Rate-Limiting Traffic Flow to the Routing Engine

Problem

You need to ensure the availability of the Routing Engine during times of heavy traffic.

Solution

Configure policers to use with the firewall filter that you apply to the Routing Engine. First, create policers for control and low-priority traffic. The first policer is for SSH connections to the Routing Engine:

	[edit firewall]
	aviva@RouterF# set policer ssh if-exceeding bandwidth-limit 1m
	aviva@RouterF# set policer ssh if-exceeding burst-size-limit 100k
	aviva@RouterF# set policer ssh then discard

Two additional policers limit ICMP and TCP traffic:

	[edit firewall]
	aviva@RouterF# set policer icmp if-exceeding bandwidth-limit 1m
	aviva@RouterF# set policer icmp if-exceeding burst-size-limit 100k
	aviva@RouterF# set policer icmp then discard
	aviva@RouterF# set policer tcp if-exceeding bandwidth-limit 1m
	aviva@RouterF# set policer tcp if-exceeding burst-size-limit 100k
	aviva@RouterF# set policer tcp then discard

A final policer affects various background applications, including SNMP, NTP, and RADIUS:

	[edit firewall]
	aviva@RouterF# set policer utility if-exceeding bandwidth-limit 3m
	aviva@RouterF# set policer utility if-exceeding burst-size-limit 300k
	aviva@RouterF# set policer utility then discard

Then, apply the policers in the then clause of the firewall terms that affect TCP, SSH, ICMP, SNMP, NTP, and RADIUS packets:

	[edit firewall filter protect-RE2 ]
	aviva@RouterF# set term tcp from source-prefix-list ssh-prefixes 
	aviva@RouterF# set term tcp from source-prefix-list bgp-prefixes 
	aviva@RouterF# set term tcp from protocol tcp 
	aviva@RouterF# set term tcp from tcp-flags "(syn & !ack) | fin | rst" 
	aviva@RouterF# set term tcp then policer tcp 
	aviva@RouterF# set term tcp then accept 
	aviva@RouterF# set term ssh from prefix-list ssh-prefixes 
	aviva@RouterF# set term ssh from protocol tcp 
	aviva@RouterF# set term ssh from destination-port ssh 
	aviva@RouterF# set term ssh then policer ssh 
	aviva@RouterF# set term ssh then accept 
	aviva@RouterF# set term utility from source-prefix-list utility-prefixes 
	aviva@RouterF# set term utility from protocol udp 
	aviva@RouterF# set term utility from port [ snmp ntp radius ] 
	aviva@RouterF# set term utility then policer utility 

	aviva@RouterF# set term utility then accept 
	aviva@RouterF# set term icmp from protocol icmp 
	aviva@RouterF# set term icmp from icmp-type [ echo-request echo-reply 
unreachable time-exceeded source-quench ] 
	aviva@RouterF# set term icmp then policer icmp 
	aviva@RouterF# set term icmp then accept 

A final term in the filter counts and discards all remaining traffic:

	[edit firewall filter protect-RE2 ]
	aviva@RouterF# set term final-term then count discarded-packets 
	aviva@RouterF# set term final-term then discard 

To have the filter take effect, apply it to the router's lo0 interface:

	[edit interfaces]
	aviva@RouterF# set lo0 unit 0 family inet filter input protect-RE2

 

Discussion

It is considered good practice to apply policers to Routing Engine firewall filter terms to keep unwanted traffic and possible attacks from overwhelming the routing-protocol software, which runs on the Routing Engine. You want to police control traffic and traffic that is not time-dependent and you don't want to police critical traffic, such as BGP protocol exchanges. This section provides a second example of a Routing Engine firewall filter that includes policers. It is based on a JUNOS secure template publicly available from Team Cymru at http://www.cymru.com.

First, create policers for control and low-priority traffic. The first policer, configured with the set policer ssh commands, discards all SSH traffic when the bandwidth exceeds 1 MB or when the traffic burst size is greater than 100 Kbps. The second and third policers provide similar limits for ICMP and TCP traffic.

The terms of the first three policers are the same, so you might wonder why you should bother creating separate policers. You could use just one, which is fine if you know that you will always want to use the same bandwidth and burst-size limits for these three types of traffic. However, if you think you might need to tweak the policers individually, this will be easier to do if you create separate policers initially. When you change the values, you will just need to reconfigure the policer. Otherwise, you will have to reconfigure both the policer and the firewall term in which the policer is used.

The last policer in this recipe, configured with the set policer utility commands, is for background applications, including SNMP, NTP, and RADIUS. This policer drops traffic when the bandwidth is greater than 3 MB or a traffic burst exceeds 300 Kbps.

You then apply the policers in the then clause of the firewall terms. You need a term for each type of traffic. The first term, configured with the set term tcp commands, accepts TCP control traffic only from trusted sources and rate-limits this traffic. The first two commands match prefix lists defined in the [edit policy] section of the configuration. As with the routing-policy prefix lists, you use these to keep a single list of IP addresses in one place in the configuration. The ssh-prefixes list has all the SSH servers in your network, and the bgp-prefixes list has all your BGP peers. The last from clause command matches bits found in TCP control traffic. The first option, (syn & !ack), matches TCP synchronize packets that are being used to establish connections. For connections that are already established and operating normally, these packets also have the ACK bit set, so we exclude these packets from the policer limits. The RST option is present in packets resetting a TCP session, and FIN indicates that a session has closed and there is no more data from the sender. You must enclose the bits in quotation marks so the CLI interprets them correctly. The final two commands in this term configure the action. The first command applies the tcp policer, and the second accepts the packets.

After the tcp term, you should add the following filter term to accept BGP traffic from trusted sources:

	[edit firewall filter protect-RE2 ]
	aviva@RouterF# set term bgp from source-prefix-list bgp-prefixes 
	aviva@RouterF# set term bgp from protocol tcp 
	aviva@RouterF# set term bgp from port bgp 
	aviva@RouterF# set term bgp then accept 

The first three commands match packets from a prefix list configured in the [edit policy] section that lists the router's BGP peers, and this traffic is TCP protocol traffic sent from the BGP port. The then clause accepts these packets. You don't rate-limit BGP traffic, because it must be received and handled by the Routing Engine.

The ssh, utility, and icmp terms in the filter are similar, accepting and rate-limiting SSH, SNMP, NTP, RADIUS, and ICMP packets. The last term, final-term, counts and discards all remaining traffic.

Finally, to have the filter take effect, apply it to the lo0 interface.


Router Configuration and File Management

Basic Router Security and Access Control

IPSec

SNMP

Logging

NTP

Router Interfaces

IP Routing

Routing Policy and Firewall Filters

RIP

IS-IS

OSPF

BGP

MPLS

VPNs

IP Multicast



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett

Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net