Jump to content
Калькуляторы

Защита RE на MX80

Потихоньку переезжаем на MX с 7200 NPE-G2 т.к. циска по процу уходит в полку. Задача у MX - принять 3 фулл вью, отдать в ядро и шейперам дефолт по bgp. В общем, никакой магии.

Вопрос во в чем. Хоть у МХ контрол-плейн и отделен от форвардинг-плейна, но проблемы, к примеру, ICMP-флуда непосредственно на роутер никто не отменял. Потому надо как-то защитить RE. Вот пока придумал:

1. Отполисить входящий ICMP

2. Закрыть порт bgp от всех, кроме нейборов

3. Прикрыть ntp/snmp/tacacs/ssh/telnet из публичных сетей, трафик разрешить только из менеджмент-сетей

4. Разрешить DNS только свои

 

А что собственно еще?

Share this post


Link to post
Share on other sites

А что собственно еще?

 

Шаблонный фильтр, склеивайте, комбинируйте, пользуйтесь :)

 

 

 

# Version 1.4
# Date 03/20/2013
# Author: D.Shokarev
# Business Edge Solution V 1.0
# 
# History of changes
# 1.4 Added family inet6 / mpls to the group 1 at the core-interfaces
#     Expanded allowed TCP port in the accept-tcp-mgmt term to allow ftp
#     Split accept-bfd-control-infra term in two due to a potential bug with a port-range match
#
# In this template, we try to block unauthorized traffic to the routing engine, and limit eligible traffic (in order to avoid denial of service at the control plane)
# 
# Note that all non-customer facing interfaces should be assigned to the interface group 1
# In this template, signalling traffic from the network core is not rate limited, whereas traffic from the customer facing interfaces is rate limited.
# Interface groups are used in order to easily match non-customer facing interfaces
#
# BGP Peer Group Naming Conventions:
# The template supports TTL security mechanism check for BGP. TTL secured BGP peers should be placed into the group named v6-gtsm* or v4-gtsm*.
# Other peers should be placed into the groups named v6* and v4*.
#
# This is work in progress.
# The items below are yet to be done:
# 1. Enable suspicious flow detection;
#
# Constants used in this template
#
# Intefaces
# Core interface group id : 1
# Other non-customer facing reserved interface group ids : 2-3
#
# Policing (CIR/CBS)
# 4Mbps/48k pol-control-customer policer, polices control plane traffic from the customers (OSPF, MLD, IGMP, RIP, etc.)
# 20Mbps/48k pol-tcp-control-customer policer, polices control plane traffic from the customers (BGP)
# 4Mbps/48k pol-control-customer-tcp-conn policer, limits TCP connection / reset attempts
# 10Mbps/48k pol-mgmt policer, polices management plane traffic (SSH, Telnet, SNMP, FTP, WEB)
# 4Mbps/48k pol-mgmt-generic-oam, polices pings (ICMP, MPLS)
#
# Parameters used in this template
#
# Interfaces
# $core_ifd : core interface name
#
# Dependencies : address-space.conf
groups {
   re0 {
       interfaces {
       /* fxp0 interface should belong to group 1, means non-customer facing */
           fxp0 {
               unit 0 {
                   family inet {
                       filter {
                           group 1;
                       }                      
                   }
                   family inet6 {
                       filter {
                           group 1;
                       }                      
                   }
               }
           }
       }
   }
   re1 {
       interfaces {
       /* fxp0 interface should belong to group 1, means non-customer facing */
           fxp0 {
               unit 0 {
                   family inet {
                       filter {
                           group 1;
                       }                      
                   }
                   family inet6 {
                       filter {
                           group 1;
                       }                      
                   }
               }
           }
       }
   }
   /* Apply group below to the core interface */
   core-intf {
       interfaces {
           <*> {
               mtu 9192;
               unit <*> {
                   family inet {
                       filter {
                           group 1;
                       }
                   }
                   family iso;
                   family inet6 {
                       filter {
                           group 1;
