Configuring system and routing security
To configure the system and routing security for peering, users can configure CPM filters, Management Access Filters (MAF), Access Control List filters (ACL), and Policy-based Routing (PBR).
CPM filters
CPM filters are hardware-based filters used to restrict traffic from the line cards directed to the CPM, such as control and management packets. Separate configuration is required for IPv4 and IPv6 packet matching conditions. Use prefix lists for groups of IP addresses. SR OS supports the use of the apply-path command.to autogenerate the IPv4 and IPv6 prefix list entries for BGP peers.
For more information about CPM filters, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide.
Configuring IPv4 and IPv6 prefix list using apply-path
configure filter match-list ip-prefix-list "bgp-neighbors" apply-path bgp-peers 1 group "^eBGP-.*"
configure filter match-list ip-prefix-list "bgp-neighbors" apply-path bgp-peers 1 neighbor "^192.*"
configure filter match-list ip-prefix-list "bgp-neighbors" apply-path bgp-peers 1 router-instance "Base"
configure filter match-list ipv6-prefix-list "eBGP-v6-Peers" apply-path bgp-peers 1 group "^eBGP-.*"
configure filter match-list ipv6-prefix-list "eBGP-v6-Peers" apply-path bgp-peers 1 neighbor ".*"
configure filter match-list ipv6-prefix-list "eBGP-v6-Peers" apply-path bgp-peers 1 router-instance "Base"
Configuring IPv4 CPM filters
The following example contains three entries. The third entry logs and drops all unmatched packets not explicitly treated by the first two entries.
configure filter match-list { ip-prefix-list "SNMP-Source" prefix 192.168.10.30/32 }
configure filter match-list { ip-prefix-list "SSH-Sources" prefix 10.10.100.10/32 }
configure filter match-list { ip-prefix-list "SSH-Sources" prefix 172.16.20.0/24 }
configure system security cpm-filter ip-filter admin-state enable
configure system security cpm-filter ip-filter entry 100 description "SSH Access"
configure system security cpm-filter ip-filter entry 100 match protocol tcp
configure system security cpm-filter ip-filter entry 100 match src-ip ip-prefix-list "SSH-Sources"
configure system security cpm-filter ip-filter entry 100 match dst-port eq 22
configure system security cpm-filter ip-filter entry 100 action accept
configure system security cpm-filter ip-filter entry 200 description "SNMP Access"
configure system security cpm-filter ip-filter entry 200 match protocol udp
configure system security cpm-filter ip-filter entry 200 match src-ip ip-prefix-list "SNMP-Source"
configure system security cpm-filter ip-filter entry 200 match dst-port eq 161
configure system security cpm-filter ip-filter entry 200 action accept
configure system security cpm-filter ip-filter entry 1000 log 101
configure system security cpm-filter ip-filter entry 1000 action drop
Configuring IPv6 CPM filters
configure filter match-list { ipv6-prefix-list "EBGP-v6-PEERS" prefix 2001:a8::4/127 }
configure filter match-list { ipv6-prefix-list "EBGP-v6-PEERS" prefix 2013:ab33:1::54/127 }
configure system security cpm-filter ipv6-filter admin-state enable
configure system security cpm-filter ipv6-filter entry 700 description "Inbound eBGP IPv6 peers"
configure system security cpm-filter ipv6-filter entry 700 match next-header tcp
configure system security cpm-filter ipv6-filter entry 700 match src-ip ipv6-prefix-list "EBGP-v6-PEERS"
configure system security cpm-filter ipv6-filter entry 700 match dst-port eq 179
configure system security cpm-filter ipv6-filter entry 700 action accept
configure system security cpm-filter ipv6-filter entry 750 description "Outbound eBGP IPv6 peers"
configure system security cpm-filter ipv6-filter entry 750 match next-header tcp
configure system security cpm-filter ipv6-filter entry 750 match src-ip ipv6-prefix-list "EBGP-v6-PEERS"
configure system security cpm-filter ipv6-filter entry 750 match src-port eq 179
configure system security cpm-filter ipv6-filter entry 750 action accept
show system security cpm-filter ip-filter entry 1000
CPM filter entry output
===============================================================================
CPM IP Filter Entry
===============================================================================
Entry Id : 1000
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Entry Match Criteria :
-------------------------------------------------------------------------------
Log Id : 101
Src. IP : n/a
Src. Port : n/a
Dst. IP : n/a
Dest. Port : n/a
Protocol : none Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Option-present : Off
IP-Option : n/a Multiple Option : Off
TCP-syn : Off TCP-ack : Off
Action : Forward
Match Router ID : n/a
Dropped pkts : 0 Forwarded pkts : 0
===============================================================================
Management Access Filter
The CPM uses Management Access Filters (MAFs) to perform filtering that applies to both traffic from the line cards directed to the CPM's CPU, as well as traffic from the management Ethernet port. Separate configuration is required for IPv4 and IPv6 packet matching conditions.
