[j-nsp] routing engine protection (rate-limiting ARP traffic,policing by pps, best-practises guidelines) on JunOS

Kisito Nguene Ndoum kisito at juniper.net
Sun Jan 22 06:50:35 EST 2006 

For the best practices, you can use this "JUNOS Router Security" 
application note as a good starting point,
to protect your M-series routers  :
http://www.juniper.net/solutions/literature/app_note/350013.pdf

- Kisito

At 12:40 PM 1/22/2006, Richard A Steenbergen wrote:

>On Sun, Jan 22, 2006 at 11:10:54AM +0100, Johannes Resch wrote:
> > Greetings!
> >
> > I'm currently building a control-plane filter for M-series routers and
> > I'd like to police the maximum ARP traffic allowed to the RE, in case
> > Something Bad (tm) happens on connected ethernet networks.
> >
> > How can this be achieved with JunOS 7.4? I was unable to find a way to
> > match ARP traffic in a firewall filter term.
> > (In cisco CoPP I can specify "match protocol arp" for this)
>
>It's built in, though you can change it if needed.
>
><https://puck.nether.net/pipermail/juniper-nsp/2004-March/002169.html>https://puck.nether.net/pipermail/juniper-nsp/2004-March/002169.html
>
>I don't think there is any way to police arp for the entire box, only the
>per-interface policers.
>
> > Regarding the same subject (control plane protection): is it possible to
> > police traffic based on packet/sec counters instead of bw only?
> > This would also come handy for RE protection - I'd rather have ICMP
> > traffic policed by pps than bandwidth, for example.
>
>Nope, all you've got is:
>
>   bandwidth-limit      Bandwidth limit (32000..40000000000 bits per second)
>   bandwidth-percent    Bandwidth limit in percentage (1..100 percent)
>
> > If somebody knows any documentation or best-practices guidelines
> > regarding how to efficiently do RE protection on JunOS, I'd be grateful
> > for pointers.
>
>Probably the biggest thing you want to know if you're used to dealing with
>CoPP is that Juniper can reference existing prefix-lists and use them in
>a firewall statement. This is a huge win for managing things like
>administrative access to the router, bogon filters, infrastructure routes,
>etc, all from one place (to be used in multiple firewalls and policy
>statements).
>
>Which of course leads to this one neat trick that Cisco can't do: :P
>
>policy-options {
>     prefix-list bgp-neighbors {
>         apply-path "protocols bgp group <*> neighbor <*>";
>     }
>}
>firewall {
>     filter control-plane {
>         ....
>         term allow-configured-bgp-neighbors-only {
>             from {
>                 source-prefix-list {
>                     bgp-neighbors;
>                 }
>                 protocol tcp;
>                 port 179;
>             }
>             then blah blah blah;
>         }
>         ....
>     }
>}
>
>--
>Richard A Steenbergen 
><ras at e-gerbil.net> 
><http://www.e-gerbil.net/ras>http://www.e-gerbil.net/ras
>GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>_______________________________________________
>juniper-nsp mailing list juniper-nsp at puck.nether.net
><http://puck.nether.net/mailman/listinfo/juniper-nsp>http://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list