                       }
                   };
                   family mpls {
                       filter {
                           group 1;
                       }
                   };
               }
           }
       }
   }
   /* Apply group below to the loopback interface */
   loopback-filter {
       interfaces {
           lo0 {
               unit <*> {
                   family inet {
                       filter {
                           input sec-control-plane-v4;
                       }
                   }
                   family inet6 {
                       filter {
                           input sec-control-plane-v6;
                       }
                   }
               }
           }
       }
   }
}
interfaces {
   $core_ifd {
       apply-groups core-intf;        
   } 
   lo0 {
       apply-groups loopback-filter;
   }
}
policy-options {
   /* This prefix list is automatically populated with configured DNS server addresses */
   prefix-list pl-dns {
       apply-path "system name-server <*>";
   }
   /* This prefix list is automatically populated with configured IPv4 inet.0 BGP neighbors,
      note that V4 neighbor is identified by the group name (it should start with v4) */
   prefix-list pl-bgp-inet0-v4 {
       apply-path "protocols bgp group <v4*> neighbor <*>";
   }
   /* This prefix list is automatically populated with configured IPV4 VPN BGP neighbors,
      note that V4 neighbor is identified by the group name (it should start with v4) */
   prefix-list pl-bgp-vpn-v4 {
       apply-path "routing-instances <*> protocols bgp group <v4*> neighbor <*>";
   }
   /* This prefix list is automatically populated with configured IPv6 inet.0 BGP neighbors,
      note that V6 neighbor is identified by the group name (it should start with v6) */
   prefix-list pl-bgp-inet0-v6 {
       apply-path "protocols bgp group <v6*> neighbor <*>";
   }
   /* This prefix list is automatically populated with configured IPv6 VPN BGP neighbors,
      note that V6 neighbor is identified by the group name (it should start with v6) */
   prefix-list pl-bgp-vpn-v6 {
       apply-path "routing-instances <*> protocols bgp group <v6*> neighbor <*>";
   }
   /* This prefix list is automatically populated with configured IPv4 inet.0 BGP neighbors 
      that should be enabled for the TTL security check, note that ttl check enabled V4 neighbor is identified 
      by the group name (it should start with v4-gtsm) */
   prefix-list pl-bgp-inet0-ttl-secured-v4 {
       apply-path "protocols bgp group <v4-gtsm*> neighbor <*>";
   }
   /* This prefix list is automatically populated with configured IPv4 VPN BGP neighbors 
      that should be enabled for the TTL security check, note that ttl check enabled V4 neighbor is identified 
      by the group name (it should start with v4-gtsm) */
   prefix-list pl-bgp-vpn-ttl-secured-v4 {
       apply-path "routing-instances <*> protocols bgp group <v4-gtsm*> neighbor <*>";
   }
   /* This prefix list is automatically populated with configured IPv6 inet.0 BGP neighbors 
      that should be enabled for the TTL security check, note that ttl check enabled V6 neighbor is identified 
      by the group name (it should start with v6-gtsm) */
   prefix-list pl-bgp-inet0-ttl-secured-v6 {
       apply-path "protocols bgp group <v6-gtsm*> neighbor <*>";
   }
   /* This prefix list is automatically populated with configured IPv6 VPN BGP neighbors 
      that should be enabled for the TTL security check, note that ttl check enabled V6 neighbor is identified 
      by the group name (it should start with v6-gtsm) */
   prefix-list pl-bgp-vpn-ttl-secured-v6 {
       apply-path "routing-instances <*> protocols bgp group <v6-gtsm*> neighbor <*>";
   }
   /* This prefix list is automatically populated with configured RADIUS server addresses */
   prefix-list pl-radius {
       apply-path "system radius-server <*>";
   }
   /* This prefix list is automatically populated with configured NTP peer addresses */
   prefix-list pl-ntp-peer {
       apply-path "system ntp peer <*>";
   }
   /* This prefix list is automatically populated with configured NTP server addresses */
   prefix-list pl-ntp-server {
       apply-path "system ntp server <*>";
   }    
}

