
Documentation - V-272062

Cisco ACI Router Security Technical Implementation Guide

CAT II

Title

The BGP Cisco ACI must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Description

Accepting route advertisements for prefixes belonging to the local AS can result in traffic looping or being black holed, or at a minimum taking a nonoptimized path. For Cisco APIC, the default setting prevents such route loops from occurring. Sites are required to use different AS numbers when configuring. To prevent such a situation from occurring, sites must not enable the "BGP Autonomous System override" feature to override the default setting, and must not enable the "Disable Peer AS Che...

Fix Text (Documentation Requirement)

Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS. From the relevant BGP peer configuration, create a route-map to filter local AS prefixes. Apply the route-map to the inbound BGP policy. Within the inbound policy, add a prefix filter rule that explicitly rejects any routes with a prefix matching the local AS number.

1. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> Route Map for import and export route control.

2. Apply that route map to the external EPG in the following location: Tenants >> {{your_Tenant}} >> Networking >> L3Outs >> {{your_L3Outs}} >> External EPGs >> Policy >> General >> Route Control Profile.

Note: An alternative to route maps is to use subnets under the External EPG with the...
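As an added example (not part of the STIG text or Cisco's own tooling), the following Python audits an exported APIC configuration for BGP peer connectivity profiles that enable either of the two settings the discussion above forbids. It assumes the APIC JSON export layout (class-keyed objects with "attributes" and "children") and that the bgpPeerP "ctrl" attribute carries the flags as-override and dis-peer-as-check; the sample export is constructed.

```python
import json

# Constructed sample of an APIC configuration export (not real data):
# one tenant, one L3Out, two BGP peer profiles. Object class names and the
# "ctrl" flag values are assumptions about the APIC object model.
SAMPLE_EXPORT = {"imdata": [{"fvTenant": {
    "attributes": {"name": "ExampleTenant"},
    "children": [{"l3extOut": {
        "attributes": {"name": "ExampleL3Out"},
        "children": [
            {"bgpPeerP": {"attributes": {
                "dn": "uni/tn-ExampleTenant/out-ExampleL3Out/peerP-[192.0.2.1]",
                "addr": "192.0.2.1", "ctrl": ""}}},
            {"bgpPeerP": {"attributes": {
                "dn": "uni/tn-ExampleTenant/out-ExampleL3Out/peerP-[192.0.2.2]",
                "addr": "192.0.2.2", "ctrl": "as-override,dis-peer-as-check"}}},
        ]}}]}}]}

# Flags that override the default loop protection this requirement relies on.
FORBIDDEN = {
    "as-override": "BGP Autonomous System override enabled",
    "dis-peer-as-check": "Disable Peer AS Check enabled",
}


def iter_class(obj, cls):
    """Recursively yield the attribute dict of every object of class `cls`."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key == cls and isinstance(val, dict):
                yield val.get("attributes", {})
            else:
                yield from iter_class(val, cls)
    elif isinstance(obj, list):
        for item in obj:
            yield from iter_class(item, cls)


def audit_bgp_peers(export):
    """Return (dn, finding) pairs for every peer profile with a forbidden flag."""
    findings = []
    for attrs in iter_class(export, "bgpPeerP"):
        flags = {f.strip() for f in attrs.get("ctrl", "").split(",") if f.strip()}
        for flag in sorted(flags & set(FORBIDDEN)):
            findings.append((attrs.get("dn", attrs.get("addr", "?")), FORBIDDEN[flag]))
    return findings


if __name__ == "__main__":
    for dn, finding in audit_bgp_peers(SAMPLE_EXPORT):
        print(f"FINDING {dn}: {finding}")
```

Point `audit_bgp_peers` at `json.load(open("export.json"))` to run it against a real export; an empty result means no peer profile overrides the default peer AS check.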
