[j-nsp] routing engine protection (rate-limiting ARP
traffic,policing by pps, best-practises guidelines) on JunOS
Kisito Nguene Ndoum
kisito at juniper.net
Sun Jan 22 06:50:35 EST 2006
For the best practices, you can use this "JUNOS Router Security"
application note as a good starting point,
to protect your M-series routers :
http://www.juniper.net/solutions/literature/app_note/350013.pdf
- Kisito
At 12:40 PM 1/22/2006, Richard A Steenbergen wrote:
>On Sun, Jan 22, 2006 at 11:10:54AM +0100, Johannes Resch wrote:
> > Greetings!
> >
> > I'm currently building a control-plane filter for M-series routers and
> > I'd like to police the maximum ARP traffic allowed to the RE, in case
> > Something Bad (tm) happens on connected ethernet networks.
> >
> > How can this be achieved with JunOS 7.4? I was unable to find a way to
> > match ARP traffic in a firewall filter term.
> > (In cisco CoPP I can specify "match protocol arp" for this)
>
>It's built in, though you can change it if needed.
>
><https://puck.nether.net/pipermail/juniper-nsp/2004-March/002169.html>https://puck.nether.net/pipermail/juniper-nsp/2004-March/002169.html
>
>I don't think there is any way to police arp for the entire box, only the
>per-interface policers.
>
> > Regarding the same subject (control plane protection): is it possible to
> > police traffic based on packet/sec counters instead of bw only?
> > This would also come handy for RE protection - I'd rather have ICMP
> > traffic policed by pps than bandwidth, for example.
>
>Nope, all you've got is:
>
> bandwidth-limit Bandwidth limit (32000..40000000000 bits per second)
> bandwidth-percent Bandwidth limit in percentage (1..100 percent)
>
> > If somebody knows any documentation or best-practices guidelines
> > regarding how to efficiently do RE protection on JunOS, I'd be grateful
> > for pointers.
>
>Probably the biggest thing you want to know if you're used to dealing with
>CoPP is that Juniper can reference existing prefix-lists and use them in
>a firewall statement. This is a huge win for managing things like
>administrative access to the router, bogon filters, infrastructure routes,
>etc, all from one place (to be used in multiple firewalls and policy
>statements).
>
>Which of course leads to this one neat trick that Cisco can't do: :P
>
>policy-options {
> prefix-list bgp-neighbors {
> apply-path "protocols bgp group <*> neighbor <*>";
> }
>}
>firewall {
> filter control-plane {
> ....
> term allow-configured-bgp-neighbors-only {
> from {
> source-prefix-list {
> bgp-neighbors;
> }
> protocol tcp;
> port 179;
> }
> then blah blah blah;
> }
> ....
> }
>}
>
>--
>Richard A Steenbergen
><ras at e-gerbil.net>
><http://www.e-gerbil.net/ras>http://www.e-gerbil.net/ras
>GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>_______________________________________________
>juniper-nsp mailing list juniper-nsp at puck.nether.net
><http://puck.nether.net/mailman/listinfo/juniper-nsp>http://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list