
Junos Enterprise Switching

Chapter 6: Device Security and Firewall Filters

2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services

Chapter Objectives
After successfully completing this chapter, you will be able to:
Describe the storm control security feature
Configure and monitor the storm control security feature
Describe firewall filter support for EX Series switches
Implement and monitor the effects of a firewall filter


Agenda: Device Security and Firewall Filters


Storm Control
Firewall Filters


Traffic Storms
Some traffic types, such as broadcast and unknown unicast, can continuously propagate through a LAN, consuming resources and affecting performance.
User A initiates traffic to a destination MAC address not known or located in the network.

[Diagram: User A (MAC 00:26:88:02:74:86) sends the frame into Switch-1; Switch-1, Switch-2 and Switch-3 each flood it, so it reaches User B (00:26:88:02:74:87), User C (00:26:88:02:74:88), User D (00:26:88:02:74:89), User E (00:26:88:02:74:90) and User F (00:26:88:02:74:91), producing a traffic storm]

Introducing Storm Control


Storm control monitors traffic levels and drops traffic when the threshold (storm control level) is exceeded.
Prevents traffic from proliferating and degrading the LAN.
[Diagram: a traffic storm arriving at Switch-1 is stopped by storm control]
The storm control feature ensures traffic storms do not degrade LAN performance.

Storm Control Configuration


Storm control is enabled by default on EX switches.
Default storm control level is 80 percent for all interfaces.
You can modify the default configuration settings at the [edit ethernet-switching-options] hierarchy.

{master:0}[edit]
user@Switch-1# load factory-default
warning: activating factory configuration

{master:0}[edit]
user@Switch-1# show ethernet-switching-options
storm-control {
    interface all;
}

Note: Using the default configuration, all broadcast, multicast, and unknown unicast traffic in excess of 80 percent is dropped.


Changing the Default Configuration


Before modifying the default configuration, monitor broadcast, multicast, and unknown unicast traffic levels in the LAN under normal operating conditions.
Use benchmark data to determine acceptable traffic levels.
Configure storm control to set the level at which you want to drop broadcast traffic, multicast traffic, unknown unicast traffic, or all three.
[Diagram: compare the measured levels against the default storm control level and decide whether it is too high, acceptable, or too low]


Storm Control Actions


When the storm control level is exceeded, the switch can either drop offending traffic (default) or shut down the interface through which the traffic is passing.

Default behavior (traffic above the level is discarded to the bit bucket):

{master:0}[edit ethernet-switching-options]
user@Switch-1# show
storm-control {
    interface all;
}

Use the action-shutdown option to alter the default behavior (the interface is disabled):

{master:0}[edit ethernet-switching-options]
user@Switch-1# show
storm-control {
    action-shutdown;
    interface all;
}


Automatic Error Condition Recovery


By default, when the action-shutdown option is used and the storm control level is exceeded, the interface is shut down until it is manually re-enabled.
Alternatively, you can automate error condition recovery using the port-error-disable option:

{master:0}[edit ethernet-switching-options]
user@Switch-1# show
port-error-disable {
    disable-timeout 300;
}
storm-control {
    action-shutdown;
    interface all;
}

The disable-timeout value is specified in seconds, between 10 and 3600.
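As an added illustration (not Juniper code and not part of the course material), the following Python model captures the decisions described on these slides: the storm control level, the default drop action versus action-shutdown, the port-error-disable timer, and a manual clear. It assumes that the switch samples each interface once per interval and reports the share of bandwidth used by flood traffic as a percentage, and it applies the level to the combined broadcast, multicast and unknown-unicast share; the class, method and interface names are the example's own.

```python
"""Model of EX Series storm control decisions.

Added example, not Juniper code. Assumptions: each interface is sampled once
per interval; a sample reports the percent of bandwidth used by each flood
traffic type; the storm control level applies to the combined share.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

FLOOD_TYPES = ("broadcast", "multicast", "unknown-unicast")


@dataclass
class StormControl:
    """Storm control settings plus per-interface error-disable state."""
    level: int = 80                          # percent of interface bandwidth (default 80)
    action_shutdown: bool = False            # default action is to drop the excess traffic
    disable_timeout: Optional[int] = None    # seconds; None means manual re-enable only
    disabled_since: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self):
        if not 0 <= self.level <= 100:
            raise ValueError("storm control level is a percentage")
        if self.disable_timeout is not None and not 10 <= self.disable_timeout <= 3600:
            raise ValueError("disable-timeout must be between 10 and 3600 seconds")

    def evaluate(self, iface: str, sample: Dict[str, float], now: float) -> str:
        """Apply storm control to one interval sample for one interface.

        Returns "forward", "drop-excess", "shutdown" or "disabled".
        """
        # An error-disabled port stays down until the timer expires
        # (automatic recovery) or an operator clears it.
        if iface in self.disabled_since:
            if (self.disable_timeout is not None
                    and now - self.disabled_since[iface] >= self.disable_timeout):
                del self.disabled_since[iface]      # port-error-disable timer expired
            else:
                return "disabled"

        flood_pct = sum(sample.get(t, 0) for t in FLOOD_TYPES)
        if flood_pct <= self.level:
            return "forward"
        if self.action_shutdown:
            self.disabled_since[iface] = now
            return "shutdown"
        return "drop-excess"        # default: traffic above the level goes to the bit bucket

    def clear_port_error(self, iface: str) -> bool:
        """Equivalent of 'clear ethernet-switching port-error interface <iface>'."""
        return self.disabled_since.pop(iface, None) is not None

    def remaining(self, iface: str, now: float) -> Optional[int]:
        """Seconds until automatic re-enable, or None if not disabled / no timer."""
        if iface not in self.disabled_since or self.disable_timeout is None:
            return None
        return max(0, int(self.disable_timeout - (now - self.disabled_since[iface])))

    def remaining_display(self, iface: str, now: float) -> Optional[str]:
        """The '(hh:mm:ss) remaining' text shown by show ethernet-switching interfaces."""
        secs = self.remaining(iface, now)
        if secs is None:
            return None
        hours, rest = divmod(secs, 3600)
        minutes, seconds = divmod(rest, 60)
        return f"{hours:02d}:{minutes:02d}:{seconds:02d}"


if __name__ == "__main__":
    sc = StormControl(action_shutdown=True, disable_timeout=300)
    print(sc.evaluate("ge-0/0/9.0", {"broadcast": 95}, now=0))          # shutdown
    print(sc.evaluate("ge-0/0/9.0", {"broadcast": 0}, now=3))           # disabled
    print(sc.remaining_display("ge-0/0/9.0", now=3))                    # 00:04:57
    print(sc.evaluate("ge-0/0/9.0", {"broadcast": 0}, now=300))         # forward
```

The model makes the operational trade-off visible: with the default action a storm only costs the excess frames, whereas action-shutdown takes the port out of service for the whole disable-timeout (or until someone clears it), so the level chosen from the benchmark data matters more when shutdown is enabled.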


Monitoring Automatic Recovery


You can monitor the automatic recovery process by:
Using show ethernet-switching interfaces to view interface state details:

{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/8.0   up     v11           11   tagged    unblocked
ge-0/0/9.0   down   v11           11   tagged    Storm control in effect
                                                 (00:03:57) remaining
me0.0        up     mgmt               untagged  unblocked

Using show log messages to view violation details:


{master:0}
user@Switch-1> show log messages | match storm | match ge-0/0/9
Jul 29 09:38:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
Jul 29 09:43:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port

The interface was re-enabled after the disable timeout period (5 minutes).
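The following Python parser is an added example, not part of the course material: it reads ESWD_ST_CTL_ERROR_DISABLED and ESWD_ST_CTL_ERROR_ENABLED messages in the format shown above, pairs each disable with the matching re-enable to measure the recovery time (300 seconds for a disable-timeout of 300), and flags interfaces that keep tripping storm control after automatic recovery. The log lines embedded in it are constructed for the example (only the first two are the ones shown on the slide), and the function names and the 2011 log year are the example's own assumptions.

```python
"""Parse ESWD storm control syslog messages and measure automatic recovery.

Added example, not Juniper code. The message format is the one shown by
'show log messages' on the slide; the sample log is constructed, and the
year is assumed because syslog timestamps omit it.
"""
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

STORM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) eswd\[\d+\]: "
    r"ESWD_ST_CTL_ERROR_(?P<event>DISABLED|ENABLED): (?P<iface>\S+): storm control"
)

# Constructed sample: the first two lines are the slide's, the rest are made up
# to show a port that trips repeatedly and a second port that recovers once.
SAMPLE_LOG = """\
Jul 29 09:38:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
Jul 29 09:40:00 Switch-1 mgd[1234]: UI_COMMIT: User 'user' requested 'commit' operation
Jul 29 09:43:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port
Jul 29 09:44:02 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
Jul 29 09:49:02 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port
Jul 29 09:50:15 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
Jul 29 10:05:00 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/6.0: storm control disabled port
Jul 29 10:10:00 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/6.0: storm control enabled port
"""

Event = Tuple[datetime, str, str]   # (timestamp, interface, DISABLED|ENABLED)


def parse_events(text: str, year: int = 2011) -> List[Event]:
    """Extract storm control events; unrelated messages are skipped."""
    events = []
    for line in text.splitlines():
        m = STORM_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["iface"], m["event"]))
    return events


def recovery_intervals(events: List[Event]) -> Tuple[Dict[str, List[int]], Dict[str, datetime]]:
    """Pair each DISABLED with the next ENABLED on the same interface.

    Returns ({iface: [seconds disabled, ...]}, {iface: time disabled}) where the
    second map lists ports whose disable has not yet been followed by a re-enable.
    """
    open_disable: Dict[str, datetime] = {}
    intervals: Dict[str, List[int]] = {}
    for ts, iface, event in sorted(events):
        if event == "DISABLED":
            open_disable[iface] = ts
        elif iface in open_disable:
            seconds = int((ts - open_disable.pop(iface)).total_seconds())
            intervals.setdefault(iface, []).append(seconds)
    return intervals, open_disable


def flapping_ports(events: List[Event], window_seconds: int = 1800, threshold: int = 3) -> Set[str]:
    """Interfaces disabled `threshold` or more times within `window_seconds`.

    A port that keeps hitting the storm control level after each automatic
    recovery needs investigation rather than another timer cycle.
    """
    by_iface: Dict[str, List[datetime]] = {}
    for ts, iface, event in sorted(events):
        if event == "DISABLED":
            by_iface.setdefault(iface, []).append(ts)
    flagged = set()
    for iface, times in by_iface.items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(iface)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    intervals, still_down = recovery_intervals(evs)
    print("recovery intervals:", intervals)        # 300 s each, matching disable-timeout 300
    print("still disabled:", list(still_down))
    print("flapping:", flapping_ports(evs))
```

Feeding the output of show log messages | match storm into parse_events gives the same pairing the slide shows by eye, and the flapping check turns the automatic recovery timer into an alert: a port that is re-enabled and immediately disabled again is a standing storm, not a transient one.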



Clearing Violations Manually


Use clear ethernet-switching port-error interface to clear violations manually:

{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/8.0   up     v11           11   tagged    unblocked
ge-0/0/9.0   down   v11           11   tagged    Storm control in effect
                                                 (00:04:17) remaining
me0.0        up     mgmt               untagged  unblocked

{master:0}
user@Switch-1> clear ethernet-switching port-error interface ge-0/0/9

{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/8.0   up     v11           11   tagged    unblocked
ge-0/0/9.0   up     v11           11   tagged    unblocked
me0.0        up     mgmt               untagged  unblocked


Agenda: Device Security and Firewall Filters


Storm Control
Firewall Filters


Firewall Filters: A Review


Firewall filters control the traffic entering and leaving a networking device in a stateless fashion:
Processes every packet independently
Used to filter and monitor network traffic


Firewall Filter Types


Firewall filter types include:

Filter Type    Application Description
Port-based     Applied to Layer 2 switch ports in ingress and egress directions
VLAN-based     Applied to Layer 2 VLANs in the ingress and egress directions
Router-based   Applied to Layer 3 routed interfaces in ingress and egress directions

{master:0}[edit firewall]
user@Switch-1# edit family ?
Possible completions:
> any                  Protocol-independent filter
> ethernet-switching   Protocol family Ethernet Switching for firewall filter
> inet                 Protocol family IPv4 for firewall filter
> inet6                Protocol family IPv6 for firewall filter

Port-based and VLAN-based filters use the family ethernet-switching option, while router-based filters use family inet or family inet6, depending on the traffic type.


Processing Order of Firewall Filters


Processing order considerations:
Ingress processing order is port, VLAN, then router
Egress processing is performed in the reverse order
A router-based filter applied to an RVI does not apply to switched packets in the same VLAN
[Diagram: an Rx packet on input passes the port filter, then the VLAN filter, then the router filter; a Tx packet on output passes the router filter, then the VLAN filter, then the port filter]


Building Blocks of Firewall Filters


Firewall filters consist of one or more terms; the software evaluates terms sequentially until it reaches a terminating action.
[Diagram: filter my-filter, with user-defined filter and term names. term firstterm has a from block and a then block; on a match the then actions are taken, on no match evaluation continues to term secondterm, which again has from and then. After the last term, an implicit term Default discards packets not explicitly allowed]
from statements describe match conditions.
then statements describe the actions to take if a match with the from statement occurs.
The default action for packets not explicitly allowed is discard.

Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command.

Common Match Criteria


Can match based on most header fields.
Match condition categories include:
Numeric range
Address
Bit field
[Diagram: in term firstterm, the from statements describe the match conditions; on a match the then statements are applied]


Firewall Filter Actions


Common actions in firewall filters:
Terminating actions:
accept
discard
reject
Action modifiers:
analyzer, count, log, and syslog
forwarding-class and loss-priority
policer
[Diagram: in term firstterm, the from statements describe the match conditions and the then statements describe the actions to take]

Note: The software discards all traffic not explicitly allowed!



Case Study: Topology and Objectives


Objectives:
Implement filters on the access ports so that only frames using the expected source MAC addresses are permitted
Discard and count frames sourced from any other MAC addresses
Implement a filter on both VLANs to block frames destined to MAC address 01:80:c2:00:00:00
Discard and count frames destined to the referenced MAC address
[Diagram: Switch-1 with two access ports. User A (VLAN v11, 172.23.11.100/24, MAC 00:26:88:02:74:86) and User B (VLAN v12, 172.23.12.100/24, MAC 00:26:88:02:74:87)]

Case Study: Configuring the Filters (1 of 2)


{master:0}[edit firewall family ethernet-switching]
user@Switch-1# show filter limit-MAC-ge006
term 1 {
    from {
        source-mac-address {
            00:26:88:02:74:86;
        }
    }
    then accept;
}
term 2 {
    then {
        discard;
        count ge006-invalid-MAC;
    }
}

{master:0}[edit firewall family ethernet-switching]
user@Switch-1# show filter limit-MAC-ge007
term 1 {
    from {
        source-mac-address {
            00:26:88:02:74:87;
        }
    }
    then accept;
}
term 2 {
    then {
        discard;
        count ge007-invalid-MAC;
    }
}


Case Study: Configuring the Filters (2 of 2)


{master:0}[edit firewall family ethernet-switching]
user@Switch-1# show filter block-dest-MAC-01:80:c2:00:00:00
term 1 {
    from {
        destination-mac-address {
            01:80:c2:00:00:00;
        }
    }
    then {
        discard;
        count block-stp-bpdus;
    }
}
term 2 {
    then accept;
}


Case Study: Applying the Filters (1 of 2)


{master:0}[edit interfaces]
user@Switch-1# show ge-0/0/6
unit 0 {
    family ethernet-switching {
        vlan {
            members v11;
        }
        filter {
            input limit-MAC-ge006;
        }
    }
}

{master:0}[edit interfaces]
user@Switch-1# show ge-0/0/7
unit 0 {
    family ethernet-switching {
        vlan {
            members v12;
        }
        filter {
            input limit-MAC-ge007;
        }
    }
}


Case Study: Applying the Filters (2 of 2)


{master:0}[edit vlans]
user@Switch-1# show
v11 {
    vlan-id 11;
    filter {
        input block-dest-MAC-01:80:c2:00:00:00;
    }
    l3-interface vlan.11;
}
v12 {
    vlan-id 12;
    filter {
        input block-dest-MAC-01:80:c2:00:00:00;
    }
    l3-interface vlan.12;
}


Case Study: Monitoring Firewall Filters


{master:0}
user@Switch-1> show firewall

Filter: block-dest-MAC-01:80:c2:00:00:00
Counters:
Name                      Bytes    Packets
block-stp-bpdus             472          7

Filter: limit-MAC-ge006
Counters:
Name                      Bytes    Packets
ge006-invalid-MAC          1148         12

Filter: limit-MAC-ge007
Counters:
Name                      Bytes    Packets
ge007-invalid-MAC           842          9
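The following Python model is an added example (not Junos code) that reproduces the case study's filter logic end to end: terms evaluated in order until a terminating action, count as an action modifier, the implicit discard of anything not explicitly accepted, and the ingress processing order of port filter before VLAN filter. The filters are transcribed from the configuration on the preceding slides; the frames, their byte lengths and the class and function names are constructed for the example.

```python
"""Stateless firewall filter evaluation, modelled on the case study.

Added example, not Junos code. Filters are transcribed from the slides;
frames, byte lengths and all class/function names are this example's own.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple


class Term:
    """One term: 'from' match conditions plus a 'then' action and optional count."""

    def __init__(self, name: str, match: Optional[Dict[str, str]] = None,
                 action: str = "discard", count: Optional[str] = None):
        self.name, self.match, self.action, self.count = name, match or {}, action, count

    def matches(self, frame: Dict) -> bool:
        # Every from condition must hold; a term with no from block matches all frames.
        return all(frame.get(k) == v for k, v in self.match.items())


class Filter:
    """Terms are evaluated in order; the first matching term's action terminates evaluation."""

    def __init__(self, name: str, terms: List[Term]):
        self.name, self.terms = name, terms
        self.packets, self.bytes = Counter(), Counter()

    def evaluate(self, frame: Dict) -> str:
        for term in self.terms:
            if term.matches(frame):
                if term.count:                      # count is an action modifier
                    self.packets[term.count] += 1
                    self.bytes[term.count] += frame["len"]
                return term.action                  # accept/discard/reject terminate
        return "discard"                            # implicit final term: not explicitly allowed

    def counters(self) -> Dict[str, Tuple[int, int]]:
        """Counter name -> (bytes, packets), the columns of 'show firewall'."""
        return {name: (self.bytes[name], self.packets[name]) for name in self.packets}


class SwitchIngress:
    """The case study filters, applied in the ingress order port then VLAN."""

    def __init__(self):
        self.port_filters = {
            "ge-0/0/6": Filter("limit-MAC-ge006", [
                Term("1", {"src": "00:26:88:02:74:86"}, "accept"),
                Term("2", action="discard", count="ge006-invalid-MAC")]),
            "ge-0/0/7": Filter("limit-MAC-ge007", [
                Term("1", {"src": "00:26:88:02:74:87"}, "accept"),
                Term("2", action="discard", count="ge007-invalid-MAC")]),
        }
        # v11 and v12 both apply the same filter on input.
        self.vlan_filter = Filter("block-dest-MAC-01:80:c2:00:00:00", [
            Term("1", {"dst": "01:80:c2:00:00:00"}, "discard", count="block-stp-bpdus"),
            Term("2", action="accept")])

    def ingress(self, port: str, frame: Dict) -> str:
        verdict = self.port_filters[port].evaluate(frame)
        if verdict != "accept":
            return verdict      # a frame the port filter drops never reaches the VLAN filter
        return self.vlan_filter.evaluate(frame)

    def show_firewall(self) -> Dict[str, Dict[str, Tuple[int, int]]]:
        filters = list(self.port_filters.values()) + [self.vlan_filter]
        return {f.name: f.counters() for f in filters}


# Constructed frames: (ingress port, {source MAC, destination MAC, length in bytes})
SAMPLE_FRAMES = [
    ("ge-0/0/6", {"src": "00:26:88:02:74:86", "dst": "ff:ff:ff:ff:ff:ff", "len": 64}),   # User A, allowed
    ("ge-0/0/6", {"src": "00:26:88:02:74:99", "dst": "ff:ff:ff:ff:ff:ff", "len": 96}),   # unexpected source
    ("ge-0/0/6", {"src": "00:26:88:02:74:86", "dst": "01:80:c2:00:00:00", "len": 60}),   # User A, BPDU
    ("ge-0/0/7", {"src": "00:26:88:02:74:87", "dst": "00:26:88:02:74:86", "len": 128}),  # User B, allowed
    ("ge-0/0/7", {"src": "00:26:88:02:74:99", "dst": "01:80:c2:00:00:00", "len": 60}),   # fails both
]


def run_case_study(frames=SAMPLE_FRAMES):
    """Push the frames through Switch-1 and return (verdicts, counters)."""
    sw = SwitchIngress()
    verdicts = [sw.ingress(port, frame) for port, frame in frames]
    return verdicts, sw.show_firewall()


if __name__ == "__main__":
    verdicts, counters = run_case_study()
    for (port, frame), verdict in zip(SAMPLE_FRAMES, verdicts):
        print(f"{port} {frame['src']} -> {frame['dst']}: {verdict}")
    for name, ctrs in counters.items():
        print(f"Filter: {name}")
        for counter, (nbytes, npkts) in ctrs.items():
            print(f"  {counter:<24}{nbytes:>8}{npkts:>8}")
```

The last sample frame is the instructive one: it violates both policies, but only ge007-invalid-MAC increments, because the port filter discards it before the VLAN filter is consulted. When reading show firewall counters, remember that an earlier filter in the processing order hides matches from the later ones.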


Summary
In this chapter, we:
Described the storm control security feature
Configured and monitored the storm control security feature
Described firewall filter support for EX Series switches
Implemented and monitored the effects of a firewall filter


Review Questions
1. What is a traffic storm and how is it created?
2. What actions can be taken when a storm control level is exceeded?
3. Which types of firewall filters are supported on EX Series switches? Where are they applied?


Lab 5: Storm Control and Firewall Filters


Implement the storm control security feature.
Configure and monitor firewall filters.
