Ethernet Switching

firewall rule to protect Ex switch from flood?

09-29-2018 01:39 PM

Hello Community,

Can anyone guide me on how to write a firewall rule to protect EX switches from:

ICMP Flood DDoS

SYN Flood

ACK Flood

TCP Connection Flood

UDP Flood DDoS

In case the DDoS is above, say, X gig, it should auto null-route the IP.

The EX switch has 2x10G or 4x10G.

Thanks in advance.


Re: firewall rule to protect Ex switch from flood?

09-29-2018 06:28 PM

Hi Folks,

Just thought of sharing a sample filter used in VPLS:

[edit firewall]
family vpls {
    filter sptflooding-protect {
        /* Cisco PVST+ BPDUs */
        term discard_pvst {
            from {
                destination-mac-address {
                    01:00:0c:cc:cc:cd/48;
                }
            }
            then {
                count pvst;
                discard;
            }
        }
        /* IEEE 802.1D STP BPDUs */
        term discard_st {
            from {
                destination-mac-address {
                    01:80:c2:00:00:00/48;
                }
            }
            then {
                count stp;
                discard;
            }
        }
        /* CDP (the same MAC is shared by VTP, DTP, PAgP and UDLD) */
        term discard_cdp {
            from {
                destination-mac-address {
                    01:00:0c:cc:cc:cc/48;
                }
            }
            then {
                count cdp;
                discard;
            }
        }
        /* Cisco UplinkFast frames */
        term discard_stp_upfast {
            from {
                destination-mac-address {
                    01:00:0c:cd:cd:cd/48;
                }
            }
            then {
                count stp_upfast;
                discard;
            }
        }
        /* Cisco VLAN Bridge STP */
        term discard_vlan-bridge {
            from {
                destination-mac-address {
                    01:00:0c:cd:cd:ce/48;
                }
            }
            then {
                count vlan-bridge;
                discard;
            }
        }
        /* Everything else is forwarded normally */
        term default {
            then accept;
        }
    }
}


-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: firewall rule to protect Ex switch from flood?

09-29-2018 06:33 PM

Hi Folks,

If you are looking for a loopback filter, the URL below on “Using loopback filter to protect M, T, MX routers' routing-engine from DoS attack” is quite useful:

https://kb.juniper.net/InfoCenter/index?page=content&id=TN226&cat=&actp=LIST

-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: firewall rule to protect Ex switch from flood?

09-30-2018 02:47 AM

It's for M or T series routers, but we are looking for an EX access switch.


Re: firewall rule to protect Ex switch from flood?

09-30-2018 03:50 AM

There is some limited protection configuration available if your EX platform and Junos version are on the feature list here:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/ddos.html


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: firewall rule to protect Ex switch from flood?

09-30-2018 10:29 PM

Is it a pure L2 device? Or are you expecting L3 as well?

-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: firewall rule to protect Ex switch from flood?

09-30-2018 11:07 PM

Just to add, it is convenient to have forwarding-plane protection for broadcast, unknown-unicast and multicast traffic. Forwarding-plane protection eliminates the replicated traffic, maintaining network services and minimizing/avoiding service degradation.


[edit firewall family vpls]
filter flood-filter-10M {
    /* Each BUM class is accepted, but only up to the policer's rate */
    term broadcast-traffic {
        from {
            traffic-type broadcast;
        }
        then {
            policer POLICER-BUM;
            accept;
        }
    }
    term multicast-traffic {
        from {
            traffic-type multicast;
        }
        then {
            policer POLICER-BUM;
            accept;
        }
    }
    term unknown-unicast-traffic {
        from {
            traffic-type unknown-unicast;
        }
        then {
            policer POLICER-BUM;
            accept;
        }
    }
}

[edit]
user@host# show firewall policer POLICER-BUM
if-exceeding {
    bandwidth-limit 10m;
    burst-size-limit 10m;
}
then discard;

/* The flood filter is applied to the VPLS instance's flooded traffic */
routing-instances {
    <NAME> {
        forwarding-options {
            family vpls {
                flood {
                    input flood-filter-10M;
                }
            }
        }
    }
}


In summary, remember that a broadcast storm will impact both the network control plane and the forwarding plane, and both must be protected: the first to protect the network integrity and therefore all the services, the second to minimize the service degradation.


-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.
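As an added example for the original question (not taken from any reply above, and not a Juniper-published configuration), the following Junos stateless lo0 filter covers the control-plane half of the distinction made in the last reply: it rate-limits ICMP and TCP SYN traffic addressed to the switch's own routing engine and drops anything to the RE that is not explicitly allowed, so ICMP, SYN, ACK and UDP floods aimed at the switch itself are capped or discarded before they reach the CPU. Transit floods through the switch are a forwarding-plane matter and need interface-level policers like the POLICER-BUM example above. The names PROTECT-RE, ICMP-1M, TCP-SYN-2M and MGMT-HOSTS, the rates, and the 192.0.2.0/24 management prefix are placeholders chosen here, and the example assumes an EX platform and Junos release that support family inet filters with policers on lo0.

```junos
/* Added example, not from the thread. All names, rates and the 192.0.2.0/24
   prefix are placeholders; adjust to the real management subnet and the
   protocols the switch itself needs (routing protocols, DHCP, SNMP, ...). */
policy-options {
    prefix-list MGMT-HOSTS {
        192.0.2.0/24;                    /* placeholder: trusted management subnet */
    }
}
firewall {
    policer ICMP-1M {
        if-exceeding {
            bandwidth-limit 1m;          /* ICMP to the RE above 1 Mbps is dropped */
            burst-size-limit 15k;
        }
        then discard;
    }
    policer TCP-SYN-2M {
        if-exceeding {
            bandwidth-limit 2m;          /* new TCP connections to the RE above 2 Mbps are dropped */
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            /* Management sessions from trusted hosts are accepted without policing */
            term trusted-mgmt {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Replies to the switch's own NTP and DNS queries */
            term udp-replies {
                from {
                    protocol udp;
                    source-port [ ntp domain ];
                }
                then accept;
            }
            /* ICMP is accepted only up to the policer rate (ICMP flood) */
            term icmp-limit {
                from {
                    protocol icmp;
                }
                then {
                    policer ICMP-1M;
                    count icmp-to-re;
                    accept;
                }
            }
            /* TCP SYNs from anywhere else are policed (SYN / connection flood) */
            term tcp-syn-limit {
                from {
                    protocol tcp;
                    tcp-flags "syn & !ack";
                }
                then {
                    policer TCP-SYN-2M;
                    count syn-to-re;
                    accept;
                }
            }
            /* Everything else to the RE, including ACK and UDP floods from
               untrusted sources, is counted and dropped */
            term deny-rest {
                then {
                    count denied-to-re;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

The counters icmp-to-re, syn-to-re and denied-to-re can be read with show firewall filter PROTECT-RE, which is how you see a flood hitting the RE and whether the policer is doing the dropping. Two caveats follow from how stateless filters work: a policer discards the excess traffic rather than null-routing the source, so the "above X gig, auto null-route the IP" part of the question is not something a filter alone does; and because the last term discards, any protocol the switch itself speaks (a routing protocol, DHCP relay, SNMP polling) must get its own accept term before deny-rest or the filter will break it.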