The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

An XCCDF Rule

Description

Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.

ID: SV-254015r844078_rule
Version: JUEX-RT-000430
Severity: Medium
References: CCI-001097
Updated: 5 days ago

Remediation Templates

Configure all eBGP routers to filter outbound route advertisements belonging to the IP core.

For example:
set policy-options prefix-list ip-core-ipv4 192.0.2.0/24
set policy-options prefix-list ip-core-ipv6 2001:db8:2::/64
set policy-options policy-statement advertise-bgp-prefix term exclude-ipv4-core from prefix-list ip-core-ipv4set policy-options policy-statement advertise-bgp-prefix term exclude-ipv4-core then reject
set policy-options policy-statement advertise-bgp-prefix term exclude-ipv6-core from prefix-list ip-core-ipv6
set policy-options policy-statement advertise-bgp-prefix term exclude-ipv6-core then reject
set policy-options policy-statement advertise-bgp-prefix term default then accept

set protocols bgp group eBGP type external
set protocols bgp group eBGP export advertise-bgp-prefix
set protocols bgp group eBGP neighbor 192.0.2.11 export advertise-bgp-prefix
set protocols bgp export advertise-bgp-prefix

The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Description

Remediation Templates

A Manual Procedure