firewall {
   family inet {
       filter sec-control-plane-v4 {
           /* Discard framgents */
           term discard-first-fragment {
               from {
                   first-fragment;
               }
               then {
                   count c-cp-v4-discard-fragments;
                   log;
                   syslog;
                   discard;
               }
           }
           term discard-other-fragments {
               from {
                   is-fragment;
               }
               then {
                   count c-cp-v4-discard-fragments;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard bad options */
           term discard-bad-options {
               from {
                   ip-options [ loose-source-route route-record security timestamp stream-id strict-source-route ];
               }
               then {
                   count c-cp-v4-discard-bad-options;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log RSVP packets from unauthorized sources */
           term discard-unauth-rsvp {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-infra-v4 except;
                   }
                   protocol rsvp;
               }
               then {
                   count c-cp-v4-discard-rsvp;
                   log;
                   syslog;
                   discard;
               }
           }
           term discard-unauth-rsvp-address-overlap {
               from {
                   interface-group-except [ 1 - 3];
                   protocol rsvp;
               }
               then {
                   count c-cp-v4-discard-rsvp;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Next 5 terms might allow traffic with IP Options */
           /* Accept IGMP packets from the non-customer facing interfaces, no rate limit enforced */
           term accept-igmp-infra {
               from {
                   interface-group 1;
                   protocol igmp;
               }
               then {
                   count c-cp-v4-accept-igmp-infra;
                   accept;
               }
           }
           /* Accept IGMP packets from the customer facing interfaces, subject to the rate limit */
           term accept-igmp-customer {
               from {
                   interface-group-except [ 1-3];
                   protocol igmp;
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v4-accept-igmp-cust;
                   accept;
               }
           }
           /* Accept RSVP packets from the non-customer facing interfaces */
           term accept-rsvp {
               from {
                   /* Allow non-customer facing interfaces only */
                   interface-group 1;
                   source-prefix-list {
                       pl-infra-v4;
                   }
                   protocol rsvp;
               }
               then {
                   count c-cp-v4-accept-rsvp;
                   accept;
               }
           }
           /* Accept MPLS ping from infrastructure addresses */
           term accept-mpls-ping {
               from {
                   /* Allow non-customer facing interfaces only */
                   interface-group 1;
                   source-prefix-list {
                       pl-infra-v4;
                   }
                   protocol udp;
                   port 3503;
               }
               then {
                   policer pol-mgmt-generic-oam;
                   count c-cp-v4-accept-mpls-ping;
                   accept;
               }
           }
           /* At this point all eligible traffic with IP Options is processed, discard the rest of the traffic with options */
           term discard-options {
               from {
                   ip-options any;
               }
               then {
                   count c-cp-v4-discard-options;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log DNS response packets from unauthorized sources */
           term discard-unauth-dns {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-dns except;
                   }
                   protocol udp;
                   port domain;
               }
               then {
                   count c-cp-v4-discard-dns;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Some L3 VPN customers may have address overlaps with pl-dns prefixes, need to account for that case as well */
           term discard-unauth-dns-address-overlap {
               from {
                   interface-group-except [ 1-3];
                   protocol udp;
                   port domain;
               }
               then {
                   count c-cp-v4-discard-dns;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log NTP packets from unauthorized sources */
           term discard-unauth-ntp {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-ntp-peer except;
                       pl-ntp-server except;
                   }
                   protocol udp;
                   port ntp;
               }
               then {
                   count c-cp-v4-discard-ntp;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Some L3 VPN customers may have address overlaps with pl-ntp-peer / pl-ntp-server prefixes, need to account for that case as well */
           term discard-unauth-ntp-address-overlap {
               from {
                   interface-group-except [ 1-3];
                   protocol udp;
                   port ntp;
               }
               then {
                   count c-cp-v4-discard-ntp;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log FTP packets from unauthorized sources */
           term discard-unauth-ftp {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-mgmt-v4 except;
