Chapter 6: Device Security and Firewall Filters
Junos Enterprise Switching

© 2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services

Chapter Objectives

After successfully completing this chapter, you will be able to:

• Describe the storm control security feature
• Configure and monitor the storm control security feature
• Describe firewall filter support for EX Series switches
• Implement and monitor the effects of a firewall filter


Agenda: Device Security and Firewall Filters

Storm Control

Firewall Filters


Traffic Storms

Some traffic types, such as broadcast and unknown unicast, can continuously propagate through a LAN, consuming resources and affecting performance. Because every switch floods these frames out every port in the VLAN, a single host can degrade the whole segment, whether by accident (a bridging loop, a faulty NIC) or deliberately; this is why storm control is treated as a security feature and not only as a performance feature.

Diagram: User A (MAC 00:26:88:02:74:86) initiates traffic to a destination MAC address not known or located in the network. Switch-1, Switch-2, and Switch-3 each flood the frames to Users B through F (MACs 00:26:88:02:74:87 through 00:26:88:02:74:91), producing a traffic storm.


Introducing Storm Control

Storm control monitors traffic levels and drops traffic when the threshold (storm control level) is exceeded.

• Prevents traffic from proliferating and degrading the LAN

Diagram: Switch-1, with storm control enabled, drops the excess flooded traffic so the traffic storm does not propagate into the rest of the LAN. The storm control feature ensures traffic storms do not degrade LAN performance.


Storm Control Configuration

Storm control is enabled by default on EX switches.

• Default storm control level is 80 percent for all interfaces
• You can modify the default configuration settings at the [edit ethernet-switching-options] hierarchy

Switch-1:

    {master:0}[edit]
    user@Switch-1# load factory-default
    warning: activating factory configuration

    {master:0}[edit]
    user@Switch-1# show ethernet-switching-options
    storm-control {
        interface all;
    }

Note: Using the default configuration, all broadcast, multicast, and unknown unicast traffic in excess of 80 percent of the interface bandwidth is dropped. The interface all statement applies that threshold to every switch port; a level (percentage of bandwidth) statement under a specifically named interface sets a different threshold for that port.


Changing the Default Configuration

Before modifying the default configuration, monitor broadcast, multicast, and unknown unicast traffic levels in the LAN under normal operating conditions.

• Use the benchmark data to determine acceptable traffic levels; the question to answer is whether the default storm control level is acceptable, too high, or too low for this LAN
• Configure storm control to set the level at which you want to drop broadcast traffic, multicast traffic, unknown unicast traffic, or all three

A level set too high lets a storm run long enough to hurt other hosts before it is cut off; a level set too low drops legitimate bursts (for example, ARP-heavy or multicast-heavy applications) and becomes a self-inflicted outage. Measure first, then set the threshold.


Storm Control Actions

When the storm control level is exceeded, the switch can either drop the offending traffic (default) or shut down the interface through which the traffic is passing.

Default behavior (offending traffic is discarded, the interface stays up):

    {master:0}[edit ethernet-switching-options]
    user@Switch-1# show
    storm-control {
        interface all;
    }

Use the action-shutdown option to alter the default behavior (the interface is disabled):

    {master:0}[edit ethernet-switching-options]
    user@Switch-1# show
    storm-control {
        action-shutdown;
        interface all;
    }

Shutting the port down stops the storm completely, but it also means a single misbehaving or hostile host can take down the port it is attached to, and every host behind that port if it is a trunk or uplink. Combine action-shutdown with interface all only if that trade-off is acceptable for every port.


Automatic Error Condition Recovery

By default, when the action-shutdown option is used and the storm control level is exceeded, the interface is shut down until it is manually re-enabled.

Alternatively, you can automate error condition recovery using the port-error-disable option:

    {master:0}[edit ethernet-switching-options]
    user@Switch-1# show
    port-error-disable {
        disable-timeout 300;
    }
    storm-control {
        action-shutdown;
        interface all;
    }

Specify a disable timeout value between 10 and 3600 seconds.


Monitoring Automatic Recovery

You can monitor the automatic recovery process by:

• Using show ethernet-switching interfaces to view interface state details
• Using show log messages to view violation details

    {master:0}
    user@Switch-1> show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    ge-0/0/6.0   up     v11           11   untagged  unblocked
    ge-0/0/8.0   up     v11           11   tagged    unblocked
    ge-0/0/9.0   down   v11           11   tagged    Storm control in effect (00:03:57) remaining
    me0.0        up     mgmt               untagged  unblocked

    {master:0}
    user@Switch-1> show log messages | match storm | match ge-0/0/9
    Jul 29 09:38:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
    Jul 29 09:43:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port

The interface was re-enabled after the disable timeout period (5 minutes).
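The two syslog lines above are all the switch gives you, and on a busy network they scroll past. The following Python script is an added example (it is not Juniper code and not part of the course material) that does offline what an operator would otherwise do with "show log messages | match storm": it parses ESWD_ST_CTL_ERROR_DISABLED and ESWD_ST_CTL_ERROR_ENABLED events, measures how long each port stayed error-disabled, and flags ports that keep tripping, because a port that is re-enabled by port-error-disable and immediately storms again is still attached to a loop or a hostile host. The two ge-0/0/9.0 lines are the ones on the slide; the UI_COMMIT line, the ge-0/0/12.0 lines, and the three-trips-per-hour flap threshold are constructed for this example.

```python
"""Detection logic for storm-control error-disable events in Junos syslog.

Added example, not from the course material. It parses the ESWD_ST_CTL_ERROR_DISABLED and
ESWD_ST_CTL_ERROR_ENABLED messages shown on the slide (the equivalent of
'show log messages | match storm'), measures how long each port stayed error-disabled, and
flags ports that keep tripping: one trip is a misbehaving host or a transient loop, but a
port that is disabled repeatedly within a short window is still storming every time
port-error-disable brings it back, and needs a person to look at it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The two ge-0/0/9.0 lines are the ones on the slide;
# the UI_COMMIT line and the ge-0/0/12.0 lines are invented for this example.
SAMPLE_LOG = """\
Jul 29 09:38:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
Jul 29 09:40:02 Switch-1 mgd[1203]: UI_COMMIT: User 'user' requested 'commit' operation
Jul 29 09:43:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port
Jul 29 09:50:01 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/12.0: storm control disabled port
Jul 29 09:55:01 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/12.0: storm control enabled port
Jul 29 09:55:40 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/12.0: storm control disabled port
Jul 29 10:00:40 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/12.0: storm control enabled port
Jul 29 10:01:10 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/12.0: storm control disabled port
"""

EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) eswd\[\d+\]: "
    r"ESWD_ST_CTL_ERROR_(?P<state>DISABLED|ENABLED): (?P<ifl>\S+): storm control"
)


def parse_storm_events(log_text):
    """Return (timestamp, interface, 'DISABLED'|'ENABLED') for every storm-control event."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # unrelated messages, like the CLI's '| match storm'
        # Syslog timestamps carry no year; this assumes all lines fall within one calendar year.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ifl"], m["state"]))
    return events


def summarize(events, flap_count=3, window=timedelta(hours=1)):
    """Per interface: number of trips, how long each error-disable lasted, whether the port is
    down right now, and whether it tripped flap_count times within window."""
    per_port = defaultdict(lambda: {"disables": [], "durations_s": [], "down_since": None})
    for ts, ifl, state in sorted(events):
        port = per_port[ifl]
        if state == "DISABLED":
            port["disables"].append(ts)
            port["down_since"] = ts
        elif port["down_since"] is not None:
            port["durations_s"].append(int((ts - port["down_since"]).total_seconds()))
            port["down_since"] = None
    report = {}
    for ifl, port in per_port.items():
        trips = port["disables"]
        flapping = any(trips[i + flap_count - 1] - trips[i] <= window
                       for i in range(len(trips) - flap_count + 1))
        report[ifl] = {
            "trips": len(trips),
            "durations_s": port["durations_s"],
            "still_disabled": port["down_since"] is not None,
            "flapping": flapping,
        }
    return report


def ports_needing_attention(report):
    """Ports that are flapping, or still down, are the ones to investigate rather than just clear."""
    return sorted(ifl for ifl, r in report.items() if r["flapping"] or r["still_disabled"])


if __name__ == "__main__":
    report = summarize(parse_storm_events(SAMPLE_LOG))
    for ifl, r in sorted(report.items()):
        print(ifl, r)
    print("attention:", ports_needing_attention(report))
```

On the sample, ge-0/0/9.0 shows one trip lasting 300 seconds, exactly the configured disable-timeout, and is not flagged; ge-0/0/12.0 has tripped three times in eleven minutes and is currently down, so it is reported. The "still_disabled" flag also catches the case where action-shutdown is used without port-error-disable: there is no ENABLED message until someone clears the port by hand.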


Clearing Violations Manually

Use clear ethernet-switching port-error interface to clear violations manually:

    {master:0}
    user@Switch-1> show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    ge-0/0/6.0   up     v11           11   untagged  unblocked
    ge-0/0/8.0   up     v11           11   tagged    unblocked
    ge-0/0/9.0   down   v11           11   tagged    Storm control in effect (00:04:17) remaining
    me0.0        up     mgmt               untagged  unblocked

    {master:0}
    user@Switch-1> clear ethernet-switching port-error interface ge-0/0/9

    {master:0}
    user@Switch-1> show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    ge-0/0/6.0   up     v11           11   untagged  unblocked
    ge-0/0/8.0   up     v11           11   tagged    unblocked
    ge-0/0/9.0   up     v11           11   tagged    unblocked
    me0.0        up     mgmt               untagged  unblocked

Clearing the error condition does not remove its cause. If the offending host or loop is still present, the storm resumes and the port is disabled again as soon as the level is exceeded.



Firewall Filters: A Review

Firewall filters control the traffic entering and leaving a networking device in a stateless fashion:

• Processes every packet independently; no connection or session state is kept, so return traffic is not implicitly permitted and must match an accepting term of its own
• Used to filter and monitor network traffic


Firewall Filter Types

Firewall filter types include:

Filter Type    Application / Description
Port-based     Applied to Layer 2 switch ports in the ingress and egress directions
VLAN-based     Applied to Layer 2 VLANs in the ingress and egress directions
Router-based   Applied to Layer 3 routed interfaces in the ingress and egress directions

    {master:0}[edit firewall]
    user@Switch-1# edit family ?
    Possible completions:
    > any                  Protocol-independent filter
    > ethernet-switching   Protocol family Ethernet Switching for firewall filter
    > inet                 Protocol family IPv4 for firewall filter
    > inet6                Protocol family IPv6 for firewall filter

Port-based and VLAN-based filters use the family ethernet-switching option, while router-based filters use family inet or family inet6 depending on the traffic type.


Processing Order of Firewall Filters

Processing order considerations:

• Ingress processing order is port, VLAN, then router
• Egress processing is performed in the reverse order
• A router-based filter applied to an RVI does not apply to switched packets in the same VLAN

The last point matters for access control: traffic between two hosts in the same VLAN is switched, never routed, so a filter on the RVI never sees it. Anything that must constrain host-to-host traffic within a VLAN has to be a port-based or VLAN-based filter.

Diagram: Rx packet -> input port filter -> VLAN filter -> router filter (ingress); router filter -> VLAN filter -> output port filter -> Tx packet (egress).


Building Blocks of Firewall Filters

Firewall filters consist of one or more terms; the software evaluates terms sequentially until it reaches a terminating action.

• from statements describe match conditions; a term with no from statement matches every packet, which is how an explicit catch-all term is written
• then statements describe the actions to take if a match with the from statement occurs
• Filter and term names are user-defined (my-filter, firstterm and secondterm in the diagram)
• discard is the default action for packets not explicitly allowed: a packet that matches none of the configured terms is dropped by an implicit final term

Diagram (my-filter): term firstterm (from / then) -> no match -> term secondterm (from / then) -> no match -> term Default (discard). On a match, the term's then actions are applied, and evaluation stops at the first terminating action.

Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command.


Common Match Criteria

The from statements describe match conditions. A filter can match on most header fields; the match condition categories include:

• Numeric range (for example, protocol numbers or TCP/UDP port numbers)
• Address (MAC addresses or IP prefixes)
• Bit field (for example, TCP flags)


Firewall Filter Actions

The then statements describe the actions to take. Common actions in firewall filters:

• Terminating actions:
  • accept
  • discard
  • reject
• Action modifiers:
  • analyzer, count, log, and syslog
  • forwarding-class and loss-priority
  • policer

Note: The software discards all traffic not explicitly allowed! The converse also applies: a term that specifies only action modifiers (for example, then count) and no terminating action accepts the matching traffic, so a counting term intended to drop traffic must say discard explicitly.


Case Study: Topology and Objectives

Topology: Switch-1 with two access ports. User A is in VLAN v11 (172.23.11.100/24, MAC 00:26:88:02:74:86); User B is in VLAN v12 (172.23.12.100/24, MAC 00:26:88:02:74:87).

Objectives:

• Implement filters on the access ports so that only frames using the expected source MAC addresses are permitted
  • Discard and count frames sourced from any other MAC addresses
• Implement a filter on both VLANs to block frames destined to MAC address 01:80:c2:00:00:00 (the IEEE 802.1D bridge group address to which STP BPDUs are sent)
  • Discard and count frames destined to the referenced MAC address

A source-MAC filter only checks the address a host claims to have. It stops mispatched or unexpected devices and gives you a counter that proves it happened, but it does not stop a host that spoofs the permitted address.


Case Study: Configuring the Filters (1 of 2)

    {master:0}[edit firewall family ethernet-switching]
    user@Switch-1# show filter limit-MAC-ge006
    term 1 {
        from {
            source-mac-address {
                00:26:88:02:74:86;
            }
        }
        then accept;
    }
    term 2 {
        then {
            discard;
            count ge006-invalid-MAC;
        }
    }

    {master:0}[edit firewall family ethernet-switching]
    user@Switch-1# show filter limit-MAC-ge007
    term 1 {
        from {
            source-mac-address {
                00:26:88:02:74:87;
            }
        }
        then accept;
    }
    term 2 {
        then {
            discard;
            count ge007-invalid-MAC;
        }
    }


Case Study: Configuring the Filters (2 of 2)

    {master:0}[edit firewall family ethernet-switching]
    user@Switch-1# show filter block-dest-MAC-01:80:c2:00:00:00
    term 1 {
        from {
            destination-mac-address {
                01:80:c2:00:00:00;
            }
        }
        then {
            discard;
            count block-stp-bpdus;
        }
    }
    term 2 {
        then accept;
    }


Case Study: Applying the Filters (1 of 2)

    {master:0}[edit interfaces]
    user@Switch-1# show ge-0/0/6
    unit 0 {
        family ethernet-switching {
            vlan {
                members v11;
            }
            filter {
                input limit-MAC-ge006;
            }
        }
    }

    {master:0}[edit interfaces]
    user@Switch-1# show ge-0/0/7
    unit 0 {
        family ethernet-switching {
            vlan {
                members v12;
            }
            filter {
                input limit-MAC-ge007;
            }
        }
    }


Case Study: Applying the Filters (2 of 2)

    {master:0}[edit vlans]
    user@Switch-1# show
    v11 {
        vlan-id 11;
        filter {
            input block-dest-MAC-01:80:c2:00:00:00;
        }
        l3-interface vlan.11;
    }
    v12 {
        vlan-id 12;
        filter {
            input block-dest-MAC-01:80:c2:00:00:00;
        }
        l3-interface vlan.12;
    }


Case Study: Monitoring Firewall Filters

    {master:0}
    user@Switch-1> show firewall

    Filter: block-dest-MAC-01:80:c2:00:00:00
    Counters:
    Name                 Bytes     Packets
    block-stp-bpdus        472           7

    Filter: limit-MAC-ge006
    Counters:
    Name                 Bytes     Packets
    ge006-invalid-MAC     1148          12

    Filter: limit-MAC-ge007
    Counters:
    Name                 Bytes     Packets
    ge007-invalid-MAC      842           9
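The counters above only tell you that frames were dropped, not why a given frame was or was not. The following Python model is an added example (it is not Juniper code and Junos exposes nothing like it); it encodes the rules from the Building Blocks and Processing Order slides, terms evaluated in order until the first terminating action, an implicit discard when nothing matches, and the input port filter running before the VLAN filter on ingress, then loads the case study's limit-MAC-ge006 and block-dest-MAC-01:80:c2:00:00:00 filters so the effect of term ordering can be checked offline. The frames it feeds through the filters, and the deliberately misordered copy of the BPDU filter, are constructed for this example.

```python
"""Model of Junos stateless firewall-filter evaluation on an EX switch.

Added example; this is not Juniper code and Junos does not expose anything like it.
It reproduces the rules from the Building Blocks and Processing Order slides (terms
evaluated in order until a terminating action, implicit discard at the end, port filter
before VLAN filter on ingress) and loads the case study's filters, so that the effect
of term ordering can be checked offline. All frames are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Term:
    name: str
    src_mac: Optional[str] = None       # from source-mac-address (None: no condition)
    dst_mac: Optional[str] = None       # from destination-mac-address
    action: str = "accept"              # terminating action: accept | discard
    counter: Optional[str] = None       # then count <name>

    def matches(self, frame: Dict[str, str]) -> bool:
        # A term with no from statement matches every frame (the case study's catch-all terms).
        return ((self.src_mac is None or frame["src"].lower() == self.src_mac.lower()) and
                (self.dst_mac is None or frame["dst"].lower() == self.dst_mac.lower()))


@dataclass
class Filter:
    name: str
    terms: List[Term]
    counters: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, frame: Dict[str, str]) -> str:
        """Evaluate terms in order; the first matching term's action is final."""
        for term in self.terms:
            if term.matches(frame):
                if term.counter:
                    self.counters[term.counter] = self.counters.get(term.counter, 0) + 1
                return term.action
        return "discard"  # implicit final term: traffic not explicitly accepted is dropped


def switch_ingress(port_filter: Optional[Filter], vlan_filter: Optional[Filter],
                   frame: Dict[str, str]) -> str:
    """Ingress order on EX: input port filter first, then VLAN filter.
    A frame discarded by the port filter never reaches the VLAN filter (or its counters)."""
    for flt in (port_filter, vlan_filter):
        if flt is not None and flt.evaluate(frame) != "accept":
            return "discard"
    return "accept"


BPDU_MAC = "01:80:c2:00:00:00"   # IEEE 802.1D bridge group address (STP BPDUs)
USER_A_MAC = "00:26:88:02:74:86"


def case_study_filters():
    """limit-MAC-ge006 and block-dest-MAC-01:80:c2:00:00:00 as configured on the slides."""
    limit_mac_ge006 = Filter("limit-MAC-ge006", [
        Term("1", src_mac=USER_A_MAC, action="accept"),
        Term("2", action="discard", counter="ge006-invalid-MAC"),
    ])
    block_bpdu = Filter("block-dest-MAC-" + BPDU_MAC, [
        Term("1", dst_mac=BPDU_MAC, action="discard", counter="block-stp-bpdus"),
        Term("2", action="accept"),
    ])
    return limit_mac_ge006, block_bpdu


def run_case_study():
    port_filter, vlan_filter = case_study_filters()
    frames = [  # constructed frames arriving on ge-0/0/6 (VLAN v11)
        {"src": USER_A_MAC, "dst": "ff:ff:ff:ff:ff:ff"},    # User A ARP broadcast: permitted
        {"src": USER_A_MAC, "dst": BPDU_MAC},               # User A emits a BPDU: dropped by the VLAN filter
        {"src": "de:ad:be:ef:00:01", "dst": BPDU_MAC},      # unknown MAC: dropped at the port, VLAN filter never sees it
    ]
    verdicts = [switch_ingress(port_filter, vlan_filter, f) for f in frames]
    return verdicts, port_filter.counters, vlan_filter.counters


def misordered_bpdu_filter() -> Filter:
    """The same two terms with the catch-all accept first. Evaluation stops at the first
    terminating action, so the BPDU term is dead code: this is what 'ordering matters' means."""
    return Filter("block-dest-MAC-misordered", [
        Term("2", action="accept"),
        Term("1", dst_mac=BPDU_MAC, action="discard", counter="block-stp-bpdus"),
    ])


def implicit_discard_verdict() -> str:
    """limit-MAC-ge006 without its explicit term 2: the unlisted MAC is still dropped,
    only now silently, with no counter to prove it happened."""
    only_term_1 = Filter("limit-MAC-implicit", [Term("1", src_mac=USER_A_MAC, action="accept")])
    return only_term_1.evaluate({"src": "de:ad:be:ef:00:01", "dst": "ff:ff:ff:ff:ff:ff"})


if __name__ == "__main__":
    verdicts, port_counters, vlan_counters = run_case_study()
    print(verdicts, port_counters, vlan_counters)
    print(misordered_bpdu_filter().evaluate({"src": USER_A_MAC, "dst": BPDU_MAC}))
    print(implicit_discard_verdict())
```

Two things the model makes visible that the show firewall output does not: the third frame increments ge006-invalid-MAC but never touches block-stp-bpdus, because the port filter discarded it before the VLAN filter ran, so the two counters are not independent measurements of the same traffic; and with the accept term moved ahead of the BPDU term the filter commits cleanly, passes every BPDU, and its counter stays at zero, which is exactly why the slide tells you to use insert rather than append a term and hope.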


Summary

In this chapter, we:

• Described the storm control security feature
• Configured and monitored the storm control security feature
• Described firewall filter support for EX Series switches
• Implemented and monitored the effects of a firewall filter


Review Questions

1. What is a traffic storm and how is it created?
2. What actions can be taken when a storm control level is exceeded?
3. Which types of firewall filters are supported on EX Series switches? Where are they applied?


Lab 5: Storm Control and Firewall Filters

Implement the storm control security feature.
Configure and monitor firewall filters.