Prefix lists can be used for groups of IP addresses.
For more information about MAFs, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide.
The following example shows three entries. The third entry logs and drops all unmatched packets not explicitly treated by the first two entries.
Configuring IPv4 MAFs
configure system security management-access-filter ip-filter default-action drop
configure system security management-access-filter ip-filter entry 100 description "Permit SSH Prefix"
configure system security management-access-filter ip-filter entry 100 action accept
configure system security management-access-filter ip-filter entry 100 match router-instance "management"
configure system security management-access-filter ip-filter entry 100 match protocol tcp
configure system security management-access-filter ip-filter entry 100 match src-ip ip-prefix-list "SSH-Sources"
configure system security management-access-filter ip-filter entry 100 match mgmt-port cpm
configure system security management-access-filter ip-filter entry 100 match dst-port port 22
configure system security management-access-filter ip-filter entry 200 description "Permit SNMP Prefix"
configure system security management-access-filter ip-filter entry 200 action accept
configure system security management-access-filter ip-filter entry 200 match router-instance "management"
configure system security management-access-filter ip-filter entry 200 match protocol udp
configure system security management-access-filter ip-filter entry 200 match src-ip ip-prefix-list "SNMP-Source"
configure system security management-access-filter ip-filter entry 200 match mgmt-port cpm
configure system security management-access-filter ip-filter entry 200 match dst-port port 161
configure system security management-access-filter ip-filter entry 2000 description "Management Plane Default"
configure system security management-access-filter ip-filter entry 2000 action drop
configure system security management-access-filter ip-filter entry 2000 log-events true
configure system security management-access-filter ip-filter entry 2000 match router-instance "management"
configure system security management-access-filter ip-filter entry 2000 match mgmt-port cpm
Configuring IPv6 MAFs
The following example displays the configuration of MAF IPv6 filters.
configure filter match-list { ipv6-prefix-list "EBGP-v6-PEERS" prefix 2001:a8::4/127 }
configure filter match-list { ipv6-prefix-list "EBGP-v6-PEERS" prefix 2013:ab33:1::54/127 }
configure system security management-access-filter ipv6-filter default-action drop
configure system security management-access-filter ipv6-filter entry 10 match router-instance "management"
configure system security management-access-filter ipv6-filter entry 10 action accept
configure system security management-access-filter ipv6-filter entry 10 match mgmt-port cpm
configure system security management-access-filter ipv6-filter entry 10 match next-header tcp-udp
configure system security management-access-filter ipv6-filter entry 10 match src-ip ipv6-prefix-list "EBGP-v6-PEERS"
configure system security management-access-filter ipv6-filter entry 1000 action accept
configure system security management-access-filter ipv6-filter entry 1000 match router-instance "management"
configure system security management-access-filter ipv6-filter entry 1000 match mgmt-port cpm
show system security management-access-filter ip-filter entry 2000
IPv4 MAF output
===============================================================================
IPv4 Management Access Filter
===============================================================================
filter type : ip
Def. Action : deny
Admin Status : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry : 2000
Description : Management Plane Default
Src-ip : undefined
Mgmt-port : cpm
Protocol : undefined
Dst-port : undefined
Src-port : undefined
Router-instance: management
Action : permit
Log : enabled
Matches : 1424
===============================================================================
ACLs
ACL filter policies, also referred to as Access Control Lists (ACLs) or just ‟filters”, are sets of ordered rule entries specifying packet match criteria and actions performed on a packet after a match. Filter policies are created with a unique filter ID and filter name. After the filter policy is created, the policy must be associated with interfaces or services.
