Juniper Control Plane Protection

I already wrote about Control Plane Protection in one of my previous posts, focused on Cisco device configuration. Here we will do the same thing on a Juniper device; I was using Juniper SRX300 and Juniper SRX1500 devices in my lab.

CoPP ??

Control Plane Protection (CoPP) is a method of protecting the processor that runs the services on your network device (the Routing Engine, in Juniper terms) against excessive flooding. A flood of traffic aimed at your router or firewall processor, whether valid or malicious, is always undesirable and can also be dangerous.

A network device that starts to receive more control traffic than its processor can handle will eventually drop control traffic packets, and that leads to some of the router's functions becoming unstable. Some of the most common control-traffic-generating services on a router are routing protocols with their various update packets, Spanning Tree with BPDU packets, HSRP, CDP, ARP, and management services like SSH, SNMP, RADIUS and so on.

Some of those control plane traffic types are more important than others, but they all have in common the fact that they do not normally need much bandwidth to function. With that in mind, a router processor sitting at 100% because of control plane traffic is very likely the result of a DoS or DDoS attack aimed at the device itself (or at an address the device answers for), not of legitimate load.

Less common, but it happens, is a neighboring device with some kind of malfunction that makes it send large amounts of control plane traffic out of its interfaces towards your device.

CoPP is the best way to keep attacks or malfunctions of this kind from getting in the way of your network device's stability. CoPP is basically QoS configured inbound to your device's control plane (CPU): each class of control traffic is policed to a rate the processor can comfortably handle.

CoPP Best Practices

The most stable and effective way to configure CoPP is to guarantee a minimal amount of bandwidth for each control plane traffic type.

It is important to guarantee just a small portion of bandwidth for each control protocol: minimal, but enough for it to function correctly. Set it too low and you rate-limit your own routing adjacencies; set it too high and the protection is worthless during an attack.

At the end of the CoPP policy it is good practice to catch all other traffic entering the control plane and guarantee some bandwidth for it too, so that we do not deny something we did not think of at the time, or a protocol that will be implemented sometime in the future.

You can usually get the minimal bandwidth needed for each protocol from previous experience or the protocol documentation; the policer counters on a device that has carried normal traffic for a while are the final check that the values are not too tight.

CoPP Configuration

On a Juniper device the CoPP policy is applied as an input firewall filter on the lo0.0 interface, which represents the entrance to the control plane: a filter there is evaluated against every packet destined to the device itself, whichever physical interface it arrived on. On an SRX the zone's host-inbound-traffic settings still decide which services the box answers on at all; the lo0 filter is an additional stage that polices (and can drop) what those settings let in. Because a mistake here can cut off your own management session, apply it with commit confirmed the first time.

set interfaces lo0 unit 0 family inet filter input CoPP_Policy

If you are a Cisco guy, you will probably expect to catch the different control plane traffic types with an extended access list. On Juniper these are called firewall filters and they are written a bit differently: a filter is a list of terms evaluated top to bottom and the first term that matches wins; within a term every match condition must be true (different conditions are ANDed, multiple values of the same condition are ORed); a term that only names a policer accepts the packet; and a filter ends with an implicit discard for anything no term matched.

Before you can apply CoPP_Policy to the lo0.0 interface you need to configure it.

This first part of CoPP_Policy catches OSPF, PIM and BGP traffic and applies policer CRITICAL to it. OSPF and PIM carry no TCP ports, so they get a term of their own; putting them in the same term as a TCP port condition would make that term unmatchable for them. BGP is matched with port bgp, which matches TCP port 179 as either source or destination (a session we initiated has 179 as destination, one the neighbor opened has it as source). The explicit accept is what Junos does anyway for a term whose only action is a policer, but writing it out makes the intent clear. In production you would also restrict the BGP term to the addresses of your peers (Junos lets a term match on a source prefix list):

set firewall filter CoPP_Policy term CRITICAL from protocol [ ospf pim ]
set firewall filter CoPP_Policy term CRITICAL then policer CRITICAL
set firewall filter CoPP_Policy term CRITICAL then accept
set firewall filter CoPP_Policy term BGP from protocol tcp
set firewall filter CoPP_Policy term BGP from port bgp
set firewall filter CoPP_Policy term BGP then policer CRITICAL
set firewall filter CoPP_Policy term BGP then accept

The second part of CoPP_Policy catches the management protocols SSH, Telnet, SNMP and NTP and applies policer IMPORTANT to them. Additionally, SSH is allowed only from a specific subnet (10.10.10.0/24): the SSH-ALLOWED term passes SSH from that subnet to the policer, and the SSH-DENIED term right after it discards SSH from anywhere else. Terms are evaluated in order, so the allow term must come first; and a single term must not name both a policer and discard, because discard is then the term's action for everything it matches. SNMP and NTP run over UDP, so they get their own term under protocol udp. This is the Juniper way of doing what Cisco does with access-class SSH_ACCESS in:

set firewall filter CoPP_Policy term SSH-ALLOWED from source-address 10.10.10.0/24
set firewall filter CoPP_Policy term SSH-ALLOWED from protocol tcp
set firewall filter CoPP_Policy term SSH-ALLOWED from destination-port ssh
set firewall filter CoPP_Policy term SSH-ALLOWED then policer IMPORTANT
set firewall filter CoPP_Policy term SSH-ALLOWED then accept
set firewall filter CoPP_Policy term SSH-DENIED from protocol tcp
set firewall filter CoPP_Policy term SSH-DENIED from destination-port ssh
set firewall filter CoPP_Policy term SSH-DENIED then discard
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp
set firewall filter CoPP_Policy term IMPORTANT from destination-port telnet
set firewall filter CoPP_Policy term IMPORTANT then policer IMPORTANT
set firewall filter CoPP_Policy term IMPORTANT then accept
set firewall filter CoPP_Policy term IMPORTANT-UDP from protocol udp
set firewall filter CoPP_Policy term IMPORTANT-UDP from destination-port [ snmp ntp ]
set firewall filter CoPP_Policy term IMPORTANT-UDP then policer IMPORTANT
set firewall filter CoPP_Policy term IMPORTANT-UDP then accept

Cisco uses separate commands under line vty to limit SSH and Telnet to specific sources only, and that is usually not part of CoPP:

ip access-list standard SSH_ACCESS
 permit 10.10.10.0 255.255.255.0

line vty 0 15
 access-class SSH_ACCESS in
 transport input ssh telnet

The third part of CoPP_Policy catches ICMP: expired TTL (time-exceeded, which traceroute depends on), destination unreachable (including port unreachable), and echo request and reply. Junos requires icmp-type in any term that uses icmp-code, and codes belong to a specific type, so the term simply matches on the ICMP types and applies policer NORMAL:

set firewall filter CoPP_Policy term NORMAL from protocol icmp
set firewall filter CoPP_Policy term NORMAL from icmp-type [ time-exceeded unreachable echo-request echo-reply ]
set firewall filter CoPP_Policy term NORMAL then policer NORMAL
set firewall filter CoPP_Policy term NORMAL then accept

The fourth part of CoPP_Policy catches UDP port 1434 packets (the classic "undesirable" class in CoPP examples, the port the SQL Slammer worm targeted) and applies policer UNDESIRABLE to them. If you are sure there is no legitimate use for a class of traffic on your control plane, a plain discard is simpler than a policer; the policer keeps the counters visible:

set firewall filter CoPP_Policy term UNDESIRABLE from protocol udp
set firewall filter CoPP_Policy term UNDESIRABLE from destination-port 1434
set firewall filter CoPP_Policy term UNDESIRABLE then policer UNDESIRABLE
set firewall filter CoPP_Policy term UNDESIRABLE then accept

The last part catches everything else (including whatever we forgot, or did not even know we were using in the control plane) and applies policer ALL-OTHER to it. A term with no from conditions matches every packet. This term is not optional: a Junos filter ends with an implicit discard, so without a catch-all everything not explicitly accepted above, ARP resolution on some platforms, VRRP, RADIUS replies, the next protocol you deploy, would be silently dropped at the Routing Engine:

set firewall filter CoPP_Policy term ALL-OTHER then policer ALL-OTHER
set firewall filter CoPP_Policy term ALL-OTHER then accept
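To make the matching rules concrete, here is a small Python model of how Junos evaluates a filter. It is an added example written for this post, not Juniper code, and it implements only the match conditions used above (protocol, source and destination address, ports, icmp-type). It encodes the semantics of a Junos filter: within a term different conditions are ANDed and repeated values ORed, the first fully matching term wins, a term whose only action is a policer accepts, and a packet that matches no term hits the implicit discard. Both filters and all packets are constructed for the example. The PITFALL filter mixes OSPF and PIM with the BGP port conditions in one term and names both a policer and discard in its SSH term, which is an easy mistake to make when typing set commands; the FIXED filter splits those into separate terms and ends with a catch-all.

```python
"""Toy model of Junos firewall-filter term evaluation (added example, not Juniper code).
Modelled: conditions in a term are ANDed, values of one condition ORed; first matching
term wins; a term with only action modifiers (policer) accepts; no match = implicit
discard. A port condition cannot be satisfied by a protocol without ports (OSPF, PIM).
Filters and packets below are constructed for the example.
"""
import ipaddress

PORTS = {"ssh": 22, "telnet": 23, "bgp": 179, "snmp": 161, "ntp": 123}  # IANA numbers
TERMINATING = ("accept", "discard", "reject")


def parse_set_lines(lines):
    """Turn 'set firewall filter NAME term T from|then ...' lines into an ordered term list."""
    terms, order = {}, []
    for line in lines:
        tok = line.split()
        if tok[:3] != ["set", "firewall", "filter"] or tok[4] != "term":
            continue
        name = tok[5]
        if name not in terms:
            terms[name] = {"from": {}, "then": []}
            order.append(name)
        if tok[6] == "from":
            values = [v for v in tok[8:] if v not in ("[", "]")]  # allow [ a b ] lists
            terms[name]["from"].setdefault(tok[7], set()).update(values)
        elif tok[6] == "then":
            terms[name]["then"].extend(tok[7:])
    return [(n, terms[n]) for n in order]


def cond_matches(cond, values, pkt):
    """One match condition against a packet dict: protocol, src, dst, sport, dport, icmp_type."""
    if cond == "protocol":
        return pkt["protocol"] in values
    if cond in ("source-address", "destination-address"):
        addr = ipaddress.ip_address(pkt["src" if cond == "source-address" else "dst"])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if cond in ("source-port", "destination-port", "port"):
        wanted = {PORTS[v] if v in PORTS else int(v) for v in values}
        seen = [pkt.get("sport")] if cond != "destination-port" else []
        if cond != "source-port":
            seen.append(pkt.get("dport"))  # None for OSPF/PIM/ICMP, so never in wanted
        return any(p in wanted for p in seen)
    if cond == "icmp-type":
        return pkt.get("icmp_type") in values
    raise ValueError("match condition not modelled: " + cond)


def evaluate(filter_terms, pkt):
    """Return (term name, terminating action, policer name) for the first term that matches."""
    for name, term in filter_terms:
        if all(cond_matches(c, v, pkt) for c, v in term["from"].items()):
            actions = term["then"]
            policer = actions[actions.index("policer") + 1] if "policer" in actions else None
            return name, next((a for a in actions if a in TERMINATING), "accept"), policer
    return None, "discard", None  # implicit discard: no term matched


# Pitfall layout: OSPF/PIM share a term with BGP port conditions, and the SSH term
# names both a policer and discard, so it discards the traffic it was meant to allow.
PITFALL_FILTER = parse_set_lines([
    "set firewall filter CoPP term CRITICAL from protocol [ ospf pim tcp ]",
    "set firewall filter CoPP term CRITICAL from destination-port bgp",
    "set firewall filter CoPP term CRITICAL from source-port bgp",
    "set firewall filter CoPP term CRITICAL then policer CRITICAL",
    "set firewall filter CoPP term IMPORTANT from source-address 10.10.10.0/24",
    "set firewall filter CoPP term IMPORTANT from protocol tcp",
    "set firewall filter CoPP term IMPORTANT from destination-port ssh",
    "set firewall filter CoPP term IMPORTANT then policer IMPORTANT",
    "set firewall filter CoPP term IMPORTANT then discard",
])

# Fixed layout: one term per protocol family, 'port bgp' for either direction, an SSH allow
# term ahead of an SSH discard term, UDP services under protocol udp, and a catch-all.
FIXED_FILTER = parse_set_lines([
    "set firewall filter CoPP term CRITICAL from protocol [ ospf pim ]",
    "set firewall filter CoPP term CRITICAL then policer CRITICAL",
    "set firewall filter CoPP term BGP from protocol tcp",
    "set firewall filter CoPP term BGP from port bgp",
    "set firewall filter CoPP term BGP then policer CRITICAL",
    "set firewall filter CoPP term SSH-ALLOWED from source-address 10.10.10.0/24",
    "set firewall filter CoPP term SSH-ALLOWED from protocol tcp",
    "set firewall filter CoPP term SSH-ALLOWED from destination-port ssh",
    "set firewall filter CoPP term SSH-ALLOWED then policer IMPORTANT",
    "set firewall filter CoPP term SSH-DENIED from protocol tcp",
    "set firewall filter CoPP term SSH-DENIED from destination-port ssh",
    "set firewall filter CoPP term SSH-DENIED then discard",
    "set firewall filter CoPP term MGMT-UDP from protocol udp",
    "set firewall filter CoPP term MGMT-UDP from destination-port [ snmp ntp ]",
    "set firewall filter CoPP term MGMT-UDP then policer IMPORTANT",
    "set firewall filter CoPP term ALL-OTHER then policer ALL-OTHER",
])

# Constructed packets as the lo0 filter would see them.
OSPF_HELLO = {"protocol": "ospf", "src": "10.1.1.2", "dst": "224.0.0.5"}
BGP_OPEN = {"protocol": "tcp", "src": "10.1.1.2", "dst": "10.1.1.1", "sport": 50123, "dport": 179}
SSH_OK = {"protocol": "tcp", "src": "10.10.10.5", "dst": "10.1.16.250", "sport": 40000, "dport": 22}
SSH_BAD = {"protocol": "tcp", "src": "192.0.2.9", "dst": "10.1.16.250", "sport": 40000, "dport": 22}
NTP_REQ = {"protocol": "udp", "src": "10.1.16.1", "dst": "10.1.16.250", "sport": 123, "dport": 123}
VRRP = {"protocol": "vrrp", "src": "10.1.16.2", "dst": "224.0.0.18"}

if __name__ == "__main__":
    for pkt in (OSPF_HELLO, BGP_OPEN, SSH_OK, SSH_BAD, NTP_REQ, VRRP):
        print(pkt["protocol"], evaluate(PITFALL_FILTER, pkt), evaluate(FIXED_FILTER, pkt))
```

Running it prints each packet's verdict under both filters. Under the pitfall filter the OSPF hello and the BGP segment reach the implicit discard (no term could match them) and SSH from the permitted subnet is discarded by its own term; under the fixed filter each packet lands on the intended term and policer. Dropping the last term of the fixed filter (FIXED_FILTER[:-1]) sends the VRRP packet to the implicit discard, which is the lockout the catch-all term exists to prevent.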

The firewall policers are also defined under the firewall configuration, where we set the limit for each policer together with the allowed burst. bandwidth-limit is in bits per second and burst-size-limit in bytes; filter-specific means one policer instance is shared by every term in the filter that references it (so CRITICAL's 4 Mbps covers OSPF, PIM and BGP together), rather than a separate instance per term. Traffic above the limit is discarded, which is exactly the behaviour we want for a control plane flood. After committing, the per-policer packet and byte counters in the output of show firewall filter CoPP_Policy are the quickest way to see whether a limit is too low for normal traffic:

set firewall policer CRITICAL filter-specific
set firewall policer CRITICAL if-exceeding bandwidth-limit 4000000 burst-size-limit 1500
set firewall policer CRITICAL then discard

set firewall policer IMPORTANT filter-specific
set firewall policer IMPORTANT if-exceeding bandwidth-limit 512000 burst-size-limit 16000
set firewall policer IMPORTANT then discard

set firewall policer NORMAL filter-specific
set firewall policer NORMAL if-exceeding bandwidth-limit 64000 burst-size-limit 2000
set firewall policer NORMAL then discard

set firewall policer UNDESIRABLE filter-specific
set firewall policer UNDESIRABLE if-exceeding bandwidth-limit 32000 burst-size-limit 1500
set firewall policer UNDESIRABLE then discard

set firewall policer ALL-OTHER filter-specific
set firewall policer ALL-OTHER if-exceeding bandwidth-limit 32000 burst-size-limit 1500
set firewall policer ALL-OTHER then discard
