Configuring system and routing security
System and routing security for peering is configured with four mechanisms: CPM filters, Management Access Filters (MAFs), Access Control List (ACL) filters, and Policy-Based Routing (PBR). The first two protect the control and management plane of the router itself; the last two act on transit traffic at the interface.
CPM filters
CPM filters are hardware-based filters used to restrict traffic from the line cards directed to the CPM, such as control and management packets. Separate configuration is required for IPv4 and IPv6 packet matching conditions. Use prefix lists for groups of IP addresses.
For more information about CPM filters, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide.
Configuring IPv4 CPM filters
The following example contains three entries. The third entry logs and drops all unmatched packets not explicitly treated by the first two entries.
configure filter match-list { ip-prefix-list "SNMP-Source" prefix 192.168.10.30/32 }
configure filter match-list { ip-prefix-list "SSH-Sources" prefix 10.10.100.10/32 }
configure filter match-list { ip-prefix-list "SSH-Sources" prefix 172.16.20.0/24 }
configure system security cpm-filter ip-filter { admin-state enable }
configure system security cpm-filter ip-filter { entry 100 description "SSH Access" }
configure system security cpm-filter ip-filter { entry 100 match protocol tcp }
configure system security cpm-filter ip-filter { entry 100 match src-ip ip-prefix-list "SSH-Sources" }
configure system security cpm-filter ip-filter { entry 100 match dst-port eq 22 }
configure system security cpm-filter ip-filter { entry 100 action accept }
configure system security cpm-filter ip-filter { entry 200 description "SNMP Access" }
configure system security cpm-filter ip-filter { entry 200 match protocol udp }
configure system security cpm-filter ip-filter { entry 200 match src-ip ip-prefix-list "SNMP-Source" }
configure system security cpm-filter ip-filter { entry 200 match dst-port eq 161 }
configure system security cpm-filter ip-filter { entry 200 action accept }
configure system security cpm-filter ip-filter { entry 1000 log 101 }
configure system security cpm-filter ip-filter { entry 1000 action drop }
Configuring IPv6 CPM filters
The following example accepts BGP (TCP port 179) to and from the listed IPv6 peers: entry 700 matches sessions a peer opens toward this router, and entry 750 matches packets from a peer's port 179, that is, replies to sessions this router opens. Unlike the IPv4 example, it has no terminal log-and-drop entry; add one (as entry 1000 does above) if any other IPv6 traffic toward the CPM is to be dropped as well.
configure filter match-list { ipv6-prefix-list "EBGP-v6-PEERS" prefix 2001:a8::4/127 }
configure filter match-list { ipv6-prefix-list "EBGP-v6-PEERS" prefix 2013:ab33:1::54/127 }
configure system security cpm-filter ipv6-filter { admin-state enable }
configure system security cpm-filter ipv6-filter { entry 700 description "Inbound eBGP IPv6 peers" }
configure system security cpm-filter ipv6-filter { entry 700 match next-header tcp }
configure system security cpm-filter ipv6-filter { entry 700 match src-ip ipv6-prefix-list "EBGP-v6-PEERS" }
configure system security cpm-filter ipv6-filter { entry 700 match dst-port eq 179 }
configure system security cpm-filter ipv6-filter { entry 700 action accept }
configure system security cpm-filter ipv6-filter { entry 750 description "Outbound eBGP IPv6 peers" }
configure system security cpm-filter ipv6-filter { entry 750 match next-header tcp }
configure system security cpm-filter ipv6-filter { entry 750 match src-ip ipv6-prefix-list "EBGP-v6-PEERS" }
configure system security cpm-filter ipv6-filter { entry 750 match src-port eq 179 }
configure system security cpm-filter ipv6-filter { entry 750 action accept }
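The CPM filter pattern above (one accept entry per service, each tied to a named prefix list, IPv4 and IPv6 configured separately, and a final entry that logs and drops the rest) can be generated rather than typed. The following Python script is an added example, not Nokia code: its service table, entry numbering, prefix-list names and log id are assumptions, and the line format follows the page's flattened MD-CLI form. It keeps prefixes of the wrong address family out of each filter, refuses to emit an accept entry backed by a default prefix, and always numbers the catch-all drop after every accept.

```python
"""Build SR OS CPM filter configuration in the flattened MD-CLI form used on
this page, from a table of management and control-plane services.

Added example, not Nokia code.  The SERVICES table, entry numbering and log id
are assumptions for illustration; the command syntax follows the page.
"""
import ipaddress

# Constructed service table (assumption): description, protocol, which port
# side to match ("dst" for traffic to the CPM, "src" for replies to sessions
# the router opened), port, prefix-list name, permitted prefixes.
SERVICES = [
    ("SSH Access", "tcp", "dst", 22, "SSH-Sources",
     ["10.10.100.10/32", "172.16.20.0/24"]),
    ("SNMP Access", "udp", "dst", 161, "SNMP-Source", ["192.168.10.30/32"]),
    ("Inbound eBGP IPv6 peers", "tcp", "dst", 179, "EBGP-v6-PEERS",
     ["2001:a8::4/127", "2013:ab33:1::54/127"]),
    ("Outbound eBGP IPv6 peers", "tcp", "src", 179, "EBGP-v6-PEERS",
     ["2001:a8::4/127", "2013:ab33:1::54/127"]),
]


def build_cpm_filter(services, version, first_entry=100, step=100,
                     catch_all=1000, log_id=101):
    """Return the config lines for one address family (4 or 6).

    Every accept entry is tied to a non-empty, family-specific prefix list,
    and the last entry always logs and drops whatever the accepts missed.
    """
    if version == 4:
        flt, list_kw, proto_kw = "ip-filter", "ip-prefix-list", "protocol"
    elif version == 6:
        flt, list_kw, proto_kw = "ipv6-filter", "ipv6-prefix-list", "next-header"
    else:
        raise ValueError("version must be 4 or 6")
    base = f"configure system security cpm-filter {flt}"

    lists, entries, seen = [], [], set()
    entry = first_entry
    for desc, proto, side, port, list_name, prefixes in services:
        # strict=True rejects prefixes with host bits set (e.g. 10.0.0.1/24),
        # which in an allow list usually means a typo.
        nets = [n for n in (ipaddress.ip_network(p, strict=True) for p in prefixes)
                if n.version == version]
        if not nets:
            continue  # no sources in this family: no accept entry at all
        if any(n.prefixlen == 0 for n in nets):
            raise ValueError(f"{list_name}: a default prefix would make entry {entry} unrestricted")
        if entry >= catch_all:
            raise ValueError("accept entries would be numbered after the catch-all drop")
        for n in nets:
            line = f'configure filter match-list {{ {list_kw} "{list_name}" prefix {n.with_prefixlen} }}'
            if line not in seen:  # one list may back several entries
                seen.add(line)
                lists.append(line)
        entries += [
            f'{base} {{ entry {entry} description "{desc}" }}',
            f"{base} {{ entry {entry} match {proto_kw} {proto} }}",
            f'{base} {{ entry {entry} match src-ip {list_kw} "{list_name}" }}',
            f"{base} {{ entry {entry} match {side}-port eq {port} }}",
            f"{base} {{ entry {entry} action accept }}",
        ]
        entry += step

    catch = [f"{base} {{ entry {catch_all} log {log_id} }}",
             f"{base} {{ entry {catch_all} action drop }}"]
    return lists + [f"{base} {{ admin-state enable }}"] + entries + catch


if __name__ == "__main__":
    for fam in (4, 6):
        print("\n".join(build_cpm_filter(SERVICES, fam)))
```

Running the script prints the IPv4 filter (entries 100 and 200 plus the drop at 1000) followed by the IPv6 filter, in which only the two eBGP rows survive the family check and the outbound row becomes a src-port match, as entry 750 is on the page.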
show system security cpm-filter ip-filter entry 1000
CPM filter entry output
===============================================================================
CPM IP Filter Entry
===============================================================================
Entry Id : 1000
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Entry Match Criteria :
-------------------------------------------------------------------------------
Log Id : 101
Src. IP : n/a
Src. Port : n/a
Dst. IP : n/a
Dest. Port : n/a
Protocol : none Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Option-present : Off
IP-Option : n/a Multiple Option : Off
TCP-syn : Off TCP-ack : Off
Action : Forward
Match Router ID : n/a
Dropped pkts : 0 Forwarded pkts : 0
===============================================================================
Management Access Filter
The CPM uses Management Access Filters (MAFs) to filter both traffic from the line cards directed to the CPM CPU and traffic arriving on the management Ethernet port. Separate configuration is required for IPv4 and IPv6 packet matching conditions.
Prefix lists can be used for groups of IP addresses.
For more information about MAFs, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide.
Configuring IPv4 MAFs
The following example shows three entries. The third entry logs and drops all unmatched packets not explicitly treated by the first two entries, and default-action drop covers anything the entries do not match.
configure system security management-access-filter ip-filter { default-action drop }
configure system security management-access-filter ip-filter { entry 100 description "Permit SSH Prefix" }
configure system security management-access-filter ip-filter { entry 100 action accept }
configure system security management-access-filter ip-filter { entry 100 match router-instance "management" }
configure system security management-access-filter ip-filter { entry 100 match protocol tcp }
configure system security management-access-filter ip-filter { entry 100 match src-ip ip-prefix-list "SSH-Sources" }
configure system security management-access-filter ip-filter { entry 100 match mgmt-port cpm }
configure system security management-access-filter ip-filter { entry 100 match dst-port port 22 }
configure system security management-access-filter ip-filter { entry 200 description "Permit SNMP Prefix" }
configure system security management-access-filter ip-filter { entry 200 action accept }
configure system security management-access-filter ip-filter { entry 200 match router-instance "management" }
configure system security management-access-filter ip-filter { entry 200 match protocol udp }
configure system security management-access-filter ip-filter { entry 200 match src-ip ip-prefix-list "SNMP-Source" }
configure system security management-access-filter ip-filter { entry 200 match mgmt-port cpm }
configure system security management-access-filter ip-filter { entry 200 match dst-port port 161 }
configure system security management-access-filter ip-filter { entry 2000 description "Management Plane Default" }
configure system security management-access-filter ip-filter { entry 2000 action drop }
configure system security management-access-filter ip-filter { entry 2000 log-events true }
configure system security management-access-filter ip-filter { entry 2000 match router-instance "management" }
configure system security management-access-filter ip-filter { entry 2000 match mgmt-port cpm }
Configuring IPv6 MAFs
The following example shows the configuration of IPv6 MAFs. Entry 10 accepts TCP and UDP from the listed eBGP IPv6 peers; entry 1000 then accepts all remaining IPv6 traffic arriving on the CPM port in the management router instance, so the default-action drop only applies to traffic that matches neither entry.
configure filter match-list { ipv6-prefix-list "EBGP-v6-PEERS" prefix 2001:a8::4/127 }
configure filter match-list { ipv6-prefix-list "EBGP-v6-PEERS" prefix 2013:ab33:1::54/127 }
configure system security management-access-filter ipv6-filter { default-action drop }
configure system security management-access-filter ipv6-filter { entry 10 match router-instance "management" }
configure system security management-access-filter ipv6-filter { entry 10 action accept }
configure system security management-access-filter ipv6-filter { entry 10 match mgmt-port cpm }
configure system security management-access-filter ipv6-filter { entry 10 match next-header tcp-udp }
configure system security management-access-filter ipv6-filter { entry 10 match src-ip ipv6-prefix-list "EBGP-v6-PEERS" }
configure system security management-access-filter ipv6-filter { entry 1000 action accept }
configure system security management-access-filter ipv6-filter { entry 1000 match router-instance "management" }
configure system security management-access-filter ipv6-filter { entry 1000 match mgmt-port cpm }
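The reverse direction is just as useful: reading an existing CPM filter or MAF back in and checking it against the pattern this page describes. The following Python script is an added example, not Nokia code. It parses lines in the page's flattened MD-CLI form (tolerating the brace placement differences seen in the examples), rebuilds each filter's ordered entries, and flags accept entries with no src-ip prefix list, CPM filters whose highest-numbered entry is not a drop, drops that are not logged, and entries numbered after an entry that already matches everything. The sample it runs on is an abridged, constructed copy of the page's own IPv4 CPM, IPv6 CPM and IPv6 MAF examples; on that input it reports the IPv6 CPM filter's missing terminal drop and the IPv6 MAF's entry 1000, which accepts everything on the management path that entry 10 did not match. The rule set is the editor's reading of the page's "accept named sources, log and drop the rest" pattern, not a Nokia recommendation.

```python
"""Audit SR OS CPM filter / MAF configuration given in the flattened MD-CLI
form used on this page.

Added example, not Nokia code.  The checks encode the page's pattern of
named-source accept entries followed by a logged catch-all drop.
"""
import re

_TOKEN = re.compile(r'"[^"]*"|\S+')

# Constructed sample: abridged copies of the page's IPv4 CPM filter, IPv6 CPM
# filter and IPv6 MAF, including the MAF's mixed brace placement.
SAMPLE = """\
configure system security cpm-filter ip-filter { admin-state enable }
configure system security cpm-filter ip-filter { entry 100 match protocol tcp }
configure system security cpm-filter ip-filter { entry 100 match src-ip ip-prefix-list "SSH-Sources" }
configure system security cpm-filter ip-filter { entry 100 match dst-port eq 22 }
configure system security cpm-filter ip-filter { entry 100 action accept }
configure system security cpm-filter ip-filter { entry 1000 log 101 }
configure system security cpm-filter ip-filter { entry 1000 action drop }
configure system security cpm-filter ipv6-filter { entry 700 match next-header tcp }
configure system security cpm-filter ipv6-filter { entry 700 match src-ip ipv6-prefix-list "EBGP-v6-PEERS" }
configure system security cpm-filter ipv6-filter { entry 700 match dst-port eq 179 }
configure system security cpm-filter ipv6-filter { entry 700 action accept }
configure system security management-access-filter ipv6-filter default-action drop
configure system security management-access-filter ipv6-filter entry 10 { match router-instance "management" }
configure system security management-access-filter ipv6-filter { entry 10 action accept }
configure system security management-access-filter ipv6-filter { entry 10 match src-ip ipv6-prefix-list "EBGP-v6-PEERS" }
configure system security management-access-filter ipv6-filter entry 1000 { action accept }
configure system security management-access-filter ipv6-filter entry 1000 { match router-instance "management" }
configure system security management-access-filter ipv6-filter entry 1000 { match mgmt-port cpm }
"""

# Match keys that select an ingress path rather than narrow the sender.
PATH_ONLY = {"router-instance", "mgmt-port"}


def parse_filters(text):
    """Group lines by (filter kind, family) into settings and numbered entries."""
    filters = {}
    for raw in text.splitlines():
        toks = [t for t in _TOKEN.findall(raw) if t not in ("{", "}")]
        if toks[:3] != ["configure", "system", "security"] or len(toks) < 6:
            continue  # match-list definitions and anything else are not filters
        flt = filters.setdefault((toks[3], toks[4]), {"settings": {}, "entries": {}})
        rest = toks[5:]
        if rest[0] != "entry":  # filter-level knob: default-action, admin-state
            flt["settings"][rest[0]] = " ".join(rest[1:])
            continue
        ent = flt["entries"].setdefault(int(rest[1]), {"match": {}})
        body = rest[2:]
        if body[0] == "match":
            ent["match"][body[1]] = " ".join(body[2:])
        elif body[0] in ("log", "log-events"):
            ent["log"] = body[1]
        else:  # action, description
            ent[body[0]] = " ".join(body[1:]).strip('"')
    return filters


def audit(filters):
    """Return (filter name, entry number or None, problem) tuples."""
    findings = []
    for (kind, family), flt in filters.items():
        name = f"{kind} {family}"
        entries = sorted(flt["entries"].items())  # evaluation order
        if kind == "management-access-filter" and flt["settings"].get("default-action") != "drop":
            findings.append((name, None, "default-action is not drop"))
        if kind == "cpm-filter" and (not entries or entries[-1][1].get("action") != "drop"):
            findings.append((name, None, "last entry is not an explicit drop"))
        catch_all = None
        for num, ent in entries:
            if catch_all is not None:
                findings.append((name, num, f"unreachable: entry {catch_all} already matches everything"))
                continue
            if ent.get("action") == "accept" and "src-ip" not in ent["match"]:
                findings.append((name, num, "accept without src-ip prefix constraint"))
            if ent.get("action") == "drop" and "log" not in ent:
                findings.append((name, num, "drop without logging"))
            if not set(ent["match"]) - PATH_ONLY:
                catch_all = num  # nothing numbered higher can be reached
    return findings


if __name__ == "__main__":
    for flt, num, msg in audit(parse_filters(SAMPLE)):
        print(f"{flt} entry {num}: {msg}" if num else f"{flt}: {msg}")
```

The parser strips the braces before tokenizing, which is why it accepts both `entry 10 { match ... }` and `{ entry 10 match ... }`; the audit treats router-instance and mgmt-port as path selectors rather than sender constraints, so an entry carrying only those two is a catch-all for that path.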
show system security management-access-filter ip-filter entry 2000
IPv4 MAF output
===============================================================================
IPv4 Management Access Filter
===============================================================================
filter type : ip
Def. Action : deny
Admin Status : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry : 2000
Description : Management Plane Default
Src-ip : undefined
Mgmt-port : cpm
Protocol : undefined
Dst-port : undefined
Src-port : undefined
Router-instance: management
Action : permit
Log : enabled
Matches : 1424
===============================================================================
ACLs
ACL filter policies, also referred to as Access Control Lists (ACLs) or simply "filters", are sets of ordered rule entries specifying packet match criteria and the action performed on a packet after a match. Entries are evaluated in ascending entry order; a packet that matches no entry receives the filter's default action, which is drop unless configured otherwise, so a filter containing only accept entries blocks everything it does not name. Filter policies are created with a unique filter ID and filter name. After the filter policy is created, the policy must be associated with interfaces or services.
For more information about ACL configuration, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
Configuring and applying ACL filter policies
configure filter match-list port-list "AS7xx-Ports" { port 179 }
configure filter match-list port-list "AS7xx-Ports" range start 30000 end 64000 { }
configure filter ip-filter "AS700-ALLOW" filter-id 700
configure filter ip-filter "AS700-ALLOW" entry 10 { match protocol tcp }
configure filter ip-filter "AS700-ALLOW" entry 10 { match src-ip ip-prefix-list "SSH-Sources" }
configure filter ip-filter "AS700-ALLOW" entry 10 { match dst-ip ip-prefix-list "SNMP-Source" }
configure filter ip-filter "AS700-ALLOW" entry 10 { action accept }
configure filter ipv6-filter "AS-IPv6-ALLOW" filter-id 800
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 10 { match next-header tcp }
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 10 { match src-ip ipv6-prefix-list "EBGP-v6-PEERS" }
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 10 { match src-port port-list "AS7xx-Ports" }
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 10 { action accept }
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 20 { match next-header tcp }
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 20 { match dst-ip ipv6-prefix-list "EBGP-v6-PEERS" }
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 20 { match dst-port port-list "AS7xx-Ports" }
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 20 { action accept }
configure router "Base" interface "To-Peering-LAN" ingress { filter ip "AS700-ALLOW" }
configure router "Base" interface "To-Peering-LAN" ingress { filter ipv6 "AS-IPv6-ALLOW" }
Rate limiting DDoS traffic
Use ACL policies to rate limit NTP, DNS, or other common DDoS packet types instead of dropping them outright, so legitimate traffic of the same type keeps flowing at a bounded rate.
For more information about ACL configuration, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
Rate limiting NTP and DNS packets
In the following example, rate limits are configured for NTP and DNS packets matched on UDP, packet length, port and destination IP. The packet-length gt 600 condition singles out the large responses characteristic of NTP and DNS amplification rather than ordinary queries, which is why the filter is first given type packet-length; the pir value is the permitted rate in kilobits per second.
configure filter match-list ip-prefix-list "Core-IP" { prefix 172.16.20.0/24 }
configure filter ip-filter "AS700-ALLOW" type packet-length
configure filter ip-filter "AS700-ALLOW" entry 20 { match protocol udp }
configure filter ip-filter "AS700-ALLOW" entry 20 { match dst-ip ip-prefix-list "Core-IP" }
configure filter ip-filter "AS700-ALLOW" entry 20 { match port eq 123 }
configure filter ip-filter "AS700-ALLOW" entry 20 { match packet-length gt 600 }
configure filter ip-filter "AS700-ALLOW" entry 20 { action accept }
configure filter ip-filter "AS700-ALLOW" entry 20 { action rate-limit pir 1000 }
configure filter ip-filter "AS700-ALLOW" entry 30 { match protocol udp }
configure filter ip-filter "AS700-ALLOW" entry 30 { match dst-ip ip-prefix-list "Core-IP" }
configure filter ip-filter "AS700-ALLOW" entry 30 { match port eq 53 }
configure filter ip-filter "AS700-ALLOW" entry 30 { match packet-length gt 600 }
configure filter ip-filter "AS700-ALLOW" entry 30 { action accept }
configure filter ip-filter "AS700-ALLOW" entry 30 { action rate-limit pir 1000 }
Redirecting suspicious traffic
Use ACL policies to redirect suspicious DDoS packets to a scrubbing device. This is achieved using Policy-Based Routing (PBR) and Policy-Based Forwarding (PBF) actions under the ACL context.
For more information about ACL configuration, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
Redirecting packets to a different next hop based on source or destination IP match
configure filter match-list ip-prefix-list "Core-IP" { prefix 172.16.20.0/24 }
configure filter ip-filter "pbr-nh-1" filter-id 788
configure filter ip-filter "pbr-nh-1" entry 10 { match src-ip ip-prefix-list "Core-IP" }
configure filter ip-filter "pbr-nh-1" entry 10 { action forward next-hop nh-ip address 172.19.20.3 }
configure filter ip-filter "pbr-nh-1" entry 20 { match dst-ip ip-prefix-list "Core-IP" }
configure filter ip-filter "pbr-nh-1" entry 20 { action forward next-hop nh-ip indirect true }
configure filter ip-filter "pbr-nh-1" entry 20 { action forward next-hop nh-ip address 192.168.40.3 }
configure router "Base" interface "Interface-to-AS65501" ingress { filter ip "pbr-nh-1" }
ACL show commands
For more information about ACL configuration, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
Use the following show commands to display IPv4 filter information.
show filter ip 10 associations
show filter ip 10 counters
show filter ip 10 detail
Use the following command to display all system resource usage information.
tools dump resource-usage system all | match "ACL|Total"
PBR
SR OS-based routers support IPv4 and IPv6 redirect policies. A redirect policy lets the user specify multiple redirect target destinations and define status check test methods that validate whether a destination can receive redirected traffic. For more information about Policy-Based Routing (PBR) configuration, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
The following example uses a ping test to verify the destination. If the destination does not answer, traffic is not redirected to it and regular route forwarding takes place, so a failed scrubbing device does not become a black hole.
Configuring policy-based routing
configure filter redirect-policy "FIREWALL-V4" admin-state enable
configure filter redirect-policy "FIREWALL-V4" destination 10.200.200.0 { ping-test interval 5 }
configure filter redirect-policy "FIREWALL-V4" destination 10.200.200.0 { ping-test drop-count 1 }
configure filter ip-filter "ACL_PBR_V4" filter-id 155
configure filter ip-filter "ACL_PBR_V4" entry 1000 { match protocol ip }
configure filter ip-filter "ACL_PBR_V4" entry 1000 { action forward redirect-policy "FIREWALL-V4" }