smart85 Posted February 15, 2017 (edited)

Colleagues, good day! I have an interface and want to do the following with incoming packets:
- sampling
- accept what is needed
- discard what is not needed
- accept transit traffic

I am doing the following:

set firewall filter sampling term sample then sample
set firewall filter accept-icmp term discard-icmp-fragments from destination-prefix-list LOCALS-v4
set firewall filter accept-icmp term discard-icmp-fragments from is-fragment
set firewall filter accept-icmp term discard-icmp-fragments from protocol icmp
set firewall filter accept-icmp term discard-icmp-fragments then count discard-icmp-fragments
set firewall filter accept-icmp term discard-icmp-fragments then discard
set firewall filter accept-icmp term accept-icmp from destination-prefix-list LOCALS-v4
set firewall filter accept-icmp term accept-icmp from icmp-type echo-reply
set firewall filter accept-icmp term accept-icmp from icmp-type echo-request
set firewall filter accept-icmp term accept-icmp from icmp-type time-exceeded
set firewall filter accept-icmp term accept-icmp from icmp-type unreachable
set firewall filter accept-icmp term accept-icmp from icmp-type source-quench
set firewall filter accept-icmp term accept-icmp from icmp-type router-advertisement
set firewall filter accept-icmp term accept-icmp from icmp-type parameter-problem
set firewall filter accept-icmp term accept-icmp then policer management-1m
set firewall filter accept-icmp term accept-icmp then count accept-icmp
set firewall filter accept-icmp term accept-icmp then accept
set firewall filter discard-all-to-locals-v4 term discard-ip-options from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-ip-options from ip-options any
set firewall filter discard-all-to-locals-v4 term discard-ip-options then count discard-ip-options
set firewall filter discard-all-to-locals-v4 term discard-ip-options then log
set firewall filter discard-all-to-locals-v4 term discard-ip-options then discard
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown from ttl 1
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then count discard-TTL_1-unknown
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then log
set firewall filter discard-all-to-locals-v4 term discard-TTL_1-unknown then discard
set firewall filter discard-all-to-locals-v4 term discard-tcp from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-tcp from protocol tcp
set firewall filter discard-all-to-locals-v4 term discard-tcp then count discard-tcp
set firewall filter discard-all-to-locals-v4 term discard-tcp then log
set firewall filter discard-all-to-locals-v4 term discard-tcp then discard
set firewall filter discard-all-to-locals-v4 term discard-udp from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-udp from protocol udp
set firewall filter discard-all-to-locals-v4 term discard-udp then count discard-udp
set firewall filter discard-all-to-locals-v4 term discard-udp then log
set firewall filter discard-all-to-locals-v4 term discard-udp then discard
set firewall filter discard-all-to-locals-v4 term discard-icmp from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-icmp from protocol icmp
set firewall filter discard-all-to-locals-v4 term discard-icmp then count discard-icmp
set firewall filter discard-all-to-locals-v4 term discard-icmp then log
set firewall filter discard-all-to-locals-v4 term discard-icmp then discard
set firewall filter discard-all-to-locals-v4 term discard-unknown from destination-prefix-list LOCALS-v4
set firewall filter discard-all-to-locals-v4 term discard-unknown then count discard-unknown
set firewall filter discard-all-to-locals-v4 term discard-unknown then log
set firewall filter discard-all-to-locals-v4 term discard-unknown then discard
set firewall filter discard-all-to-locals-v4 term accept-all-other then accept

I apply it to the interface:

set family inet filter input-list [sampling accept-icmp discard-all-to-locals-v4]

and the result is that, after the sampling filter, packets are not processed by the remaining filters in the list. If I remove sampling, everything works fine. What am I doing wrong? Or is it better to enable sampling on the interface via set interfaces X unit Y family inet sampling input, and use filter input-list only for filtering?

And by the way, a question: did I understand correctly that any filter has a final implicit term with discard, i.e. whatever is not accepted will be dropped in any case, but when filter input-list is used, the packet follows the rules from left to right and the implicit discard only kicks in at the last filter?

Plus one more question: at the moment no IP address is assigned to interface lo0:

Physical interface: lo0, Enabled, Physical link is Up
  Interface index: 6, SNMP ifIndex: 6
  Type: Loopback, MTU: Unlimited
  Device flags   : Present Running Loopback
  Interface flags: SNMP-Traps
  Link flags     : None
  Last flapped   : Never
  Input packets  : 4706
  Output packets : 4706

  Logical interface lo0.16384 (Index 320) (SNMP ifIndex 21)
    Flags: SNMP-Traps Encapsulation: Unspecified
    Input packets : 774
    Output packets: 774
    Protocol inet, MTU: Unlimited
      Addresses
        Local: 127.0.0.1

  Logical interface lo0.16385 (Index 321) (SNMP ifIndex 22)
    Flags: SNMP-Traps Encapsulation: Unspecified
    Input packets : 3926
    Output packets: 3926
    Protocol inet, MTU: Unlimited

The IP address of interface fxp0.0 is shown as Local ID in show bgp neighbor x.x.x.x. How do I filter traffic to the RE in that case? On fxp0.0?

Edited February 17, 2017 by mse.rus77
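An added example for the last question in the post above (it is not from the thread or its author): protecting the Routing Engine is normally done with a filter on lo0.0, which sees host-bound traffic arriving on any transit interface whatever local address it was sent to, so it does not depend on the interface filter's LOCALS-v4 list. fxp0.0 is the out-of-band management port and is not covered by a lo0 filter; it needs its own input filter if it is reachable from untrusted networks. The loopback address 192.0.2.1, the prefix-list BGP-PEERS and the peer addresses are assumptions; policer management-1m is the one from the thread. The `#` lines are reader comments, not Junos set syntax.

```junos
# 1. Give lo0.0 an address and pin the router-id, so it stops being derived from fxp0's address
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set routing-options router-id 192.0.2.1

# 2. Peers that are allowed to reach BGP on the RE (assumed addresses)
set policy-options prefix-list BGP-PEERS 203.0.113.1/32
set policy-options prefix-list BGP-PEERS 203.0.113.2/32

# 3. RE-protection filter: explicit accepts, then a counted and logged discard.
#    Extend it with every protocol the box really runs (IGP, NTP, SSH from management nets)
#    before committing, otherwise the final term cuts them off.
set firewall filter protect-re term bgp from source-prefix-list BGP-PEERS
set firewall filter protect-re term bgp from protocol tcp
set firewall filter protect-re term bgp from port bgp
set firewall filter protect-re term bgp then count accept-bgp
set firewall filter protect-re term bgp then accept

set firewall filter protect-re term icmp from protocol icmp
set firewall filter protect-re term icmp from icmp-type echo-request
set firewall filter protect-re term icmp from icmp-type echo-reply
set firewall filter protect-re term icmp from icmp-type unreachable
set firewall filter protect-re term icmp from icmp-type time-exceeded
set firewall filter protect-re term icmp then policer management-1m
set firewall filter protect-re term icmp then count accept-icmp
set firewall filter protect-re term icmp then accept

set firewall filter protect-re term discard-rest then count discard-rest
set firewall filter protect-re term discard-rest then log
set firewall filter protect-re term discard-rest then discard

# 4. Apply on lo0.0; host-bound packets from all PFE-facing interfaces pass through it.
set interfaces lo0 unit 0 family inet filter input protect-re

# Verify after commit (operational mode): counters per term
# > show firewall filter protect-re
```

Commit with `commit confirmed` when first applying a lo0 filter: if a needed protocol was forgotten, the discard-rest term drops it and the configuration rolls back on its own.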
smart85 Posted February 15, 2017

On the first question, I figured it out:

> There is no difference in both the configurations that you have shown below. The usage of the two configurations differ:
> 1. For example, if you want to sample every family inet packet on the interface, you can just use "family inet sampling input/output" on the interface. It will mark every packet for sampling irrespective of the flow.
> 2. If you want to sample only specific type of IP traffic, for example, you want to sample traffic coming from specific source IP or from specific destination IP you can create a customized firewall filter and match that specific traffic type for sampling.
orlik Posted February 16, 2017

> set firewall filter sampling term sample then sample

You have an implicit discard here, so everything will be dropped. Do the sample in the terms that have accept or discard, or, as already advised, put it on the whole interface. Sample is not a terminating action.
smart85 Posted February 16, 2017

> > set firewall filter sampling term sample then sample
>
> You have an implicit discard here, so everything will be dropped. Do the sample in the terms that have accept or discard, or, as already advised, put it on the whole interface. Sample is not a terminating action.

I have already put sampling on the interface. As for the discard after then sample, it is the other way round: everything went to accept after sample. I checked with telnet ${external_if_addr} 22.
vvertexx Posted February 16, 2017

mse.rus77 >
sample; # default action is accept

Too lazy to dig up the docs, but the examples always state that accept is the default for sample; it is an exception to the general rule.
smart85 Posted February 16, 2017

> mse.rus77 >
> sample; # default action is accept
>
> Too lazy to dig up the docs, but the examples always state that accept is the default for sample; it is an exception to the general rule.

Thanks.
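An added example (not from the thread) that applies the rule just quoted to the original filters: a term whose only action is `sample` accepts by default, and accept is a terminating action, so the first filter in the input-list accepted every packet and accept-icmp and discard-all-to-locals-v4 never ran. Keeping `sample` as an action modifier inside the terms that already terminate preserves the accept/discard logic. The interface name ge-0/0/0 unit 0 is an assumption; the filter, term, prefix-list and policer names are the thread's own, and sampling output under forwarding-options is assumed to be configured already (it was working). The `#` lines are reader comments, not Junos set syntax.

```junos
# 1. Remove the standalone filter: 'term sample then sample' accepted everything
delete firewall filter sampling
delete interfaces ge-0/0/0 unit 0 family inet filter input-list

# 2. Sample inside the terminating terms. 'sample' only marks the packet;
#    the 'accept' on the same term still decides its fate.
set firewall filter accept-icmp term accept-icmp then sample
set firewall filter accept-icmp term accept-icmp then accept
set firewall filter discard-all-to-locals-v4 term accept-all-other then sample
set firewall filter discard-all-to-locals-v4 term accept-all-other then accept

# 3. Re-apply the list without the sampling filter. Order still matters:
#    accept-icmp is evaluated first, and the implicit discard sits only
#    after the last filter of the list.
set interfaces ge-0/0/0 unit 0 family inet filter input-list [ accept-icmp discard-all-to-locals-v4 ]

# Alternative (what the thread settled on): instead of step 2, mark every inet
# packet at the interface and leave the input-list purely to accept/discard.
# set interfaces ge-0/0/0 unit 0 family inet sampling input

# Verify after commit (operational mode): the discard-* counters must move again
# > show firewall filter discard-all-to-locals-v4
```

With step 2, only packets that reach an accept term are sampled; packets discarded by the earlier terms are not. If you need the discarded traffic in the flow export as well, the interface-level alternative is the simpler way to get it.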
smart85 Posted February 17, 2017 (edited)

An interesting thing came up: after I reconfigured packet sampling from firewall filter sample term sample then sample to the interface (set interface * unit 0 family inet sample input), the following entries appeared in the log:

Feb 17 14:29:09 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 1 times, started at 2017-02-17 14:29:09 GMT-3
Feb 17 14:34:12 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 1 times, from 2017-02-17 14:29:09 GMT-3 to 2017-02-17 14:29:11 GMT-3
Feb 17 15:00:47 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 2 times, started at 2017-02-17 15:00:47 GMT-3
Feb 17 15:05:48 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 2 times, from 2017-02-17 15:00:47 GMT-3 to 2017-02-17 15:00:47 GMT-3
Feb 17 15:40:23 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 3 times, started at 2017-02-17 15:40:22 GMT-3
Feb 17 15:45:22 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 3 times, from 2017-02-17 15:40:22 GMT-3 to 2017-02-17 15:40:22 GMT-3
Feb 17 16:46:59 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 4 times, started at 2017-02-17 16:46:58 GMT-3
Feb 17 16:52:03 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 4 times, from 2017-02-17 16:46:58 GMT-3 to 2017-02-17 16:47:03 GMT-3
Feb 17 16:56:34 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 5 times, started at 2017-02-17 16:56:33 GMT-3
Feb 17 17:02:33 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 5 times, from 2017-02-17 16:56:33 GMT-3 to 2017-02-17 16:57:33 GMT-3
Feb 17 17:31:59 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 6 times, started at 2017-02-17 17:31:58 GMT-3
Feb 17 17:37:39 MX80 jddosd[1548]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Sample:pfe has returned to normal. Violated at fpc 0 for 6 times, from 2017-02-17 17:31:58 GMT-3 to 2017-02-17 17:32:38 GMT-3

Is this because a lot of packets end up in sampling and DDoS protection kicks in? How do I fix it? Raise the default values?

Edited February 17, 2017 by mse.rus77
vvertexx Posted February 17, 2017

mse.rus77
> show ddos-protection protocols sample pfe
smart85 Posted February 20, 2017

mse.rus77
> show ddos-protection protocols sample pfe

Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: Sample

  Packet type: pfe (PFE sample traffic)
    Individual policer configuration:
      Bandwidth:        1000 pps
      Burst:            1000 packets
      Priority:         Medium
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Detection mode: Automatic   Detect time:  3 seconds
      Log flows:      Yes         Recover time: 60 seconds
      Timeout flows:  No          Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          1000 pps
    System-wide information:
      Bandwidth is no longer being violated
        No. of FPCs that have received excess traffic: 1
        Last violation started at: 2017-02-20 09:34:50 GMT-3
        Last violation ended at:   2017-02-20 09:34:50 GMT-3
        Duration of last violation: 00:00:00 Number of violations: 99
      Received:  3474391             Arrival rate:     10 pps
      Dropped:   105050              Max arrival rate: 866 pps
    Routing Engine information:
      Bandwidth: 1000 pps, Burst: 1000 packets, enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 0 information:
      Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled
      Policer is no longer being violated
        Last violation started at: 2017-02-20 09:34:50 GMT-3
        Last violation ended at:   2017-02-20 09:34:50 GMT-3
        Duration of last violation: 00:00:00 Number of violations: 99
      Received:  3474391             Arrival rate:     10 pps
      Dropped:   105050              Max arrival rate: 866 pps
        Dropped by this policer:      105050
        Dropped by aggregate policer: 0
        Dropped by flow suppression:  0
      Flow counts:
        Aggregation level     Current  Total detected  State
        Subscriber            0        0               Active

But Max arrival rate is 866 pps, with a maximum of 1000 pps, so why is it dropping at all?
And why was nothing dropped while sampling ran through the firewall filter? The traffic has not changed, after all.
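An added example (not from the thread) of the two knobs that decide whether the Sample:pfe policer shown above fires: the sampling ratio under forwarding-options, which sets how many packets are marked for the PFE in the first place, and the policer itself. One caveat a practitioner should keep in mind when reading that output: jddosd reports arrival rates averaged over its polling interval, while the policer is a token bucket of 1000 packets, so a burst that empties the bucket within a fraction of a second can be dropped even though the reported peak stays below 1000 pps; the "Dropped" counter is the signal to watch, not "Max arrival rate". The sampling rate of 1000, the 500 pps cap and the 2000 pps / 2000 packets policer values are assumptions to be sized for your link; flow-server output under forwarding-options is assumed to be configured already, and the `sample pfe` group and packet-type names are taken from the show output above. The `#` lines are reader comments, not Junos set syntax.

```junos
# Knob 1: mark fewer packets. rate 1 samples every packet, rate 1000 samples one in a
# thousand; max-packets-per-second caps what the PFE hands to the sampling path,
# here deliberately below the policer's 1000 pps.
set forwarding-options sampling input rate 1000
set forwarding-options sampling input max-packets-per-second 500

# Knob 2: raise the Sample:pfe policer instead of (or in addition to) knob 1,
# leaving headroom for bursts rather than sizing it to the averaged peak.
set system ddos-protection protocols sample pfe bandwidth 2000
set system ddos-protection protocols sample pfe burst 2000

# Verify after commit (operational mode): 'Number of violations' and 'Dropped'
# should stop increasing, and the group should vanish from the violations list.
# > show ddos-protection protocols sample pfe
# > show ddos-protection protocols violations
```

Start with knob 1: a lower sampling ratio reduces the load on the sampling path itself, whereas raising the policer only moves the point at which the PFE starts protecting the control plane.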