                   }
                   protocol tcp;
                   port [ ftp ftp-data ];
               }
               then {
                   count c-cp-v4-discard-ftp;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Some L3 VPN customers may have address overlaps with pl-mgmt prefixes, need to account for that case as well */
           term discard-unauth-ftp-address-overlap {
               from {
                   interface-group-except [ 1-3];
                   protocol tcp;
                   port [ ftp ftp-data ];
               }
               then {
                   count c-cp-v4-discard-ftp;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log http packets from unauthorized sources */
           term discard-unauth-web {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-mgmt-v4 except;
                   }
                   protocol tcp;
                   port [ http https ];
               }
               then {
                   count c-cp-v4-discard-http;
                   log;
                   syslog;
                   discard;
               }
           }
           term discard-unauth-web-address-overlap {
               from {
                   interface-group-except [ 1-3];
                   protocol tcp;
                   port [ http https ];
               }
               then {
                   count c-cp-v4-discard-http;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log RADIUS packets from unauthorized sources */
           term discard-unauth-radius {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-radius except;
                   }
                   protocol udp;
                   port [ radacct radius ];
               }
               then {
                   count c-cp-v4-discard-radius;
                   log;
                   syslog;
                   discard;
               }
           }
           term discard-unauth-radius-address-overlap {
               from {
                   interface-group-except [ 1-3];
                   protocol udp;
                   port [ radacct radius ];
               }
               then {
                   count c-cp-v4-discard-radius;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log unauthorized telnet login attempts */
           term discard-unauth-telnet {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-mgmt-v4 except;
                   }
                   protocol tcp;
                   port telnet;
               }
               then {
                   count c-cp-v4-discard-telnet;
                   log;
                   syslog;
                   discard;
               }
           }
           term discard-unauth-telnet-address-overlap {
               from {
                   interface-group-except [ 1-3];
                   protocol tcp;
                   port telnet;
               }
               then {
                   count c-cp-v4-discard-telnet;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log unauthorized SSH login attempts */
           term discard-unauth-ssh {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-mgmt-v4 except;
                   }
                   protocol tcp;
                   port ssh;
               }
               then {
                   count c-cp-v4-discard-ssh;
                   log;
                   syslog;
                   discard;
               }
           }
           term discard-unauth-ssh-address-overlap {
               from {
                   interface-group-except [ 1-3];
                   protocol tcp;
                   port ssh;
               }
               then {
                   count c-cp-v4-discard-ssh;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log unauthorized BGP connection attempts */
           term discard-unauth-bgp {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-bgp-inet0-v4 except;
                       pl-bgp-vpn-v4 except;
                   }
                   protocol tcp;
                   port bgp;
               }
               then {
                   count c-cp-v4-discard-bgp;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log unauthorized BGP connection attempts from 
              neighbors which are supposed to be TTL secured. 
              The assumption is that VPN space should not have any overlap 
              with the TTL secured neighbor addresses. */
           term discard-invalid-ttl-secured-sessions {
               from {
                   source-prefix-list {
                       pl-bgp-inet0-ttl-secured-v4;
                       pl-bgp-vpn-ttl-secured-v4;
                   }
                   protocol tcp;
                   port bgp;
                   ttl-except 255;
               }
               then {
                   count c-cp-v4-discard-bgp-invalid-ttl;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log LDP packets from unauthorized sources */
           term discard-unauth-ldp {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-infra-v4 except;
                   }
                   protocol [ tcp udp ];
                   port ldp;
               }
               then {
                   count c-cp-v4-discard-ldp;
                   log;
                   syslog;
                   discard;
               }
           }
           term discard-unauth-ldp-address-overlap {
               from {
                   interface-group-except [ 1-3];
                   protocol [ tcp udp ];
                   port ldp;
               }
               then {
                   count c-cp-v4-discard-ldp;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log SNMP packets from unauthorized sources */
