I already wrote about Control Plane Protection in one of my previous posts, which focused on Cisco device configuration. Here we will do the same thing on a Juniper device; I was using Juniper SRX300 and Juniper SRX1500 devices in my lab.
CoPP ??
Control Plane Protection (CoPP) is a method of protecting the processor that runs the services on your network device against excessive flooding. Excessive traffic aimed at your router/firewall processor, whether valid or malicious, is always undesirable and can also be dangerous.
A network device that starts to receive more control traffic than its processor can handle will eventually experience control traffic packet drops, which leads to some router functions becoming unstable. Some of the most common services generating control traffic on a router are routing protocols with their various update packets, Spanning Tree with BPDU packets, HSRP, CDP, ARP, and management services like SSH, SNMP, RADIUS etc.
Some of those control plane traffic types are more important than others, but they all have in common the fact that they don't normally need much bandwidth to function. With that in mind, it is easy to conclude that the situation above, with the router processor at 100% because of control plane traffic, is almost surely caused by a DDoS attack against your device.
Less usual is the situation where a neighboring device experiences some kind of malfunction that makes it send large amounts of control plane traffic out of its interfaces towards your device.
CoPP is the best way to prevent these kinds of attacks or malfunctions from getting in the way of your network device's stability. CoPP is basically QoS configured inbound to your device's control plane (CPU).
CoPP Best Practices
The most stable and effective way to configure CoPP is to guarantee a minimal amount of available bandwidth for each control plane traffic type.
It is important to guarantee just a small portion of bandwidth for each control protocol: minimal, but enough for it to function correctly.
At the end of the CoPP policy it is good advice to catch all other traffic entering the control plane and guarantee some bandwidth for it too, so that we don't deny something we didn't think of at the time, or simply a protocol that will be implemented sometime in the future.
You can usually get the minimal bandwidth needed by each protocol from previous experience or from the protocol documentation.
CoPP Configuration
On a Juniper device the CoPP policy is applied to the lo0.0 interface, which represents the entrance to the control plane:
set interfaces lo0 unit 0 family inet filter input CoPP_Policy
If you are a Cisco guy, you will probably expect to catch the different control plane traffic types with an extended access list. In Junos these are called firewall filters and are written a bit differently.
Before you can apply CoPP_Policy to the lo0.0 interface you need to configure it.
The first part of the CoPP_Policy firewall filter catches OSPF, PIM and BGP protocol traffic and applies policer CRITICAL to it. BGP gets a term of its own, because all match conditions inside one Junos term have to be true at the same time and a port condition is only evaluated for TCP/UDP packets; the policer is filter-specific, so both terms share the same CRITICAL limit:
set firewall filter CoPP_Policy term CRITICAL from protocol ospf
set firewall filter CoPP_Policy term CRITICAL from protocol pim
set firewall filter CoPP_Policy term CRITICAL then policer CRITICAL
set firewall filter CoPP_Policy term CRITICAL-BGP from protocol tcp port bgp
set firewall filter CoPP_Policy term CRITICAL-BGP then policer CRITICAL
The second part of the CoPP_Policy firewall filter catches management SSH, Telnet, SNMP and NTP traffic and applies policer IMPORTANT to it. Additionally, SSH is allowed only from a specific subnet (10.10.10.0/24), which is the Juniper way of configuring what in Cisco is access-class SSH_ACCESS in: SSH from that subnet is policed, SSH from anywhere else is discarded by the next term. SNMP and NTP are UDP, so they get a UDP term of their own:
set firewall filter CoPP_Policy term IMPORTANT-SSH from source-address 10.10.10.0/24
set firewall filter CoPP_Policy term IMPORTANT-SSH from protocol tcp destination-port ssh
set firewall filter CoPP_Policy term IMPORTANT-SSH then policer IMPORTANT
set firewall filter CoPP_Policy term IMPORTANT-SSH-DENY from protocol tcp destination-port ssh
set firewall filter CoPP_Policy term IMPORTANT-SSH-DENY then discard
set firewall filter CoPP_Policy term IMPORTANT-ESTABLISHED from protocol tcp tcp-established destination-address 10.1.16.250
set firewall filter CoPP_Policy term IMPORTANT-ESTABLISHED then policer IMPORTANT
set firewall filter CoPP_Policy term IMPORTANT-TELNET from protocol tcp destination-port telnet
set firewall filter CoPP_Policy term IMPORTANT-TELNET then policer IMPORTANT
set firewall filter CoPP_Policy term IMPORTANT-UDP from protocol udp destination-port snmp
set firewall filter CoPP_Policy term IMPORTANT-UDP from protocol udp destination-port ntp
set firewall filter CoPP_Policy term IMPORTANT-UDP then policer IMPORTANT
Cisco uses separate commands under line vty to limit SSH and Telnet to specific sources only, and that is usually not part of CoPP (note that a standard ACL takes a wildcard mask, not a subnet mask):
ip access-list standard SSH_ACCESS
 permit 10.10.10.0 0.0.0.255
line vty 0 15
 access-class SSH_ACCESS in
 transport input ssh telnet
The third part of the CoPP_Policy firewall filter catches expired-TTL and various other ICMP packets and applies policer NORMAL to it. The ICMP error messages get their own terms so that each icmp-code is paired with the icmp-type it belongs to, instead of being ANDed with the echo types:
set firewall filter CoPP_Policy term NORMAL-TTL from protocol icmp icmp-type time-exceeded icmp-code ttl-eq-zero-during-transit
set firewall filter CoPP_Policy term NORMAL-TTL then policer NORMAL
set firewall filter CoPP_Policy term NORMAL-UNREACHABLE from protocol icmp icmp-type unreachable icmp-code port-unreachable
set firewall filter CoPP_Policy term NORMAL-UNREACHABLE then policer NORMAL
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-type echo-reply
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-type echo-request
set firewall filter CoPP_Policy term NORMAL then policer NORMAL
The fourth part of the CoPP_Policy firewall filter catches UDP port 1434 packets and applies policer UNDESIRABLE to it:
set firewall filter CoPP_Policy term UNDESIRABLE from protocol udp destination-port 1434
set firewall filter CoPP_Policy term UNDESIRABLE then policer UNDESIRABLE
The last part catches everything else (including things we forgot or didn't even know were using the control plane) and applies policer ALL-OTHER to it:
set firewall filter CoPP_Policy term ALL-OTHER from address 0.0.0.0/0
set firewall filter CoPP_Policy term ALL-OTHER then policer ALL-OTHER
Firewall policers are also defined under the firewall configuration; here we configure the limit for each policer together with the allowed burst (bandwidth-limit is in bits per second, burst-size-limit in bytes):
set firewall policer CRITICAL filter-specific
set firewall policer CRITICAL if-exceeding bandwidth-limit 4000000 burst-size-limit 1500
set firewall policer CRITICAL then discard
set firewall policer IMPORTANT filter-specific
set firewall policer IMPORTANT if-exceeding bandwidth-limit 512000 burst-size-limit 16000
set firewall policer IMPORTANT then discard
set firewall policer NORMAL filter-specific
set firewall policer NORMAL if-exceeding bandwidth-limit 64000 burst-size-limit 2000
set firewall policer NORMAL then discard
set firewall policer UNDESIRABLE filter-specific
set firewall policer UNDESIRABLE if-exceeding bandwidth-limit 32000 burst-size-limit 1500
set firewall policer UNDESIRABLE then discard
set firewall policer ALL-OTHER filter-specific
set firewall policer ALL-OTHER if-exceeding bandwidth-limit 32000 burst-size-limit 1500
set firewall policer ALL-OTHER then discard
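As an added check that is not part of the original post and not a Juniper tool, the following Python linter parses the flat set-command form used above and flags the Junos term pitfalls that silently send a protocol to the catch-all policer (mixed protocol and port matches in one term, source-port ANDed with destination-port, policer combined with discard, a policer without an if-exceeding clause). The sample command list is constructed for this example and deliberately contains an OSPF/BGP term with both port directions and a mis-spelled if-exceding keyword; the check names and messages are mine.

```python
"""Lint a CoPP filter given as flat Junos 'set firewall ...' commands.
Junos ANDs match conditions of different types inside one term, and port
conditions only apply to TCP/UDP, so 'protocol ospf' plus 'destination-port
bgp' in one term never matches OSPF: it falls through to the catch-all policer."""
from collections import defaultdict

PORT_KEYS = {"port", "source-port", "destination-port"}
FLAGS = {"tcp-established", "tcp-initial", "is-fragment"}  # value-less match keywords


def parse(cmds):
    # returns term -> {match: [values]}, term -> [actions], policer -> {keyword: rest}
    terms, actions, policers = defaultdict(lambda: defaultdict(list)), defaultdict(list), defaultdict(dict)
    for cmd in cmds:
        w = cmd.split()
        if w[:3] == ["set", "firewall", "filter"] and len(w) > 7 and w[6] == "from":
            toks = w[7:]
            while toks:  # one 'from' statement may carry several conditions
                key = toks.pop(0)
                terms[w[5]][key].append("yes" if key in FLAGS or not toks else toks.pop(0))
        elif w[:3] == ["set", "firewall", "filter"] and len(w) > 7 and w[6] == "then":
            actions[w[5]].append(" ".join(w[7:]))
        elif w[:3] == ["set", "firewall", "policer"] and len(w) > 4:
            policers[w[3]][w[4]] = " ".join(w[5:])
    return terms, actions, policers


def lint(cmds):
    terms, actions, policers = parse(cmds)
    issues = []  # human-readable problems; empty means the filter looks sane
    for term, m in terms.items():
        non_l4 = set(m.get("protocol", [])) - {"tcp", "udp"}
        if PORT_KEYS & set(m) and non_l4:
            issues.append(f"{term}: port match never fires for {sorted(non_l4)}, split the term")
        if "source-port" in m and "destination-port" in m:
            issues.append(f"{term}: source-port AND destination-port both required, use 'port'")
    for term, acts in actions.items():
        for pol in (a.split()[1] for a in acts if a.startswith("policer ")):
            if pol not in policers:
                issues.append(f"{term}: policer {pol} is not defined")
            elif "discard" in acts:
                issues.append(f"{term}: policer plus discard drops every matched packet")
    for pol, cfg in policers.items():
        if "if-exceeding" not in cfg:
            issues.append(f"policer {pol}: no if-exceeding clause (typo such as if-exceding?)")
    return issues


# Constructed sample: a single CRITICAL term mixing OSPF with BGP ports, plus a policer typo.
T = "set firewall filter CoPP_Policy term CRITICAL "
BROKEN = [T + "from protocol ospf", T + "from protocol tcp destination-port bgp",
          T + "from protocol tcp source-port bgp", T + "then policer CRITICAL",
          "set firewall policer CRITICAL if-exceding bandwidth-limit 4000000 burst-size-limit 1500",
          "set firewall policer CRITICAL then discard"]
```

Running `lint(BROKEN)` reports three problems; after splitting BGP into its own term with `port bgp` and fixing the keyword, the same checks return an empty list.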