The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

An XCCDF Rule

Description

Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized path.

ID: SV-217054r604135_rule
Version: JUNI-RT-000490
Severity: Medium
References: CCI-001368
Updated: about 2 months ago

Remediation Templates

Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS.

Configure a prefix list containing prefixes belonging to the local autonomous system.

[edit policy-options]
set prefix-list OUR_PREFIXES x.x.x.x/16
Configure a policy-statement to reject prefixes belonging to the local autonomous system. This can be done by adding a term to the existing policy to filter Bogons as shown in the example below.

[edit policy-options policy-statement FILTER_ROUTES]
set term REJECT_OUR_PREFIXES from prefix-list OUR_PREFIXES
set term REJECT_OUR_PREFIXES then reject
insert term REJECT_OUR_PREFIXES before term ACCEPT_OTHER

Note: There is no need change the BGP configuration assuming the import statement is already configured for all external neighbors.

The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Description

Remediation Templates

A Manual Procedure