           term discard-unauth-snmp {
               from {
                   source-prefix-list {
                       pl-default-v4;
                       pl-mgmt-v4 except;
                   }
                   protocol udp;
                   port snmp;
               }
               then {
                   count c-cp-v4-discard-snmp;
                   log;
                   syslog;
                   discard;
               }
           }
           term discard-unauth-snmp-address-overlap {
               from {
                   interface-group-except [ 1-3];
                   protocol udp;
                   port snmp;
               }
               then {
                   count c-cp-v4-discard-snmp;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Accept traceroutes */
           term accept-traceroute-udp {
               from {
                   protocol udp;
                   destination-port 33434-33523;
               }
               then {
                   policer pol-mgmt-generic-oam;
                   count c-cp-v4-accept-traceroute-udp;
                   accept;
               }
           }
           /* Accept ICMP requests */
           term accept-icmp {
               from {
                   protocol icmp;
                   icmp-type [ echo-reply echo-request time-exceeded unreachable ];
               }
               then {
                   policer pol-mgmt-generic-oam;
                   count c-cp-v4-accept-icmp;
                   accept;
               }
           }
           /* Accept eligible traffic in this section, and selectively rate limit it (set up different limits for customer facing & non-customer facing interfaces) */
           /* Limit TCP management traffic (from non-customer facing interfaces) */
           term limit-tcp-mgmt {
               from {
                   interface-group 1;
                   source-prefix-list {
                       pl-mgmt-v4;
                   }
                   protocol tcp;
                   port [ ssh telnet ftp ftp-data 1024-65535 ];
               }
               then {
                   policer pol-mgmt;
                   count c-cp-v4-accept-tcp-mgmt;
                   accept;
               }
           }
           /* Limit UDP management traffic (from non-customer facing interfaces) */
           term limit-udp-mgmt {
               from {
                   interface-group 1;
                   source-prefix-list {
                       pl-mgmt-v4;
                   }
                   protocol udp;
                   port [ snmp domain ntp radius ];
               }
               then {
                   policer pol-mgmt;
                   count c-cp-v4-accept-udp-mgmt;
                   accept;
               }
           }
           /* Accept TCP control traffic from non-customer facing (infrastructure) interfaces unconditionally */
           term accept-tcp-control-infra {
               from {
                   interface-group 1;
                   source-prefix-list {
                       pl-infra-v4;
                   }
                   protocol tcp;
                   port [ ldp bgp ];
               }
               then {
                   count c-cp-v4-accept-tcp-ctrl-infra;
                   accept;
               }
           }
           /* Accept BFD control traffic from the non-customer facing (infrastructure) interfaces unconditionally, includes BFD only for now */
           term accept-bfd-control-infra {
               from {
                   interface-group 1;
                   source-prefix-list {
                       pl-infra-v4;
                   }
                   protocol udp;
                   source-port 49152-65535;
                   destination-port [ 3784 4784 ];
               }
               then {
                   count c-cp-v4-accept-udp-ctrl-infra;
                   accept;
               }
           }
           /* Accept BFD control traffic from the non-customer facing (infrastructure) interfaces unconditionally, includes BFD only for now */
           term accept-bfd-control-infra-2 {
               from {
                   interface-group 1;
                   source-prefix-list {
                       pl-infra-v4;
                   }
                   protocol udp;
                   source-port 49152-65535;
                   destination-port 3785;
               }
               then {
                   count c-cp-v4-accept-udp-ctrl-infra;
                   accept;
               }
           }
           /* Accept LDP discovery control traffic from the non-customer facing (infrastructure) interfaces unconditionally */
           term accept-ldp-discovery-infra {
               from {
                   interface-group 1;
                   source-prefix-list {
                       pl-infra-v4;
                   }
                   protocol udp;
                   port ldp;
               }
               then {
                   count c-cp-v4-accept-udp-ctrl-infra;
                   accept;
               }
           }
           /* Accept PIM from the non-customer facing (infrastructure) interfaces unconditionally */
           term accept-pim-infra {
               from {
                   interface-group 1;
                   protocol pim;
               }
               then {
                   count c-cp-v4-accept-pim-infra;
                   accept;
               }
           }
           /* Limit the rate of TCP connection / reset attempts */
           term limit-tcp-conn-customer {
               from {
                   interface-group-except [ 1-3];
                   protocol tcp;
