Screen OS

  • 1.  Need to setup a Bogon list on an SSG-520

    Posted 02-03-2009 11:59
    I need to apply a bogon list to a SSG-520 and I need help.


  • 2.  RE: Need to setup a Bogon list on an SSG-520

    Posted 02-03-2009 15:50

    There are two strategies imho on how to do this.  One is to sinkhole (null route) the bogon list, or you can use a policy to block it.

     

    You can locate a bogon list ( plenty of examples on Google ), or use your own ( make sure you are careful here).

     

    Current IANA allocations.  You can see the allocated addressing here.

     

    Example CYMRU Bogon List

     

    The below example is based off of the CYMRU Bogon list.

    set route 1.0.0.0/8 int null
    set route 2.0.0.0/8 int null
    set route 5.0.0.0/8 int null
    set route 10.0.0.0/8 int null
    set route 14.0.0.0/8 int null
    set route 23.0.0.0/8 int null
    set route 27.0.0.0/8 int null
    set route 31.0.0.0/8 int null
    set route 36.0.0.0/8 int null
    set route 37.0.0.0/8 int null
    set route 39.0.0.0/8 int null
    set route 42.0.0.0/8 int null
    set route 46.0.0.0/8 int null
    set route 49.0.0.0/8 int null
    set route 50.0.0.0/8 int null
    set route 100.0.0.0/8 int null
    set route 101.0.0.0/8 int null
    set route 102.0.0.0/8 int null
    set route 103.0.0.0/8 int null
    set route 104.0.0.0/8 int null
    set route 105.0.0.0/8 int null
    set route 106.0.0.0/8 int null
    set route 107.0.0.0/8 int null
    set route 127.0.0.0/8 int null
    set route 169.254.0.0/16 int null
    set route 172.16.0.0/12 int null
    set route 175.0.0.0/8 int null
    set route 176.0.0.0/8 int null
    set route 177.0.0.0/8 int null
    set route 179.0.0.0/8 int null
    set route 180.0.0.0/8 int null
    set route 181.0.0.0/8 int null
    set route 182.0.0.0/8 int null
    set route 183.0.0.0/8 int null
    set route 185.0.0.0/8 int null
    set route 192.0.2.0/24 int null
    set route 192.168.0.0/16 int null
    set route 198.18.0.0/15 int null
    set route 223.0.0.0/8 int null
    set route 224.0.0.0/3 int null

     

    For option two, you would need to create address book entries for each of the networks,  create a group, and then create a drop policy with the group as the destination, and move it above your internet access policies. 

    **Note on the Bogon list:  From an interop standpoint with internal RFC 1918 addressing, some people may feel the need, based on legacy design, to advertise the same bit-length internal network summary route for an RFC 1918 address that you want to use in your bogon list.  This is probably a good place for a split virtual router setup, with your untrust zone being bound to your untrust-vr.  This way you can isolate your internal RFC 1918 addresses from your bogon assignments.  This should be thought of before you go into production, as changing virtual router assignments for your zone requires the unbinding of interfaces from that zone.  You have to back them out, change the zone's virtual router assignment, then re-add them.  It can be a lot of work depending on how much is bound to your untrust interfaces.  Now most allocations internally are more specific than your bogons, so the bogon null route shouldn't interfere and a single virtual router should suffice, but this is an option if you cannot overcome a design constraint.

     

    Message Edited by shadow on 02-03-2009 05:52 PM
    Message Edited by shadow on 02-03-2009 05:56 PM
    Message Edited by shadow on 02-03-2009 08:25 PM
    Message Edited by shadow on 02-03-2009 08:27 PM
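The note above about RFC 1918 summaries colliding with bogon null routes is exactly the kind of thing worth checking before pushing a list to a production SSG. The following Python script is an added example, not code from the post or from Juniper: it parses ScreenOS "set route ... int null" lines in the syntax shown above, compares each bogon against a constructed internal address plan, and reports whether longest-prefix matching saves you (internal route more specific), whether the two routes are identical (the conflict the note warns about), or whether the bogon is more specific and would blackhole part of an internal block. The bogon subset and the internal prefixes are constructed for the demo; the posted list is from 2009 and must be regenerated from a current source before use, since a static full-bogon list goes stale as IANA allocates space.

```python
import ipaddress
from typing import List, Tuple, Union

# ScreenOS null-route lines in the syntax used in the post above. This is a
# constructed subset for the demo; refresh the real list from a current
# source before applying anything to a firewall.
POSTED_NULL_ROUTES = """
set route 1.0.0.0/8 int null
set route 10.0.0.0/8 int null
set route 127.0.0.0/8 int null
set route 169.254.0.0/16 int null
set route 172.16.0.0/12 int null
set route 192.0.2.0/24 int null
set route 192.168.0.0/16 int null
set route 198.18.0.0/15 int null
set route 224.0.0.0/3 int null
"""

# Constructed internal address plan (hypothetical). The 198.16.0.0/14 entry
# is deliberately odd so the "bogon is more specific than my route" branch
# gets exercised.
INTERNAL_PREFIXES = [
    "10.0.0.0/8",        # summary of exactly the same bit length as the bogon
    "172.16.0.0/16",     # more specific than the 172.16.0.0/12 bogon
    "192.168.0.0/16",    # same length as the bogon again
    "198.16.0.0/14",     # contains the 198.18.0.0/15 bogon
    "203.0.113.0/24",    # unrelated to any bogon entry
]

NetLike = Union[str, ipaddress.IPv4Network]


def _net(value: NetLike) -> ipaddress.IPv4Network:
    """Accept either a string prefix or an already-built network object."""
    if isinstance(value, ipaddress.IPv4Network):
        return value
    return ipaddress.ip_network(value, strict=True)


def parse_screenos_routes(text: str) -> List[ipaddress.IPv4Network]:
    """Pull the prefixes out of 'set route <prefix> int null' lines."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 5 and parts[:2] == ["set", "route"]
                and parts[3:] == ["int", "null"]):
            nets.append(_net(parts[2]))
    return nets


def classify(bogon: NetLike, internal: NetLike) -> str:
    """How a null route for `bogon` interacts with a routed `internal` prefix.

    ScreenOS forwards on the longest matching prefix, so:
      conflict - identical prefixes: the null route and the real route collide
      shadowed - bogon is more specific, so it blackholes part of `internal`
      ok       - internal is more specific and wins longest-prefix match
      disjoint - no overlap at all
    """
    b, i = _net(bogon), _net(internal)
    if b == i:
        return "conflict"
    if b.subnet_of(i):
        return "shadowed"
    if i.subnet_of(b):
        return "ok"
    return "disjoint"


def check_overlaps(bogons, internals) -> List[Tuple[str, str, str]]:
    """Return every (bogon, internal, verdict) pair that is not disjoint."""
    findings = []
    for bogon in bogons:
        for internal in internals:
            verdict = classify(bogon, internal)
            if verdict != "disjoint":
                findings.append((str(_net(bogon)), str(_net(internal)), verdict))
    return findings


def render_null_routes(prefixes) -> List[str]:
    """Emit one ScreenOS null-route command per prefix, in the post's syntax."""
    return [f"set route {_net(p)} int null" for p in prefixes]


if __name__ == "__main__":
    bogons = parse_screenos_routes(POSTED_NULL_ROUTES)
    for bogon, internal, verdict in check_overlaps(bogons, INTERNAL_PREFIXES):
        print(f"{verdict:9s} bogon {bogon:18s} internal {internal}")
    print()
    print("\n".join(render_null_routes(bogons)))
```

Only "conflict" and "shadowed" findings need action before the list goes in; "ok" entries are the common case the note describes, where the more specific internal route wins and the null route is harmless. The same overlap check applies to the address-book-and-policy variant, where an internal block inside a denied group is just as silently dropped.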


  • 3.  RE: Need to setup a Bogon list on an SSG-520
    Best Answer

    Posted 02-04-2009 09:44

    thank you very much