To support the example shown in Figure 211, AA is configured with an action to block unsolicited traffic, that is, traffic that is not originated/initiated by the subscriber. The direction field in the AQP match criteria is used to enable this functionality.
Figure 212 shows a similar concept, used to allow UDP traffic for peer-to-peer applications (such as gaming). Once traffic from one peer is seen by AA-ISA, a pinhole is opened in the reverse direction to allow the corresponding UDP traffic from the other peer.
The AA FW stateful session filter consists of multiple entries (similar to ACLs), with a match and an action per entry. Actions are deny or permit. A deny action results in packets being discarded without creating a session/flow context. Match conditions include IP protocol type, source and destination IP addresses, and ports. An overall default action is also configurable for the case where no session filter entry matches.
configure application-assurance group 1:2 policy
    begin
    app-service-options
        characteristic "FW-Protection" create
            value "None"
            value "ON"
            default-value "None"
        exit
        characteristic "ISP-Protection" create
            value "None"
            value "ON"
            default-value "None"
        exit
        characteristic "DOS-Protection" create
            value "None"
            value "ON"
            default-value "None"
        exit
    exit
configure application-assurance group 2:103 policy
    begin
    app-profile "Protected" create
        divert
        characteristic "FW-Protection" value "ON"
        characteristic "ISP-Protection" value "ON"
        characteristic "DOS-Protection" value "ON"
    exit
configure application-assurance group 2:103 policy
    begin
    app-profile "unProtected" create
        divert
        characteristic "FW-Protection" value "ON"
        characteristic "ISP-Protection" value "ON"
        characteristic "DOS-Protection" value "ON"
    exit
configure application-assurance group 2:203 policer Dos_police_Flow_count type flow-count-limit granularity subscriber create
    flow-count 500
exit
configure application-assurance group 2:203 policer Dos_Police_ICMPFlows type flow-count-limit granularity system create
    flow-count 5000
exit
configure application-assurance group 2:203 policy begin
    application ICMP create
    exit
    app-filter
        entry 1540 create
            protocol eq "non_tcp_udp"
            ip-protocol-num eq icmp
            application "ICMP"
            no shutdown
        exit
        entry 35500 create
            protocol eq "non_tcp_udp"
            ip-protocol-num eq ipv6-icmp
            application "ICMP"
            no shutdown
        exit
configure application-assurance group 2:103 policy
    begin
    app-qos-policy
        entry 100 create
            description "Protecting ISP1 from DoS attacks from subs"
            match
                traffic-direction subscriber-to-network
                characteristic "ISP-Protection" eq "ON"
                dst-ip eq 10.10.8.0/24
            exit
            action
                flow-count-limit Dos_police_Flow_count
            exit
            no shutdown
        exit
        entry 105 create
            description "Protecting ISP2 from DoS attacks from subs"
            match
                traffic-direction subscriber-to-network
                characteristic "ISP-Protection" eq "ON"
                dst-ip eq 192.168.0.0/24
            exit
            action
                flow-count-limit Dos_police_Flow_count
            exit
            no shutdown
        exit
configure application-assurance group 2:103 policy
    begin
    app-qos-policy
        entry 107 create
            match
                traffic-direction both
                application eq icmp
            exit
            action
                flow-count-limit Dos_Police_ICMPFlows
            exit
            no shutdown
        exit
        entry 120 create
            match
                traffic-direction subscriber-to-network
                characteristic "ISP-Protection" eq "ON"
            exit
            action
                session-filter "protectISPLan2"
            exit
            no shutdown
        exit
configure application-assurance group 2:103 policy
    begin
    app-qos-policy
        entry 110 create
            description "FW for managed opted-in subs"
            match
                traffic-direction network-to-subscriber
                characteristic "FW-Protection" eq "ON"
            exit
            action
                session-filter "denyUnsolictedwMgntCntrl"
            exit
            no shutdown
        exit
        entry 130 create
            match
                traffic-direction both
                characteristic "DOS-Protection" eq "ON"
            exit
            action
                cut-through-drop
                flow-count-limit Dos_police_Flow_count
            exit
            no shutdown
        exit
configure application-assurance group 1:1 session-filter <name> create
    description <description>
    default-action {permit | deny}      # default = deny
    entry n create
        description <entry-description>
        match
            ip-protocol-num <ip-protocol-number>
            no src-ip <ipv4-or-ipv6-address/mask>
            no dst-ip <ipv4-or-ipv6-address/mask>
            no src-port {eq | gt | lt} <port-num> | range <start-port-num> <end-port-num>
            no dst-port {eq | gt | lt} <port-num> | range <start-port-num> <end-port-num>
        exit
        action {permit | deny}
    exit
    entry m create
    . . .
• entry n — A session filter can have multiple match-action rules; each of these rules is an entry within the session-filter. The entries are evaluated in order. If a match is found within one entry, the subsequent entries within the session-filter are skipped (not evaluated).
• default-action {permit | deny} — This action is performed if no match is found for any of the configured entries within the session-filter. The default is deny.
  → A deny action drops the packet and does not allow a flow record to be allocated for that flow. Note that a drop action within an AA AQP drops the packet but still creates a flow record.
  → A permit action allows the packet to flow through the system, and a flow record is allocated. Note that the packet may still be dropped by other configured AQP actions (due to header check failures).
• match — Conditions that must be met for the action specified under the action keyword to be performed:
  → ip-protocol-num <ip-protocol-number> — one of: crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, sctp, stp, tcp, udp, vrrp
  → src-ip / dst-ip <ipv4-address/mask> or <ipv6-address/mask>
  → src-port / dst-port {eq | gt | lt} <port-num>, or range <start-port-num> <end-port-num>
      eq — match the port number specified.
      gt — match port numbers that are greater than the one specified.
      lt — match port numbers that are smaller than the one specified.
      port-num — 0..65535 (applicable to TCP, UDP and SCTP protocols only).
      range — match port numbers within the specified range.
• action {permit | deny} — The deny or permit action is only executed if a match is found.
  → deny drops the packet and does not create a flow record.
  → permit allows the packet to go through (unless another action is found that causes it to be dropped).
config application-assurance group 1:2
    session-filter "denyUnsolictedwMgntCntrl" create
        description "S-FW opted-in sub - allow ISP access"
        default-action deny
        entry 10 create
            description "allow ICMP access from ISP LAN1"
            match
                ip-protocol-num icmp
                src-ip 10.10.8.0/24
            exit
            action permit
        exit
        entry 20 create
            description "allow ICMP access from ISP LAN2"
            match
                ip-protocol-num icmp
                src-ip 192.168.0.0/24
            exit
            action permit
        exit
        entry 30 create
            description "allow all TCP (e.g. FTP/telnet) access from ISP LAN2"
            match
                ip-protocol-num tcp
                src-ip 192.168.0.0/24
            exit
            action permit
        exit
        entry 40 create
            description "allow TCP on port 80 /HTTP access from ISP LAN1"
            match
                ip-protocol-num tcp
                src-ip 10.10.8.0/24
                dst-port eq 80
            exit
            action permit
        exit
configure application-assurance group 1:2
    session-filter "protectISPLan2" create
        description "S-FW to deny all unsolicited requests to LAN2"
        default-action deny
        entry 10 create
            description "allow ftp access from ISP LAN1"
            match
                ip-protocol-num tcp
                src-ip 10.10.8.0/24
                dst-port eq 21
            exit
            action permit
        exit
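As an added illustration (not Nokia's code or output), the following Python model evaluates a session filter the way the entry, default-action and match/action keywords above describe, using the denyUnsolictedwMgntCntrl entries as its rule set. The Entry and SessionFilter names, the packet dictionaries and the (action, flow_record_allocated) return shape are assumptions of this example, not part of SR OS.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Entry:
    # One match/action rule of a session filter (hypothetical model).
    ip_protocol: str                   # e.g. "tcp", "icmp"
    action: str                        # "permit" or "deny"
    src_ip: Optional[str] = None       # prefix such as "10.10.8.0/24"
    dst_ip: Optional[str] = None
    dst_port: Optional[Tuple[str, int, int]] = None  # ("eq"|"gt"|"lt"|"range", a, b)

    def matches(self, pkt: dict) -> bool:
        if pkt["proto"] != self.ip_protocol:
            return False
        if self.src_ip and ip_address(pkt["src"]) not in ip_network(self.src_ip):
            return False
        if self.dst_ip and ip_address(pkt["dst"]) not in ip_network(self.dst_ip):
            return False
        if self.dst_port:                 # port matches apply to TCP/UDP/SCTP only
            op, a, b = self.dst_port
            p = pkt.get("dport")
            if p is None or not {"eq": p == a, "gt": p > a, "lt": p < a,
                                 "range": a <= p <= b}[op]:
                return False
        return True

@dataclass
class SessionFilter:
    default_action: str = "deny"
    entries: list = field(default_factory=list)   # evaluated in entry-id order

    def evaluate(self, pkt: dict) -> Tuple[str, bool]:
        # Returns (action, flow_record_allocated): the first matching entry wins,
        # later entries are skipped, and deny never allocates a flow record.
        for e in self.entries:
            if e.matches(pkt):
                return e.action, e.action == "permit"
        return self.default_action, self.default_action == "permit"

# The "denyUnsolictedwMgntCntrl" filter from the configuration above.
DENY_UNSOLICITED = SessionFilter("deny", [
    Entry("icmp", "permit", src_ip="10.10.8.0/24"),                          # entry 10
    Entry("icmp", "permit", src_ip="192.168.0.0/24"),                        # entry 20
    Entry("tcp", "permit", src_ip="192.168.0.0/24"),                         # entry 30
    Entry("tcp", "permit", src_ip="10.10.8.0/24", dst_port=("eq", 80, 80)),  # entry 40
])
```

Feeding constructed network-to-subscriber packets to DENY_UNSOLICITED.evaluate() shows that ICMP or port-80 TCP from LAN1 and any TCP from LAN2 are permitted with a flow record, while everything else falls through to the deny default without one.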
*A:PE-1# show application-ass group 2:103 policy app-qos-policy 110
===========================================================
Application QOS Policy Entry 110 (Default Subscriber Policy)
===========================================================
Description : FW for managed opted-in subs
Admin State : in-service
Hits : 95 flows
Conflicts : 0 flows
Match :
Traffic Direction : network-to-subscriber
ASO Characteristics :
FW-Protection : eq FW-Protection
Action :
Session Filter : denyUnsolictedwMgntCntrl
================================================================
*A:PE-1# show application-ass group 2:1 session-filter "denyUnsolictedwMgntCntrl"
===========================================================
AA Session Filter Instance "denyUnsolictedwMgntCntrl"
===========================================================
Description : S-FW opted-in sub - allow ISP access
Default Action : deny
AQP Entries : 110
-----------------------------------------------------------
Filter Match Criteria
-----------------------------------------------------------
Entry : 10
Description : allow ICMP access from ISP LAN1
IP Protocol : icmp
Source IP : 10.10.8.0/24
Action : permit
Hits : 3 flows
-----------------------------------------------------------
Entry : 20
Description : allow ICMP access from ISP LAN2
IP Protocol : icmp
Source IP : 192.168.0.0/24
Action : permit
Hits : 21 flows
-----------------------------------------------------------
Entry : 30
Description : allow TCP access from LAN2
IP Protocol : tcp
Source IP : 192.168.0.113/32
Action : permit
Hits : 50 flows
-----------------------------------------------------------
Entry : 40
Description : allow HTTP access from LAN1
IP Protocol : tcp
Source IP : 10.10.8.0/24
Source Port : eq 80
Action : permit
Hits : 2 flows
-----------------------------------------------------------
No. of entries : 4
==========================================================