                   port bgp;
                   tcp-flags "(syn & !ack) | fin | rst";
               }
               then {
                   policer pol-control-customer-tcp-conn;
                   count c-cp-v4-limit-tcp-conn-cust;
                   next term;
               }
           }
           /* Limit TCP control traffic from the customer facing interfaces */
           term limit-tcp-control-customer {
               from {
                   interface-group-except [ 1-3];
                   protocol tcp;
                   port bgp;
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v4-accept-tcp-ctrl-cust;
                   accept;
               }
           }
           term limit-bfd-control-customer {
               from {
                   interface-group-except [ 1-3];
                   protocol udp;
                   source-port 49152-65535;
                   destination-port [ 3784-3785 4784 ];
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v4-accept-udp-ctrl-cust;
                   accept;
               }
           }
           term limit-rip-control-customer {
               from {
                   interface-group-except [ 1-3];
                   protocol udp;
                   destination-port rip;
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v4-accept-udp-ctrl-cust;
                   accept;
               }
           }
           term limit-ospf-control-customer {
               from {
                   interface-group-except [ 1-3];
                   protocol ospf;
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v4-accept-ospf-ctrl-cust;
                   accept;
               }
           }
           term limit-pim-control-customer {
               from {
                   interface-group-except [ 1-3];
                   protocol pim;
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v4-accept-pim-ctrl-cust;
                   accept;
               }
           }
           term discard-unknown {
               then {
                   count c-cp-v4-discard-unknown;
                   log;
                   syslog;
                   discard;
               }
           }
       }
   }
       family inet6 {
       filter sec-control-plane-v6 {
           /* Discard path MTU discovery attempts, except from BGP neighbors */
           term discard-unauth-bgp-mtu-discovery {
               from {
                   source-prefix-list {
                       pl-default-v6;
                       pl-bgp-inet0-v6 except;
                       pl-bgp-vpn-v6 except;
                   }
                   next-header icmpv6;
                   icmp-type packet-too-big;
               }
               then {
                   count c-cp-v6-discard-mtu-discovery;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard BGP packets form every host except a configured BGP peer */
           term discard-unauth-bgp {
               from {
                   source-prefix-list {
                       pl-default-v6;
                       pl-bgp-inet0-v6 except;
                       pl-bgp-vpn-v6 except;
                   }
                   next-header tcp;
                   port bgp;
               }
               then {
                   count c-cp-v6-discard-bgp;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Discard and log unauthorized BGP connection attempts from 
              neighbors which are supposed to be TTL secured. 
              The assumption is that VPN space should not have any overlap 
              with the TTL secured neighbor addresses. */
           term discard-invalid-ttl-secured-sessions {
               from {
                   source-prefix-list {
                       pl-bgp-inet0-ttl-secured-v6;
                       pl-bgp-vpn-ttl-secured-v6;
                   }
                   next-header tcp;
                   port bgp;
                   hop-limit-except 255;
               }
               then {
                   count c-cp-v6-discard-bgp-invalid-ttl;
                   log;
                   syslog;
                   discard;
               }
           }
           /* Accept a traceroute */
           term accept-traceroute-udp {
               from {
                   next-header udp;
                   destination-port 33434-33523;
               }
               then {
                   policer pol-mgmt-generic-oam;
                   count c-cp-v6-accept-traceroute-udp;
                   accept;
               }
           }
           /* Accept ICMP PINGs, etc, except address resolution */
           term accept-icmp {
               from {
                   next-header icmpv6;
                   icmp-type [ echo-request echo-reply destination-unreachable time-exceeded packet-too-big ];
               }
               then {
                   policer pol-mgmt-generic-oam;
                   count c-cp-v6-accept-icmp;
                   accept;
               }
           }
           /* Accept ICMP neighbor solicitation & MLD */
           term accept-icmp-control-infra {
               from {
                   interface-group 1;
                   next-header icmpv6;
                   icmp-type [ neighbor-advertisement neighbor-solicit router-solicit router-advertisement membership-query membership-report membership-termination ];
               }
               then {
                   count c-cp-v6-accept-icmp-ctrl-infra;
                   accept;
               }
           }
           /* Accept hop by hop extension headers */
           term accept-icmp-control-infra {
               from {
                   interface-group 1;                    
