
Junos Enterprise Switching

Chapter 6: Device Security and Firewall Filters

2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives

After successfully completing this chapter, you will be able to:
Describe the storm control security feature
Configure and monitor the storm control security feature
Describe firewall filter support for EX Series switches
Implement and monitor the effects of a firewall filter

Agenda: Device Security and Firewall Filters

Storm Control
Firewall Filters

Traffic Storms

Some traffic types, such as broadcast and unknown unicast, can continuously propagate through a LAN, consuming resources and affecting performance. A switch floods these frames out of every port in the VLAN except the one they arrived on, so a single sender can occupy every link in the broadcast domain.

In the figure, User A initiates traffic to a destination MAC address that is not known or not located in the network. Switch-1 floods it toward Switch-2 and Switch-3, which flood it in turn, so every host in the VLAN (Users B through F) receives the traffic and a traffic storm results.

[Figure: Users A to F (MACs 00:26:88:02:74:86 through 00:26:88:02:74:91) attached to Switch-1, Switch-2 and Switch-3; User A's traffic to an unknown destination MAC is flooded by all three switches.]
Introducing Storm Control

Storm control monitors traffic levels and drops traffic when the threshold (the storm control level) is exceeded. This prevents the traffic from proliferating and degrading the LAN.

[Figure: A traffic storm arriving at Switch-1 is held below the storm control level before it can be flooded onward.]

The storm control feature ensures traffic storms do not degrade LAN performance.
Storm Control Configuration

Storm control is enabled by default on EX switches. The default storm control level is 80 percent for all interfaces, meaning monitored traffic above 80 percent of the interface's available bandwidth is dropped. You can modify the default configuration settings at the [edit ethernet-switching-options] hierarchy:

{master:0}[edit]
user@Switch-1# load factory-default
warning: activating factory configuration

{master:0}[edit]
user@Switch-1# show ethernet-switching-options
storm-control {
    interface all;
}

Note: Using the default configuration, all broadcast, multicast, and unknown unicast traffic in excess of 80 percent is dropped.
Changing the Default Configuration

Before modifying the default configuration, monitor broadcast, multicast, and unknown unicast traffic levels in the LAN under normal operating conditions. Use that benchmark data to determine acceptable traffic levels, then configure storm control to set the level at which you want to drop broadcast traffic, multicast traffic, unknown unicast traffic, or all three.

Compare the default storm control level against the benchmark and decide whether it is acceptable, too high, or too low. A level set too high lets a storm run well beyond the normal traffic volume before anything is dropped; a level set too low discards legitimate broadcast and multicast traffic, such as ARP and DHCP, during ordinary bursts.
Storm Control Actions

When the storm control level is exceeded, the switch can either drop the offending traffic (the default) or shut down the interface through which the traffic is passing.

With the default configuration, traffic above the level is discarded and the interface stays up:

{master:0}[edit ethernet-switching-options]
user@Switch-1# show
storm-control {
    interface all;
}

Use the action-shutdown option to alter the default behavior so that the interface is disabled instead:

{master:0}[edit ethernet-switching-options]
user@Switch-1# show
storm-control {
    action-shutdown;
    interface all;
}
Automatic Error Condition Recovery

By default, when the action-shutdown option is used and the storm control level is exceeded, the interface is shut down until it is manually re-enabled. Alternatively, you can automate error condition recovery using the port-error-disable option, which specifies a disable timeout value between 10 and 3600 seconds:

{master:0}[edit ethernet-switching-options]
user@Switch-1# show
port-error-disable {
    disable-timeout 300;
}
storm-control {
    action-shutdown;
    interface all;
}

Automatic recovery only re-enables the port; it does not remove the source of the storm. If the offending host is still transmitting when the timeout expires, the port is disabled again, so a port that cycles between disabled and enabled should be treated as an ongoing incident rather than a recovered one.
Monitoring Automatic Recovery

You can monitor the automatic recovery process by using show ethernet-switching interfaces to view interface state details:

{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/8.0   up     v11           11   tagged    unblocked
ge-0/0/9.0   down   v11           11   tagged    Storm control in effect (00:03:57) remaining
me0.0        up     mgmt               untagged  unblocked

and by using show log messages to view violation details:

{master:0}
user@Switch-1> show log messages | match storm | match ge-0/0/9
Jul 29 09:38:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
Jul 29 09:43:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port

The interface was re-enabled after the disable timeout period (5 minutes).

Clearing Violations Manually

Use clear ethernet-switching port-error interface to clear violations manually:

{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/8.0   up     v11           11   tagged    unblocked
ge-0/0/9.0   down   v11           11   tagged    Storm control in effect (00:04:17) remaining
me0.0        up     mgmt               untagged  unblocked

{master:0}
user@Switch-1> clear ethernet-switching port-error interface ge-0/0/9

{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/8.0   up     v11           11   tagged    unblocked
ge-0/0/9.0   up     v11           11   tagged    unblocked
me0.0        up     mgmt               untagged  unblocked
Firewall Filters: A Review

Firewall filters control the traffic entering and leaving a networking device in a stateless fashion:
Every packet is processed independently; the filter keeps no connection state, so return traffic must be permitted by its own term
Used to filter and monitor network traffic
Firewall Filter Types

Firewall filter types include:

Filter Type    Application
Port-based     Applied to Layer 2 switch ports in the ingress and egress directions
VLAN-based     Applied to Layer 2 VLANs in the ingress and egress directions
Router-based   Applied to Layer 3 routed interfaces in the ingress and egress directions

{master:0}[edit firewall]
user@Switch-1# edit family ?
Possible completions:
> any                  Protocol-independent filter
> ethernet-switching   Protocol family Ethernet Switching for firewall filter
> inet                 Protocol family IPv4 for firewall filter
> inet6                Protocol family IPv6 for firewall filter

Port-based and VLAN-based filters use the family ethernet-switching option, while router-based filters use family inet or family inet6 depending on the traffic type.
Processing Order of Firewall Filters

Processing order considerations:
Ingress processing order is port, VLAN, then router
Egress processing is performed in the reverse order: router, VLAN, then port
A router-based filter applied to an RVI does not apply to switched packets in the same VLAN

Because a frame must be accepted by each filter in turn, a frame discarded by the port filter never reaches the VLAN or router filter; counters on the later filters therefore only reflect traffic the earlier filters let through.

[Figure: On input, an Rx packet passes through the Port Filter, the VLAN Filter, then the Router Filter; on output, a Tx packet passes through the Router Filter, the VLAN Filter, then the Port Filter.]
Building Blocks of Firewall Filters

Firewall filters consist of one or more terms; the software evaluates terms sequentially until it reaches a terminating action. The filter name (my-filter in the figure) and the term names (firstterm, secondterm) are user-defined.

Within each term, the from statements describe match conditions, and the then statements describe the actions to take if a match with the from statement occurs. If a packet does not match a term, evaluation continues with the next term. Packets that match no user-defined term reach the implicit final term, whose default action is discard: anything not explicitly allowed is dropped.

[Figure: my-filter evaluates term firstterm (from, then), on no match continues to term secondterm (from, then), and on no match falls through to the default term, which discards.]

Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command.
Common Match Criteria

A term can match on most header fields. Match condition categories include:
Numeric range (for example, a port or protocol number)
Address (an IP prefix or, for family ethernet-switching, a MAC address)
Bit field (for example, TCP flags)

The from statements in a term describe its match conditions; a term with no from statement matches every packet.
Firewall Filter Actions

Common actions in firewall filters:

Terminating actions:
accept
discard
reject

Action modifiers:
analyzer, count, log, and syslog
forwarding-class and loss-priority
policer

The then statements in a term describe the actions to take. A terminating action ends evaluation of the filter; action modifiers such as count are applied alongside the terminating action and do not by themselves end evaluation.

Note: The software discards all traffic not explicitly allowed!

Case Study: Topology and Objectives

Objectives:
Implement filters on the access ports so that only frames using the expected source MAC addresses are permitted; discard and count frames sourced from any other MAC address
Implement a filter on both VLANs to block frames destined to MAC address 01:80:c2:00:00:00 (the destination address used by STP BPDUs); discard and count frames destined to that MAC address

Topology: User A is in VLAN v11 with address 172.23.11.100/24 and MAC 00:26:88:02:74:86; User B is in VLAN v12 with address 172.23.12.100/24 and MAC 00:26:88:02:74:87. Both connect to access ports on Switch-1.

Note that a source MAC filter only restricts which address a frame claims to come from. A host that sets its interface to the permitted MAC address passes the filter, so this control catches accidental device changes rather than a determined attacker.
Case Study: Configuring the Filters (1 of 2)

{master:0}[edit firewall family ethernet-switching]
user@Switch-1# show filter limit-MAC-ge006
term 1 {
    from {
        source-mac-address {
            00:26:88:02:74:86;
        }
    }
    then accept;
}
term 2 {
    then {
        discard;
        count ge006-invalid-MAC;
    }
}

{master:0}[edit firewall family ethernet-switching]
user@Switch-1# show filter limit-MAC-ge007
term 1 {
    from {
        source-mac-address {
            00:26:88:02:74:87;
        }
    }
    then accept;
}
term 2 {
    then {
        discard;
        count ge007-invalid-MAC;
    }
}
Case Study: Configuring the Filters (2 of 2)

{master:0}[edit firewall family ethernet-switching]
user@Switch-1# show filter block-dest-MAC-01:80:c2:00:00:00
term 1 {
    from {
        destination-mac-address {
            01:80:c2:00:00:00;
        }
    }
    then {
        discard;
        count block-stp-bpdus;
    }
}
term 2 {
    then accept;
}
Case Study: Applying the Filters (1 of 2)

{master:0}[edit interfaces]
user@Switch-1# show ge-0/0/6
unit 0 {
    family ethernet-switching {
        vlan {
            members v11;
        }
        filter {
            input limit-MAC-ge006;
        }
    }
}

{master:0}[edit interfaces]
user@Switch-1# show ge-0/0/7
unit 0 {
    family ethernet-switching {
        vlan {
            members v12;
        }
        filter {
            input limit-MAC-ge007;
        }
    }
}
Case Study: Applying the Filters (2 of 2)

{master:0}[edit vlans]
user@Switch-1# show
v11 {
    vlan-id 11;
    filter {
        input block-dest-MAC-01:80:c2:00:00:00;
    }
    l3-interface vlan.11;
}
v12 {
    vlan-id 12;
    filter {
        input block-dest-MAC-01:80:c2:00:00:00;
    }
    l3-interface vlan.12;
}
Case Study: Monitoring Firewall Filters

{master:0}
user@Switch-1> show firewall

Filter: block-dest-MAC-01:80:c2:00:00:00
Counters:
Name                       Bytes   Packets
block-stp-bpdus              472         7

Filter: limit-MAC-ge006
Counters:
Name                       Bytes   Packets
ge006-invalid-MAC           1148        12

Filter: limit-MAC-ge007
Counters:
Name                       Bytes   Packets
ge007-invalid-MAC            842         9

A nonzero invalid-MAC counter on an access port means a device other than the expected host is attached, or the host's MAC address has changed. The block-stp-bpdus counter records frames addressed to the STP multicast address that arrived on the VLAN, which should not happen on a VLAN populated only by end hosts. Because the port filter runs first, frames from an unexpected MAC are counted there and never reach the VLAN filter.
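To see how sequential term evaluation, the implicit discard, and the port-before-VLAN ingress order interact, the following Python model, added here as an example and not taken from the course or from Junos, re-implements the case-study filters as data and evaluates constructed frames against them. It also includes a shadowed-term check for the ordering point made under Building Blocks of Firewall Filters: a term placed after a catch-all terminating term can never match. The frame contents, the spoofed MAC address, and the ingress() chain are assumptions for the example; it models only the exact-value match conditions the case study uses and only the accept and discard actions, not the full Junos match and action set.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Addresses from the case-study topology; the spoofed address is constructed.
USER_A_MAC = "00:26:88:02:74:86"
SPOOFED_MAC = "00:26:88:02:74:99"
STP_MAC = "01:80:c2:00:00:00"       # destination address of STP BPDUs
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Term:
    name: str
    match: Dict[str, Set[str]] = field(default_factory=dict)  # from: field -> allowed values; {} matches all
    action: str = "accept"                                     # then: terminating action (accept/discard)
    counter: str = ""                                          # then: optional count modifier

@dataclass
class Filter:
    name: str
    terms: List[Term]
    counters: Dict[str, List[int]] = field(default_factory=dict)  # counter -> [packets, bytes]

    def evaluate(self, frame: dict) -> str:
        """First term whose 'from' conditions all match decides; a frame matching
        no term reaches the implicit final term, which discards."""
        for term in self.terms:
            if all(frame.get(k) in allowed for k, allowed in term.match.items()):
                if term.counter:
                    pk = self.counters.setdefault(term.counter, [0, 0])
                    pk[0] += 1
                    pk[1] += frame["length"]
                return term.action
        return "discard"

def shadowed_terms(flt: Filter) -> List[str]:
    """Terms an earlier term already fully covers, so they can never match.
    Sound only for the exact-value conditions modelled here."""
    shadowed = []
    for i, later in enumerate(flt.terms):
        for earlier in flt.terms[:i]:
            if all(k in later.match and later.match[k] <= allowed
                   for k, allowed in earlier.match.items()):
                shadowed.append(later.name)
                break
    return shadowed

def ingress(frame: dict, *filters: Filter) -> str:
    """EX ingress order: port filter, then VLAN filter, then router filter.
    A frame must be accepted by each stage to reach the next one."""
    for flt in filters:
        verdict = flt.evaluate(frame)
        if verdict != "accept":
            return verdict
    return "accept"

def case_study_filters():
    """limit-MAC-ge006 (port filter) and the BPDU-blocking VLAN filter."""
    limit_mac_ge006 = Filter("limit-MAC-ge006", [
        Term("1", {"source-mac-address": {USER_A_MAC}}, "accept"),
        Term("2", {}, "discard", counter="ge006-invalid-MAC"),
    ])
    block_bpdus = Filter("block-dest-MAC-01:80:c2:00:00:00", [
        Term("1", {"destination-mac-address": {STP_MAC}}, "discard", counter="block-stp-bpdus"),
        Term("2", {}, "accept"),
    ])
    return limit_mac_ge006, block_bpdus

def misordered_filter() -> Filter:
    """limit-MAC-ge006 with its terms swapped: the catch-all discard comes first,
    term 1 is unreachable and User A is locked out (what 'insert' is for)."""
    return Filter("limit-MAC-ge006-misordered", [
        Term("2", {}, "discard", counter="ge006-invalid-MAC"),
        Term("1", {"source-mac-address": {USER_A_MAC}}, "accept"),
    ])

def run_case_study():
    """Four constructed frames arriving on ge-0/0/6 (VLAN v11): returns the
    verdicts and the counters each filter ends up with."""
    port_filter, vlan_filter = case_study_filters()
    frames = [
        {"name": "user-a-broadcast", "source-mac-address": USER_A_MAC,
         "destination-mac-address": BROADCAST, "length": 64},
        {"name": "spoofed-broadcast", "source-mac-address": SPOOFED_MAC,
         "destination-mac-address": BROADCAST, "length": 100},
        {"name": "user-a-bpdu", "source-mac-address": USER_A_MAC,
         "destination-mac-address": STP_MAC, "length": 60},
        {"name": "spoofed-bpdu", "source-mac-address": SPOOFED_MAC,
         "destination-mac-address": STP_MAC, "length": 60},
    ]
    verdicts = {f["name"]: ingress(f, port_filter, vlan_filter) for f in frames}
    return verdicts, port_filter.counters, vlan_filter.counters

if __name__ == "__main__":
    print(run_case_study())
    print("shadowed:", shadowed_terms(misordered_filter()))
```

The spoofed BPDU frame is counted by ge006-invalid-MAC and never increments block-stp-bpdus, which is the processing-order point from earlier in the chapter, and the misordered copy of limit-MAC-ge006 reports term 1 as shadowed even though its configuration is otherwise identical to the working filter.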

Summary

In this chapter, we:
Described the storm control security feature
Configured and monitored the storm control security feature
Described firewall filter support for EX Series switches
Implemented and monitored the effects of a firewall filter
Review Questions

1. What is a traffic storm and how is it created?
2. What actions can be taken when a storm control level is exceeded?
3. Which types of firewall filters are supported on EX Series switches? Where are they applied?
Lab 5: Storm Control and Firewall Filters

Implement the storm control security feature.
Configure and monitor firewall filters.