Bogon IPv4 Ingress and Egress Filtering in Juniper

As mentioned in the previous post, bogon prefixes or routes should never appear in the Internet routing table. Network engineers should implement best practices in their network, including filtering of bogons, since bogon-sourced traffic may be used in DDoS attacks or spam. Refer to https://freenetworktutorials.com/ipv4-and-ipv6-bogon-address-list for more info.
The "martian"/bogon list may change occasionally, so at the very least make sure the private addresses listed in https://freenetworktutorials.com/ipv4-classful-and-reserved-addresses are filtered so they do not leak out into the Internet.

Here are sample steps and configuration. (This is the Juniper equivalent of the configuration in the post Bogon IPv4 Ingress and Egress Filtering in Cisco IOS-XR; the objective is the same, so you can compare the configuration commands.)

1. Create the Ingress and Egress ACL
Example list of Bogon IPs to filter:
0.0.0.0/8 “This” network
127.0.0.0/8 Loopback
169.254.0.0/16 Link local
192.0.2.0/24 TEST-NET-1
192.168.0.0/16 Private-use networks
224.0.0.0/4 Multicast
10.0.0.0/8 Private-use networks
172.16.0.0/12 Private-use networks

darwin@JUNIPER-re0>configure
Entering configuration mode
{master}[edit]
darwin@JUNIPER-re0#

A firewall filter's source-prefix-list must reference a prefix-list defined under policy-options (a route-filter-list is a routing-policy object and is not accepted by the firewall filter). A prefix-list entry matches any source address that falls inside the listed prefix, so no upto qualifier is needed. Note that 0.0.0.0/8 (the "this network" range from the list above) is used, not 0.0.0.0/0, which would match every address.

set policy-options prefix-list BOGONS 0.0.0.0/8
set policy-options prefix-list BOGONS 127.0.0.0/8
set policy-options prefix-list BOGONS 169.254.0.0/16
set policy-options prefix-list BOGONS 192.0.2.0/24
set policy-options prefix-list BOGONS 192.168.0.0/16
set policy-options prefix-list BOGONS 224.0.0.0/4
set policy-options prefix-list BOGONS 10.0.0.0/8
set policy-options prefix-list BOGONS 172.16.0.0/12

set firewall family inet filter ACL_IN term 1 from source-prefix-list BOGONS
set firewall family inet filter ACL_IN term 1 then reject
set firewall family inet filter ACL_IN term 2 then accept

Note: for the ingress ACL, the idea is to deny all bogons (plus any ports you want to block) and permit everything else.

Example: your own network prefix to advertise (111.111.111.0/24)

set policy-options prefix-list PREFIXES 111.111.111.0/24

set firewall family inet filter ACL_OUT term 1 from source-prefix-list BOGONS
set firewall family inet filter ACL_OUT term 1 then reject
set firewall family inet filter ACL_OUT term 2 from source-prefix-list PREFIXES
set firewall family inet filter ACL_OUT term 2 then accept
set firewall family inet filter ACL_OUT term 3 then reject

Note: for the egress ACL, the idea is to deny all bogons (plus any ports you want to block), allow traffic sourced from your own networks, i.e. the prefixes you advertise to your BGP peers (e.g. 111.111.111.0/24), and deny everything else.

2. Apply the ACL

set interfaces ae0 unit 0 family inet filter input ACL_IN
set interfaces ae0 unit 0 family inet filter output ACL_OUT

3. Verify (after commit):

show firewall family inet filter ACL_IN
show firewall family inet filter ACL_OUT
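To sanity-check the first-match logic of ACL_IN and ACL_OUT offline before committing, here is an added Python example (not from the post or from Juniper) that models the two filters' terms and the prefix-list containment match. The prefixes are the ones listed above; the sample source addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Prefix lists from the post (constructed here to mirror the set commands above)
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "192.168.0.0/16", "224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12")]
PREFIXES = [ipaddress.ip_network("111.111.111.0/24")]  # own advertised prefix


@dataclass
class Term:
    """One firewall filter term: optional source-prefix-list match plus an action."""
    name: str
    action: str                                  # "accept" or "reject"
    source_prefix_list: Optional[List[ipaddress.IPv4Network]] = None  # None = match any


def in_prefix_list(src: str, plist: List[ipaddress.IPv4Network]) -> bool:
    """A prefix-list matches when the address falls inside any listed prefix."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in plist)


def evaluate(terms: List[Term], src: str) -> str:
    """Junos filters are first-match; a packet matching no term hits the implicit discard."""
    for term in terms:
        if term.source_prefix_list is None or in_prefix_list(src, term.source_prefix_list):
            return term.action
    return "discard"


# The two filters exactly as configured on the page
ACL_IN = [Term("1", "reject", BOGONS), Term("2", "accept")]
ACL_OUT = [Term("1", "reject", BOGONS), Term("2", "accept", PREFIXES), Term("3", "reject")]


def verdicts() -> Dict[Tuple[str, str], str]:
    """Constructed sample sources: (direction, source address) -> resulting action."""
    samples = [("in", "10.1.2.3"), ("in", "0.0.0.1"), ("in", "8.8.8.8"),
               ("out", "111.111.111.5"), ("out", "192.168.1.1"), ("out", "198.51.100.7")]
    return {(d, s): evaluate(ACL_IN if d == "in" else ACL_OUT, s) for d, s in samples}


if __name__ == "__main__":
    for (direction, src), action in verdicts().items():
        print(f"{direction:3} {src:16} -> {action}")
```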