                   next-header hop-by-hop;                    
               }
               then {
                   count c-cp-v6-accept-hbh-ctrl-infra;
                   accept;
               }
           }
           /* Limit ICMP neighbor solicitation & MLD from the customer side */
           term limit-icmp-control-customer {
               from {
                   interface-group-except [ 1-3];
                   next-header icmpv6;
                   icmp-type [ neighbor-advertisement neighbor-solicit router-solicit router-advertisement membership-query membership-report membership-termination ];
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v6-accept-icmp-ctrl-cust;
                   accept;
               }
           }
           /* Limit the rate of TCP connection / reset attempts */
           term limit-tcp-conn-customer {
               from {
                   interface-group-except [ 1-3];
                   next-header tcp;
                   port bgp;
                   tcp-flags "(syn & !ack) | fin | rst";
               }
               then {
                   policer pol-control-customer-tcp-conn;
                   count c-cp-v6-limit-tcp-conn-cust;
                   next term;
               }
           }
           /* Limit TCP control packets from the customer facing interfaces */
           term limit-tcp-control-customer {
               from {
                   interface-group-except [ 1-3];
                   next-header tcp;
                   port bgp;
               }
               then {
                   policer pol-tcp-control-customer;
                   count c-cp-v6-accept-tcp-ctrl-cust;
                   accept;
               }
           }
           /* Limit PIM control packets from the customer facing interfaces */
           term limit-pim-control-customer {
               from {
                   interface-group-except [ 1-3];
                   next-header pim;
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v6-accept-pim-ctrl-cust;
                   accept;
               }
           }
           /* Limit IGMP control packets from the customer facing interfaces */
           term limit-igmp-control-customer {
               from {
                   interface-group-except [ 1-3];
                   next-header igmp;
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v6-accept-igmp-ctrl-cust;
                   accept;
               }
           }
           /* Limit hop-by-hop control packets from the customer facing interfaces 
              they are used for MLD, which is in turn used by OSPF */
           term limit-hbh-control-customer {
               from {
                   source-prefix-list { 
                       pl-link-local-v6;
                       pl-unspecified-v6;
                   }
                   interface-group-except [ 1-3];
                   next-header hop-by-hop;
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v6-accept-hbh-ctrl-cust;
                   accept;
               }
           }
           /* Limit OSPF control packets from the customer facing interfaces */
           term limit-ospf-control-customer {
               from {
                   interface-group-except [ 1-3];
                   next-header ospf;
               }
               then {
                   policer pol-control-customer;
                   count c-cp-v6-accept-ospf-ctrl-cust;
                   accept;
               }
           }
           /* Discard unknown traffic, log the packet */
           term discard-unknown {
               then {
                   count c-cp-v6-discard-unknown;
                   log;
                   syslog;
                   discard;
               }
           }
       }
   }
   policer pol-control-customer {
       filter-specific;
       /* Allow 4Mbps of non-TCP packets per second, 
          For example, this policer may accept up to ~7K 62 byte BFD packets per second,
          It is shared between all non-tcp protocols */
       if-exceeding {
           bandwidth-limit 4m;
           burst-size-limit 48k;
       }
       then discard;
   }
   policer pol-tcp-control-customer {
       filter-specific;
       /* Allow 20 Mbps of TCP packets per second */
       if-exceeding {
           bandwidth-limit 20m;
           burst-size-limit 48k;
       }
       then discard;
   }
   policer pol-control-customer-tcp-conn {
       filter-specific;
       /* Allow 4Mbps of TCP packets per second, this equals to 10416 TCP SYNs / second, 1000 packets in a burst */
       if-exceeding {
           bandwidth-limit 4m;
           burst-size-limit 48k;
       }
       then discard;
   }
   policer pol-mgmt {
       filter-specific;
       if-exceeding {
           bandwidth-limit 10m;
           burst-size-limit 48k;
       }
       then discard;
   }
   policer pol-mgmt-generic-oam {
       filter-specific;
       if-exceeding {
           bandwidth-limit 5m;
           burst-size-limit 48k;
       }
       then discard;
   }
}

 

 

Edited by fomka31ru

Share this post


Link to post
Share on other sites

Хороший шаблончик, кое-то из него и себе утяну, спасибо.

 

По поводу полисинга входящего ICMP - у МХ-ов есть встроенный, и не только на ICMP. Скажите show ddos-protection protocols parameters brief и он покажет дефолты (если не меняли). По умолчанию ICMP режет после 20kpps. Подробнее есть в книжке про МХ, и в доках на сайте (ищите по ddos protection, они под этим подразумевают исключительно ddos на RE, а не кастомеров, если что).

 

2,3,4 - это к шаблонному фильтру выше. Заодно рекоммендую вот этот буклетик, написанный автором книги про МХ, отлично разбирающий многие вещи.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.