The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

An XCCDF Rule

Description

<VulnDiscussion>Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-254015r844078_rule
Severity: Medium
References: CCI-001097
Updated: 17 days ago

Configure all eBGP routers to filter outbound route advertisements belonging to the IP core.

For example:
set policy-options prefix-list ip-core-ipv4 192.0.2.0/24
set policy-options prefix-list ip-core-ipv6 2001:db8:2::/64
set policy-options policy-statement advertise-bgp-prefix term exclude-ipv4-core from prefix-list ip-core-ipv4set policy-options policy-statement advertise-bgp-prefix term exclude-ipv4-core then reject
set policy-options policy-statement advertise-bgp-prefix term exclude-ipv6-core from prefix-list ip-core-ipv6
set policy-options policy-statement advertise-bgp-prefix term exclude-ipv6-core then reject
set policy-options policy-statement advertise-bgp-prefix term default then accept

set protocols bgp group eBGP type external
set protocols bgp group eBGP export advertise-bgp-prefix
set protocols bgp group eBGP neighbor 192.0.2.11 export advertise-bgp-prefix
set protocols bgp export advertise-bgp-prefix

The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Description

Remediation - Manual Procedure