Simple Control-Plane Protection

To protect your control plane (the routing engine) you can define a stateless firewall filter that filters traffic on source/destination IP addresses, protocols and ports. Allow only the protocols the router really needs, and specify the match conditions as precisely as possible.

The example input filter below allows the following protocols:

Term                    Protocol                                   Action
management-accept       Telnet and SSH                             count and accept
tacacs-accept           TACACS+                                    count and accept
icmp-accept             ICMP Ping and Traceroute                   count and accept
traceroute-accept       Traceroute via UDP                         count and accept
bgp-accept              BGP                                        count and accept
ospf-accept             OSPF                                       count and accept
ldp-udp-hello-accept    LDP Hello via UDP                          count and accept
ldp-tcp-session-accept  LDP Session (database exchange via TCP)    count and accept
deny-all                -                                          log, syslog, discard and count

Keep in mind: you cannot create a firewall filter for family iso, so protocols like IS-IS or ES-IS cannot be filtered this way.

The following configuration shows such a filter for family inet (IPv4); the same structure can also be used for family inet6 (IPv6).

firewall {
    family inet {
        filter protect-re {
            term management-accept {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count management-accept;
                    accept;
                }
            }
            term tacacs-accept {
                from {
                    protocol tcp;
                    source-port tacacs;
                }
                then {
                    count tacacs-accept;
                    accept;
                }
            }
            term icmp-accept {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    count icmp-accept;
                    accept;
                }
            }
            term traceroute-accept {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    count traceroute-accept;
                    accept;
                }
            }
            term bgp-accept {
                from {
                    protocol tcp;
                    port bgp;
                }
                then {
                    count bgp-accept;
                    accept;
                }
            }
            term ospf-accept {
                from {
                    protocol ospf;
                }
                then {
                    count ospf-accept;
                    accept;
                }
            }
            term ldp-udp-hello-accept {
                from {
                    protocol udp;
                    destination-port ldp;
                }
                then {
                    count ldp-udp-hello-accept;
                    accept;
                }
            }
            term ldp-tcp-session-accept {
                from {
                    protocol tcp;
                    port ldp;
                }
                then {
                    count ldp-tcp-session-accept;
                    accept;
                }
            }
            term deny-all {
                then {
                    count denied-packets;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}

It must be applied to interface lo0.0 in the input direction:

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 1.1.1.1/32;
            }
        }
    }
}
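Junos evaluates the terms of a filter in configured order and applies the first match, so the order of the terms above and the difference between "port", "source-port" and "destination-port" decide what reaches the routing engine. The following script is an added example, not configuration or code from the original post: it re-expresses the terms of protect-re as Python data and evaluates a few constructed sample packets against them, so you can see which term each packet hits and what falls through to deny-all (for instance the PIM hellos that show up in the firewall log below). Port and protocol numbers are the IANA assignments Junos resolves the names to; the packet tuples are constructed, not captured traffic.

```python
"""First-match model of the protect-re filter (added example, not the post's own code)."""
from dataclasses import dataclass, field
from typing import Optional

# Named ports as Junos resolves them (IANA assignments).
PORTS = {"ssh": 22, "telnet": 23, "tacacs": 49, "bgp": 179, "ldp": 646}
# ICMP type names used by the icmp-accept term, mapped to type numbers.
ICMP_TYPES = {"echo-request": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
# Protocol numbers for the 'protocol' match condition.
PROTOS = {"icmp": 1, "tcp": 6, "udp": 17, "ospf": 89, "pim": 103}


@dataclass(frozen=True)
class Packet:
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Term:
    name: str
    protocol: Optional[str] = None
    source_port: set = field(default_factory=set)
    destination_port: set = field(default_factory=set)
    port: set = field(default_factory=set)      # 'port' matches either direction
    icmp_type: set = field(default_factory=set)
    action: str = "accept"

    def matches(self, pkt: Packet) -> bool:
        # A term without any 'from' condition (deny-all) matches everything.
        if self.protocol and pkt.proto != PROTOS[self.protocol]:
            return False
        if self.source_port and pkt.src_port not in self.source_port:
            return False
        if self.destination_port and pkt.dst_port not in self.destination_port:
            return False
        if self.port and pkt.src_port not in self.port and pkt.dst_port not in self.port:
            return False
        if self.icmp_type and pkt.icmp_type not in self.icmp_type:
            return False
        return True


def ports(*items):
    """Expand port names and 'lo-hi' ranges into a set of port numbers."""
    out = set()
    for item in items:
        if isinstance(item, str) and "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
            out.update(range(lo, hi + 1))
        else:
            out.add(PORTS.get(item, item))
    return out


# The terms of 'filter protect-re', in configured order.
PROTECT_RE = [
    Term("management-accept", "tcp", destination_port=ports("ssh", "telnet")),
    Term("tacacs-accept", "tcp", source_port=ports("tacacs")),
    Term("icmp-accept", "icmp", icmp_type=set(ICMP_TYPES.values())),
    Term("traceroute-accept", "udp", destination_port=ports("33434-33534")),
    Term("bgp-accept", "tcp", port=ports("bgp")),
    Term("ospf-accept", "ospf"),
    Term("ldp-udp-hello-accept", "udp", destination_port=ports("ldp")),
    Term("ldp-tcp-session-accept", "tcp", port=ports("ldp")),
    Term("deny-all", action="discard"),
]


def evaluate(pkt: Packet, terms=PROTECT_RE):
    """Return (term name, action) of the first matching term, as Junos does."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    raise AssertionError("filter has no catch-all term")


if __name__ == "__main__":
    samples = {                                   # constructed sample packets
        "ssh to RE": Packet(PROTOS["tcp"], 51000, 22),
        "tacacs reply": Packet(PROTOS["tcp"], 49, 51001),
        "tacacs to RE": Packet(PROTOS["tcp"], 51002, 49),
        "bgp from peer": Packet(PROTOS["tcp"], 49152, 179),
        "pim hello": Packet(PROTOS["pim"]),
        "icmp redirect": Packet(PROTOS["icmp"], icmp_type=5),
    }
    for label, pkt in samples.items():
        print(f"{label:14s} -> {evaluate(pkt)}")
```

Two things the run makes visible: tacacs-accept matches on source-port, so only replies from the TACACS+ server (which the router contacted itself) are accepted, while a connection towards port 49 on the routing engine is discarded; and anything without a term of its own, PIM included, ends in deny-all, which is exactly what the log output further down shows.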

You can verify the filter counters with “show firewall filter protect-re”. If some adjacencies or neighborships don’t come up, take a closer look at the firewall log, which records every packet discarded by the “term deny-all”:

admin@ROUTER> show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
13:47:08  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:05  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:02  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
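On a busy router the log fills quickly with repeats of the same flow, so it helps to aggregate it before deciding which term is missing. The script below is an added example (not from the original post): it parses the column layout of the “show firewall log” output shown above and counts the discarded packets per protocol, interface, source and destination. The three PIM lines are the ones from the post; the UDP and TCP lines are constructed and assume the “address:port” form Junos uses for TCP/UDP entries.

```python
"""Aggregate discarded flows from 'show firewall log' (added example, not the post's own code)."""
from collections import Counter

# Constructed sample: PIM lines copied from the post, UDP/TCP lines made up for the example.
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
13:47:08  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:05  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:02  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:46:59  pfe       D      xe-1/3/0.11   UDP             192.0.2.50:123                   192.0.2.1:123
13:46:55  pfe       D      xe-1/3/0.11   UDP             192.0.2.50:123                   192.0.2.1:123
13:46:40  pfe       A      xe-1/3/0.11   TCP             192.0.2.20:51234                 192.0.2.1:22
"""


def split_addr(token):
    """Return (address, port) from 'ip' or 'ip:port'; port is None when absent."""
    # Exactly one colon means IPv4 with a port; IPv6 literals contain more colons.
    if token.count(":") == 1:
        ip, port = token.rsplit(":", 1)
        return ip, int(port)
    return token, None


def parse_firewall_log(text):
    """Turn the fixed-column log output into a list of dicts, one per logged packet."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have seven whitespace-separated fields starting with HH:MM:SS;
        # the header ('Src Addr', 'Dest Addr') has nine and 'Log :' has two.
        if len(fields) != 7 or len(fields[0]) != 8 or fields[0].count(":") != 2:
            continue
        time, flt, action, ifc, proto, src, dst = fields
        src_ip, src_port = split_addr(src)
        dst_ip, dst_port = split_addr(dst)
        entries.append({
            "time": time, "filter": flt, "action": action, "interface": ifc,
            "protocol": proto, "src": src_ip, "src_port": src_port,
            "dst": dst_ip, "dst_port": dst_port,
        })
    return entries


def discarded_flows(entries):
    """Count discarded ('D') packets per (protocol, interface, src, dst, dst_port)."""
    counts = Counter()
    for e in entries:
        if e["action"] != "D":
            continue
        counts[(e["protocol"], e["interface"], e["src"], e["dst"], e["dst_port"])] += 1
    return counts


if __name__ == "__main__":
    flows = discarded_flows(parse_firewall_log(SAMPLE_LOG))
    for (proto, ifc, src, dst, dport), n in flows.most_common():
        port = f" dport {dport}" if dport is not None else ""
        print(f"{n:4d} x {proto:<5s} on {ifc}  {src} -> {dst}{port}")
```

The summary for the sample lists 3 x PIM towards 224.0.0.13 and 2 x UDP towards port 123, which tells you directly which protocols still need an accept term (or are unwanted and should stay discarded); the accepted TCP line is parsed but left out of the count.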
