The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

An XCCDF Rule

Description

Accepting route advertisements belonging to the local AS can result in traffic looping, being black holed, or at a minimum using a nonoptimized path.

ID: SV-253975r843958_rule
Version: JUEX-RT-000030
Severity: Medium
References: CCI-001368
Updated: 4 days ago

Remediation Templates

Ensure all eBGP routers are configured to reject inbound route advertisements for any prefixes belonging to the local AS.

set policy-options route-filter-list local-routes 192.0.2.0/24 orlonger
set policy-options route-filter-list local-routes 192.0.3.0/24 orlonger
set policy-options route-filter-list local-routes-ipv6 2001:db8:2::/64 orlonger
set policy-options route-filter-list local-routes-ipv6 2001:db8:3::/64 orlonger
set policy-options policy-statement bgp-discard term 1 from route-filter-list bogon
set policy-options policy-statement bgp-discard term 1 from route-filter-list bogon-ipv6
set policy-options policy-statement bgp-discard term 1 then reject
set policy-options policy-statement bgp-discard term 2 from route-filter-list local-routes
set policy-options policy-statement bgp-discard term 2 from route-filter-list local-routes-ipv6
set policy-options policy-statement bgp-discard term 2 then reject
set policy-options policy-statement bgp-discard term 3 from protocol ospf
set policy-options policy-statement bgp-discard term 3 from protocol direct
set policy-options policy-statement bgp-discard term 3 then reject

set protocols bgp group eBGP import bgp-discard
set protocols bgp group eBGP neighbor 192.0.2.2 import bgp-discard
set protocols bgp import bgp-discard

The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Description

Remediation Templates

A Manual Procedure