For more information about ACL configuration, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
Configuring and applying ACL filter policies
configure filter match-list port-list "AS7xx-Ports" { port 179 }
configure filter match-list port-list "AS7xx-Ports" range start 30000 end 64000
configure filter ip-filter "AS700-ALLOW" filter-id 700
configure filter ip-filter "AS700-ALLOW" entry 10 match protocol tcp
configure filter ip-filter "AS700-ALLOW" entry 10 match src-ip ip-prefix-list "SSH-Sources"
configure filter ip-filter "AS700-ALLOW" entry 10 match dst-ip ip-prefix-list "SNMP-Source"
configure filter ip-filter "AS700-ALLOW" entry 10 action accept
configure filter ipv6-filter "AS-IPv6-ALLOW" filter-id 800
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 10 match next-header tcp
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 10 match src-ip ipv6-prefix-list "EBGP-v6-PEERS"
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 10 match src-port port-list "AS7xx-Ports"
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 10 action accept
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 20 match next-header tcp
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 20 match dst-ip ipv6-prefix-list "EBGP-v6-PEERS"
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 20 match dst-port port-list "AS7xx-Ports"
configure filter ipv6-filter "AS-IPv6-ALLOW" entry 20 action accept
configure router "Base" interface "To-Peering-LAN" ingress filter ip "AS700-ALLOW"
configure router "Base" interface "To-Peering-LAN" ingress filter ipv6 "AS-IPv6-ALLOW"
Rate limiting DDoS traffic
Use ACL policies to rate limit NTP, DNS, or other types of common DDoS packet types.
For more information about ACL configuration, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
Rate limiting NTP and DNS packets
In the following example, rate limits are configured for NTP and DNS packets based on UDP, packet length, ports and destination IP.
configure filter match-list ip-prefix-list "Core-IP" { prefix 172.16.20.0/24 }
configure filter ip-filter "AS700-ALLOW" type packet-length
configure filter ip-filter "AS700-ALLOW" entry 20 match protocol udp
configure filter ip-filter "AS700-ALLOW" entry 20 match dst-ip ip-prefix-list "Core-IP"
configure filter ip-filter "AS700-ALLOW" entry 20 match port eq 123
configure filter ip-filter "AS700-ALLOW" entry 20 match packet-length gt 600
configure filter ip-filter "AS700-ALLOW" entry 20 action accept
configure filter ip-filter "AS700-ALLOW" entry 20 action rate-limit pir 1000
configure filter ip-filter "AS700-ALLOW" entry 30 match protocol udp
configure filter ip-filter "AS700-ALLOW" entry 30 match dst-ip ip-prefix-list "Core-IP"
configure filter ip-filter "AS700-ALLOW" entry 30 match port eq 53
configure filter ip-filter "AS700-ALLOW" entry 30 match packet-length gt 600
configure filter ip-filter "AS700-ALLOW" entry 30 action accept
configure filter ip-filter "AS700-ALLOW" entry 30 action rate-limit pir 1000
Redirecting suspicious traffic
Use ACL policies to redirect suspicious DDoS packets to a scrubbing device. This is achieved using Policy-Based Routing (PBR) and Policy-Based Forwarding (PBF) actions under the ACL context.
For more information about ACL configuration, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
Redirecting packets to a different next hop based on source or destination IP match
configure filter match-list ip-prefix-list "Core-IP" { prefix 172.16.20.0/24 }
configure filter ip-filter "pbr-nh-1" filter-id 788
configure filter ip-filter "pbr-nh-1" entry 10 match src-ip ip-prefix-list "Core-IP”
configure filter ip-filter "pbr-nh-1" entry 10 action forward next-hop nh-ip address 172.19.20.3
configure filter ip-filter "pbr-nh-1" entry 20 match dst-ip ip-prefix-list “Core-IP"
configure filter ip-filter "pbr-nh-1" entry 20 action forward next-hop nh-ip indirect true
configure filter ip-filter "pbr-nh-1" entry 20 action forward next-hop nh-ip address 192.168.40.3
configure router "Base" interface "Interface-to-AS65501" ingress filter ip "pbr-nh-1"
ACL show commands
For more information about ACL configuration, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
Use the following show commands to display IPv4 filter information.
show filter ip 10 associations
show filter ip 10 counters
show filter ip 10 detail
Use the following command to display all system resource usage information.
tools dump resource-usage system all | match ‘ACL|Total’
PBR
SR OS-based routers support configuring of IPv4 and IPv6 redirect policies. Redirect policies allow a user to specify multiple redirect target destinations and define status check test methods to validate the ability for a destination to receive redirected traffic. For more information about Policy-Based Routing (PBR) configuration, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
The following example displays a ping test used to verify the destination. If the destination is not reachable, traffic is not redirected to that destination, and regular route forwarding takes place.
Configuring policy-based routing
configure filter redirect-policy "FIREWALL-V4" admin-state enable
configure filter redirect-policy "FIREWALL-V4" destination 10.200.200.0 ping-test interval 5
configure filter redirect-policy "FIREWALL-V4" destination 10.200.200.0 ping-test drop-count 1
configure filter ip-filter "ACL_PBR_V4" filter-id 155
configure filter ip-filter "ACL_PBR_V4" entry 1000 match protocol ip
configure filter ip-filter "ACL_PBR_V4" entry 1000 action forward redirect-policy "FIREWALL-V4"