CUI

STIG Rule - V-272089

V-272089

SV-272089r1168408_rule

CAT III

The BGP Cisco ACI must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

From: Cisco ACI Router Security Technical Implementation Guide (V1R2)

Description

The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

Documentable: false

Check Procedure

Review the configuration of the RP to verify it is rate limiting the number of PIM register messages. Verify the L3Out option for Route Control Enforcement Import is checked. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Policy >> Main >> Route Control Enforcement. If the router is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.

Fix Text

Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer. Create a "match rule" within a "route profile" by specifying a prefix list, to be applied to the desired L3Out (external routed network) to filter BGP routes based on the prefixes defined in the list. The route profile is applied to a specific L3Out (external routed network) to control which prefixes are advertised or accepted from external networks. Refer to the L3Out documentation on setting up route maps or using the import controls on the external EPG subnets on this connection. Ensure that on the L3Out the option for Route Control Enforcement Import is checked: Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Policy >> Main >> Route Control Enforcement.
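The import policy this fix describes, modelled as a standalone check so the rule's intent can be tested against a batch of received advertisements (an added example; it is not part of the STIG or of Cisco ACI). The customer aggregates and the sample announcements are constructed from RFC 5737 documentation ranges, and the /24 ceiling is taken from the rule text.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example data: the aggregates this customer was issued. RFC 5737
# documentation ranges, not real assignments.
CUSTOMER_AGGREGATES = [
    ipaddress.ip_network("198.51.100.0/23"),  # customer issued a /23
    ipaddress.ip_network("203.0.113.0/24"),   # customer issued a /24
    ipaddress.ip_network("192.0.2.64/26"),    # customer issued a /26, more specific than /24
]
MAX_PREFIX_LEN = 24  # the /24 ceiling stated in the rule


def evaluate_advertisement(prefix: str, aggregates=CUSTOMER_AGGREGATES,
                           max_len: int = MAX_PREFIX_LEN) -> Tuple[bool, str]:
    """Decide whether one inbound advertisement passes the import filter.

    Accept only if the prefix lies inside an aggregate issued to the customer
    and is no longer than /max_len, or no longer than the issued aggregate
    itself when that aggregate is already more specific than /max_len.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # host bits set -> ValueError
    except ValueError:
        return False, "malformed prefix"
    parent = next((a for a in aggregates
                   if a.version == net.version and net.subnet_of(a)), None)
    if parent is None:
        return False, "outside every aggregate issued to the customer"
    allowed_len = max(max_len, parent.prefixlen)
    if net.prefixlen > allowed_len:
        return False, f"/{net.prefixlen} exceeds permitted /{allowed_len} (de-aggregation of {parent})"
    return True, f"within {parent}"


def filter_advertisements(prefixes: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a batch of advertisements into accepted prefixes and (prefix, reason) rejections."""
    accepted, rejected = [], []
    for p in prefixes:
        ok, reason = evaluate_advertisement(p)
        (accepted if ok else rejected).append(p if ok else (p, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of what a peer might announce, including a /23 split into /25s
    sample = ["198.51.100.0/24", "198.51.100.0/23", "198.51.100.0/25", "203.0.113.0/24",
              "203.0.113.128/25", "192.0.2.64/26", "192.0.2.64/27", "192.0.2.0/24", "203.0.113.5/24"]
    acc, rej = filter_advertisements(sample)
    print("accepted:", acc)
    for p, why in rej:
        print(f"rejected {p}: {why}")
```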

CCI Reference

CCI-002385
Created
2026-04-07 20:08:13
Last Updated
2026-04-07 20:08:13