The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

An XCCDF Rule

Description

Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.

ID: SV-217057r604135_rule
Version: JUNI-RT-000520
Severity: Medium
References: CCI-001097
Updated: about 2 months ago

Remediation Templates

Configure the router to filter outbound route advertisements belonging to the IP core.

Configure a prefix list containing prefixes belonging to the IP core.

[edit policy-options]
set prefix-list CORE_PREFIX x.x.x.x/16
Configure a policy-statement to filter BGP route advertisements that will exclude core prefixes.

[edit policy-options]
set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE from prefix-list CORE_PREFIX
set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE then reject
set policy-statement BGP_ADVERTISE_POLICY term INCLUDE_OTHER then accept

Configure an export statement referencing the advertise policy on all external BGP peer groups as shown in the example below.

[edit protocols bgp group GROUP_AS4]
set export BGP_ADVERTISE_POLICY

The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Description

Remediation Templates

A Manual Procedure