out |