To protect the control plane of your EX series platform from rogue management attempts or overloads, firewall filters can be used. Based on Day One: Securing Routing Engine, this blog shows an example of such a firewall filter.
Because the firewall filter options on the EX series are more limited than on the MX series, the from ttl match condition and the then policer, then log and then count actions (count is supported on the EX4200) have been stripped from the original filter, as explained in the techpubs pages Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches and Support for Match Conditions and Actions for Loopback Firewall Filters on Switches.
This example filter shows the possibilities of the firewall hierarchy on EX platforms:
set interfaces lo0 unit 0 family inet filter input ex-re-filter

set policy-options prefix-list router-self apply-path "interfaces <*> unit <*> family inet address <*>"

set policy-options prefix-list accept-telnet [...]
set policy-options prefix-list accept-telnet A.B.C.D/24
set policy-options prefix-list accept-telnet E.F.G.H/32
edit policy-options prefix-list accept-telnet
annotate A.B.C.D/24 management-network
annotate E.F.G.H/32 some-host
top

set policy-options prefix-list accept-ssh [...]
set policy-options prefix-list accept-ssh A.B.C.D/24
edit policy-options prefix-list accept-ssh
annotate A.B.C.D/24 management-network
top

set policy-options prefix-list accept-ftp [...]
set policy-options prefix-list accept-ftp A.B.C.D/24
edit policy-options prefix-list accept-ftp
annotate A.B.C.D/24 management-network
top

set policy-options prefix-list accept-snmp [...]
set policy-options prefix-list accept-snmp A.B.C.D/24
set policy-options prefix-list accept-snmp I.J.K.L/32
edit policy-options prefix-list accept-snmp
annotate A.B.C.D/24 management-network
annotate I.J.K.L/32 some-other-host
top

set policy-options prefix-list accept-radius apply-path "system radius-server <*.*>"
set policy-options prefix-list accept-dns apply-path "system name-server <*.*>"
set policy-options prefix-list accept-ntp-peer apply-path "system ntp peer <*.*>"
set policy-options prefix-list accept-ntp-server apply-path "system ntp server <*.*>"
set policy-options prefix-list vrrp-routers 224.0.0.18/32
set policy-options prefix-list bgp-neighbor-v4 apply-path "protocols bgp group <*> neighbor <*.*>"
set policy-options prefix-list ospf-routers 224.0.0.5/32
set policy-options prefix-list ospf-routers 224.0.0.6/32

set firewall family inet filter ex-re-filter term accept-icmp-no-icmp-fragments from is-fragment
set firewall family inet filter ex-re-filter term accept-icmp-no-icmp-fragments from protocol icmp
set firewall family inet filter ex-re-filter term accept-icmp-no-icmp-fragments then discard

set firewall family inet filter ex-re-filter term accept-icmp from protocol icmp
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type echo-reply
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type echo-request
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type time-exceeded
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type unreachable
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type source-quench
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type router-advertisement
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type parameter-problem
set firewall family inet filter ex-re-filter term accept-icmp then accept

set firewall family inet filter ex-re-filter term accept-telnet from source-prefix-list accept-telnet
set firewall family inet filter ex-re-filter term accept-telnet from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-telnet from protocol tcp
set firewall family inet filter ex-re-filter term accept-telnet from destination-port telnet
set firewall family inet filter ex-re-filter term accept-telnet then accept

set firewall family inet filter ex-re-filter term accept-ssh from source-prefix-list accept-ssh
set firewall family inet filter ex-re-filter term accept-ssh from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ssh from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ssh from protocol tcp
set firewall family inet filter ex-re-filter term accept-ssh from destination-port ssh
set firewall family inet filter ex-re-filter term accept-ssh then accept

set firewall family inet filter ex-re-filter term accept-ftp from source-prefix-list accept-ftp
set firewall family inet filter ex-re-filter term accept-ftp from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ftp from protocol tcp
set firewall family inet filter ex-re-filter term accept-ftp from destination-port ftp
set firewall family inet filter ex-re-filter term accept-ftp from destination-port ftp-data
set firewall family inet filter ex-re-filter term accept-ftp then accept

set firewall family inet filter ex-re-filter term accept-snmp from source-prefix-list accept-snmp
set firewall family inet filter ex-re-filter term accept-snmp from protocol udp
set firewall family inet filter ex-re-filter term accept-snmp from destination-port snmp
set firewall family inet filter ex-re-filter term accept-snmp then accept

set firewall family inet filter ex-re-filter term accept-mgmt-out from protocol tcp
set firewall family inet filter ex-re-filter term accept-mgmt-out from source-port telnet
set firewall family inet filter ex-re-filter term accept-mgmt-out from source-port ssh
set firewall family inet filter ex-re-filter term accept-mgmt-out from source-port ftp
set firewall family inet filter ex-re-filter term accept-mgmt-out then accept

set firewall family inet filter ex-re-filter term accept-radius from source-prefix-list accept-radius
set firewall family inet filter ex-re-filter term accept-radius from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-radius from protocol udp
set firewall family inet filter ex-re-filter term accept-radius from protocol tcp
set firewall family inet filter ex-re-filter term accept-radius from source-port radacct
set firewall family inet filter ex-re-filter term accept-radius from source-port radius
set firewall family inet filter ex-re-filter term accept-radius then accept

set firewall family inet filter ex-re-filter term accept-dns from source-prefix-list accept-dns
set firewall family inet filter ex-re-filter term accept-dns from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-dns from protocol udp
set firewall family inet filter ex-re-filter term accept-dns from protocol tcp
set firewall family inet filter ex-re-filter term accept-dns from source-port domain
set firewall family inet filter ex-re-filter term accept-dns then accept

set firewall family inet filter ex-re-filter term accept-ntp from source-prefix-list accept-ntp-peer
set firewall family inet filter ex-re-filter term accept-ntp from source-prefix-list accept-ntp-server
set firewall family inet filter ex-re-filter term accept-ntp from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ntp from protocol udp
set firewall family inet filter ex-re-filter term accept-ntp from protocol tcp
set firewall family inet filter ex-re-filter term accept-ntp from source-port ntp
set firewall family inet filter ex-re-filter term accept-ntp then accept

set firewall family inet filter ex-re-filter term accept-traceroute-udp from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-traceroute-udp from protocol udp
set firewall family inet filter ex-re-filter term accept-traceroute-udp from destination-port 33435-33450
set firewall family inet filter ex-re-filter term accept-traceroute-udp then accept

set firewall family inet filter ex-re-filter term accept-traceroute-icmp from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-traceroute-icmp from protocol icmp
set firewall family inet filter ex-re-filter term accept-traceroute-icmp from icmp-type echo-request
set firewall family inet filter ex-re-filter term accept-traceroute-icmp from icmp-type timestamp
set firewall family inet filter ex-re-filter term accept-traceroute-icmp from icmp-type time-exceeded
set firewall family inet filter ex-re-filter term accept-traceroute-icmp then accept

set firewall family inet filter ex-re-filter term accept-vrrp from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-vrrp from destination-prefix-list vrrp-routers
set firewall family inet filter ex-re-filter term accept-vrrp from protocol vrrp
set firewall family inet filter ex-re-filter term accept-vrrp from protocol ah
set firewall family inet filter ex-re-filter term accept-vrrp then accept

set firewall family inet filter ex-re-filter term accept-bgp-in-1 from source-prefix-list bgp-neighbor-v4
set firewall family inet filter ex-re-filter term accept-bgp-in-1 from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-bgp-in-1 from protocol tcp
set firewall family inet filter ex-re-filter term accept-bgp-in-1 from destination-port bgp
set firewall family inet filter ex-re-filter term accept-bgp-in-1 then accept

set firewall family inet filter ex-re-filter term accept-bgp-in-2 from source-prefix-list bgp-neighbor-v4
set firewall family inet filter ex-re-filter term accept-bgp-in-2 from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-bgp-in-2 from protocol tcp
set firewall family inet filter ex-re-filter term accept-bgp-in-2 from source-port bgp
set firewall family inet filter ex-re-filter term accept-bgp-in-2 then accept

set firewall family inet filter ex-re-filter term accept-bgp-out-1 from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-bgp-out-1 from destination-prefix-list bgp-neighbor-v4
set firewall family inet filter ex-re-filter term accept-bgp-out-1 from protocol tcp
set firewall family inet filter ex-re-filter term accept-bgp-out-1 from source-port bgp
set firewall family inet filter ex-re-filter term accept-bgp-out-1 then accept

set firewall family inet filter ex-re-filter term accept-bgp-out-2 from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-bgp-out-2 from destination-prefix-list bgp-neighbor-v4
set firewall family inet filter ex-re-filter term accept-bgp-out-2 from protocol tcp
set firewall family inet filter ex-re-filter term accept-bgp-out-2 from destination-port bgp
set firewall family inet filter ex-re-filter term accept-bgp-out-2 then accept

set firewall family inet filter ex-re-filter term accept-ospf from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ospf from source-prefix-list ospf-routers
set firewall family inet filter ex-re-filter term accept-ospf from destination-prefix-list ospf-routers
set firewall family inet filter ex-re-filter term accept-ospf from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ospf from protocol ospf
set firewall family inet filter ex-re-filter term accept-ospf then accept

set firewall family inet filter ex-re-filter term accept-ospf-igmp from destination-prefix-list ospf-routers
set firewall family inet filter ex-re-filter term accept-ospf-igmp from protocol igmp
set firewall family inet filter ex-re-filter term accept-ospf-igmp then accept

set firewall family inet filter ex-re-filter term discard-all then count discard-all
set firewall family inet filter ex-re-filter term discard-all then discard
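A filter of this length is easiest to review mechanically. The script below is an added example, not code from the blog or from Juniper: it parses set-style lines of the form used above into one record per term and answers two questions a reviewer of an lo0 input filter wants answered, which accept terms have no source restriction at all (no source-prefix-list or source-address match), and whether the last term is an unconditional discard. The sample configuration embedded in it is a constructed subset of the filter above.

```python
"""Lint a flattened Junos 'set'-style firewall filter.

Added example, not from the blog post or from Juniper. It parses the
'set firewall family inet filter <name> term <term> from|then ...' lines
into per-term match conditions and actions, then reports which accept
terms carry no source restriction and whether the filter ends in a
catch-all discard.
"""

# Constructed sample: a subset of the lo0 filter shown above, in 'set' form.
SAMPLE_CONFIG = """
set interfaces lo0 unit 0 family inet filter input ex-re-filter
set policy-options prefix-list accept-ssh A.B.C.D/24
set firewall family inet filter ex-re-filter term accept-icmp from protocol icmp
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type echo-request
set firewall family inet filter ex-re-filter term accept-icmp then accept
set firewall family inet filter ex-re-filter term accept-ssh from source-prefix-list accept-ssh
set firewall family inet filter ex-re-filter term accept-ssh from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ssh from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ssh from protocol tcp
set firewall family inet filter ex-re-filter term accept-ssh from destination-port ssh
set firewall family inet filter ex-re-filter term accept-ssh then accept
set firewall family inet filter ex-re-filter term accept-mgmt-out from protocol tcp
set firewall family inet filter ex-re-filter term accept-mgmt-out from source-port ssh
set firewall family inet filter ex-re-filter term accept-mgmt-out then accept
set firewall family inet filter ex-re-filter term discard-all then count discard-all
set firewall family inet filter ex-re-filter term discard-all then discard
"""


def parse_filter(config_text, filter_name):
    """Return {term_name: {"from": {condition: [values]}, "then": [actions]}}.

    Terms keep the order of first appearance, which is the order Junos
    evaluates them in. Lines belonging to other filters, to policy-options
    or to interfaces are ignored.
    """
    prefix = f"set firewall family inet filter {filter_name} term "
    terms = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(prefix):
            continue
        fields = line[len(prefix):].split()
        if len(fields) < 3:
            continue  # "term X from" with nothing after it is not a complete line
        term_name, clause, rest = fields[0], fields[1], fields[2:]
        term = terms.setdefault(term_name, {"from": {}, "then": []})
        if clause == "from":
            # A keyword-only condition such as 'is-fragment' gets an empty value.
            term["from"].setdefault(rest[0], []).append(" ".join(rest[1:]))
        elif clause == "then":
            # 'then count discard-all' and 'then discard' are two separate actions.
            term["then"].append(" ".join(rest))
    return terms


def unconstrained_accept_terms(terms):
    """Names of accept terms whose 'from' clause restricts no source."""
    source_keys = {"source-prefix-list", "source-address"}
    return [
        name for name, term in terms.items()
        if "accept" in term["then"] and not (source_keys & term["from"].keys())
    ]


def ends_with_catch_all_discard(terms):
    """True if the last term has no match conditions and discards."""
    if not terms:
        return False
    last = list(terms.values())[-1]
    return not last["from"] and "discard" in last["then"]


if __name__ == "__main__":
    parsed = parse_filter(SAMPLE_CONFIG, "ex-re-filter")
    for name in unconstrained_accept_terms(parsed):
        print(f"accept term without source restriction: {name}")
    print("catch-all discard last:", ends_with_catch_all_discard(parsed))
```

Run over the sample it flags accept-icmp and accept-mgmt-out; run over the full filter above it would additionally flag accept-traceroute-udp, accept-traceroute-icmp and accept-ospf-igmp. Those are exactly the terms where, on an MX, a then policer would normally bound the rate of traffic reaching the routing engine, so on an EX they are the terms to keep an eye on with the count action that is still available.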