[j-nsp] routing engine protection (rate-limiting ARP traffic, policing by pps, best-practices guidelines) on JunOS

Richard A Steenbergen ras at e-gerbil.net
Sun Jan 22 06:40:53 EST 2006


On Sun, Jan 22, 2006 at 11:10:54AM +0100, Johannes Resch wrote:
> Greetings!
> 
> I'm currently building a control-plane filter for M-series routers and
> I'd like to police the maximum ARP traffic allowed to the RE, in case
> Something Bad (tm) happens on connected ethernet networks.
> 
> How can this be achieved with JunOS 7.4? I was unable to find a way to
> match ARP traffic in a firewall filter term.
> (In cisco CoPP I can specify "match protocol arp" for this)

It's built in, though you can change it if needed.

https://puck.nether.net/pipermail/juniper-nsp/2004-March/002169.html

I don't think there is any way to police arp for the entire box, only the 
per-interface policers.

> Regarding the same subject (control plane protection): is it possible to
> police traffic based on packet/sec counters instead of bw only?
> This would also come handy for RE protection - I'd rather have ICMP
> traffic policed by pps than bandwidth, for example.

Nope, all you've got is:

  bandwidth-limit      Bandwidth limit (32000..40000000000 bits per second)
  bandwidth-percent    Bandwidth limit in percentage (1..100 percent)

> If somebody knows any documentation or best-practices guidelines
> regarding how to efficiently do RE protection on JunOS, I'd be grateful
> for pointers.

Probably the biggest thing you want to know if you're used to dealing with 
CoPP is that Juniper can reference existing prefix-lists and use them in 
a firewall statement. This is a huge win for managing things like 
administrative access to the router, bogon filters, infrastructure routes, 
etc, all from one place (to be used in multiple firewalls and policy 
statements).

Which of course leads to this one neat trick that Cisco can't do: :P

policy-options {
    prefix-list bgp-neighbors {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    filter control-plane {
        ....
        term allow-configured-bgp-neighbors-only {
            from {
                source-prefix-list {
                    bgp-neighbors;
                }
                protocol tcp;
                port 179;
            }
            then blah blah blah;
        }
        ....
    }
}

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
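The following is an added example, not part of the original post, showing the complete shape of a control-plane filter built along the lines Richard describes: the apply-path prefix-list for BGP neighbors, a bandwidth-based policer for ICMP (since the post notes there is no pps policer), a per-interface ARP policer, and the filter applied to lo0. The interface name ge-0/0/0, the management prefixes, addresses (RFC 5737 documentation ranges) and policer rates are illustrative assumptions, not values from the post.

```junos
policy-options {
    /* Added example: the allow-list is generated from the BGP configuration,
       so a neighbor added under [protocols bgp] is permitted automatically. */
    prefix-list bgp-neighbors {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    /* Management sources have no apply-path equivalent; listed statically
       (assumed documentation-range prefixes). */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
        198.51.100.10/32;
    }
}
firewall {
    policer icmp-policer {
        /* Bit-rate policer: no pps-based policing is available, so limit
           by bandwidth with a small burst instead (assumed values). */
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer arp-policer {
        /* ARP cannot be matched in the lo0 filter; this policer is applied
           per interface under family inet below (assumed values). */
        if-exceeding {
            bandwidth-limit 100k;
            burst-size-limit 10k;
        }
        then discard;
    }
    filter control-plane {
        term allow-configured-bgp-neighbors-only {
            from {
                source-prefix-list {
                    bgp-neighbors;
                }
                protocol tcp;
                port 179;
            }
            then accept;
        }
        term allow-mgmt-ssh {
            from {
                source-prefix-list {
                    mgmt-hosts;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term police-icmp {
            from {
                protocol icmp;
            }
            then {
                policer icmp-policer;
                accept;
            }
        }
        term deny-rest {
            /* Anything not explicitly allowed is counted, logged and dropped. */
            then {
                count control-plane-denied;
                log;
                discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Traffic destined to the RE is evaluated by the lo0 input filter. */
                filter {
                    input control-plane;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Override the built-in per-interface ARP policer (assumed interface). */
                policer {
                    arp arp-policer;
                }
                address 203.0.113.1/24;
            }
        }
    }
}
```

Before committing a filter like this, add terms for every other protocol the box actually speaks to its neighbors (OSPF, IS-IS, LDP, VRRP, NTP, DNS, and so on), because the final deny-rest term discards them otherwise; use `commit confirmed` so a mistake does not lock you out of the RE.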