Junos Enterprise Switching Chapter 6: Device Security and Firewall Filters 2011 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services
Chapter Objectives After successfully completing this chapter, you will be able to: Describe the storm control security feature Configure and monitor the storm control security feature Describe firewall filter support for EX Series switches Implement and monitor the effects of a firewall filter www.juniper.net 6-2
Agenda: Device Security and Firewall Filters Storm Control Firewall Filters www.juniper.net 6-3
Traffic Storms Some traffic types, such as broadcast and unknown unicast, can continuously propagate through a LAN consuming resources and affecting performance User A initiates traffic to a destination MAC address not known or located in the network User A MAC: 00:26:88:02:74:86 Switch-1 Switch-2 User C MAC: 00:26:88:02:74:88 User B MAC: 00:26:88:02:74:87 Flood Traffic Storm Flood User D MAC: 00:26:88:02:74:89 Switch-3 Flood User E MAC: 00:26:88:02:74:90 User F MAC: 00:26:88:02:74:91 www.juniper.net 6-4
Introducing Storm Control Storm control monitors traffic levels and drops traffic when the threshold (storm control level) is exceeded Prevents traffic from proliferating and degrading the LAN Switch-1 Traffic Storm The storm control feature ensures traffic storms do not degrade LAN performance www.juniper.net 6-5
Storm Control Configuration Storm control is enabled by default on EX switches Default storm control level is 80 percent for all interfaces You can modify the default configuration settings at the [edit ethernet-switching-options] hierarchy {master:0[edit] user@switch-1# load factory-default warning: activating factory configuration Switch-1 {master:0[edit] user@switch-1# show ethernet-switching-options storm-control { interface all; Note: Using the default configuration, all broadcast, multicast, and unknown unicast traffic in excess of 80 percent is dropped. www.juniper.net 6-6
Changing the Default Configuration Before modifying the default configuration, monitor broadcast, multicast, and unknown unicast traffic levels in LAN under normal operating conditions Use benchmark data to determine acceptable traffic levels Configure storm control to set the level at which you want to drop broadcast traffic, multicast traffic, unknown unicast traffic, or all three. Is too high? Default Storm Control Level Is acceptable? Is too low? www.juniper.net 6-8
Storm Control Actions When the storm control level is exceeded, the switch can either drop offending traffic (default) or shut down the interface through which the traffic is passing {master:0[edit ethernet-switching-options] user@switch-1# show storm-control { interface all; Traffic is discarded Bit Bucket {master:0[edit ethernet-switching-options] user@switch-1# show storm-control { action-shutdown; interface all; Use the action-shutdown option to alter the default behavior Interface is disabled www.juniper.net 6-9
Automatic Error Condition Recovery By default, when the action-shutdown option is used and the storm control level is exceeded the interface is shut down until it is manually re-enabled Alternatively, you can automate error condition recovery using the port-error-disable option: {master:0[edit ethernet-switching-options] user@switch-1# show port-error-disable { disable-timeout 300; storm-control { action-shutdown; interface all; Specify a disable timeout value between 10 and 3600 seconds www.juniper.net 6-10
Monitoring Automatic Recovery You can monitor the automatic recovery process by: Using show ethernet-switching interfaces to view interface state details: {master:0 user@switch-1> show ethernet-switching interfaces Interface State VLAN members Tag Tagging Blocking ge-0/0/6.0 up v11 11 untagged unblocked ge-0/0/8.0 up v11 11 tagged unblocked ge-0/0/9.0 down v11 11 tagged Storm control in effect (00:03:57) remaining me0.0 up mgmt untagged unblocked Using show log messages to view violation details: {master:0 user@switch-1> show log messages match storm match ge-0/0/9 Jul 29 09:38:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port Jul 29 09:43:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port Interface was re-enabled after disable timeout period (5 minutes) www.juniper.net 6-11
Clearing Violations Manually Use clear ethernet-switching port-error interface to clear violations manually: {master:0 user@switch-1> show ethernet-switching interfaces Interface State VLAN members Tag Tagging Blocking ge-0/0/6.0 up v11 11 untagged unblocked ge-0/0/8.0 up v11 11 tagged unblocked ge-0/0/9.0 down v11 11 tagged Storm control in effect (00:04:17) remaining me0.0 up mgmt untagged unblocked {master:0 user@switch-1> clear ethernet-switching port-error interface ge-0/0/9 {master:0 user@switch-1> show ethernet-switching interfaces Interface State VLAN members Tag Tagging Blocking ge-0/0/6.0 up v11 11 untagged unblocked ge-0/0/8.0 up v11 11 tagged unblocked ge-0/0/9.0 up v11 11 tagged unblocked me0.0 up mgmt untagged unblocked www.juniper.net 6-12
Agenda: Device Security and Firewall Filters Storm Control Firewall Filters www.juniper.net 6-13
Firewall Filters: A Review Firewall filters control the traffic entering and leaving a networking device in a stateless fashion: Processes every packet independently Used to filter and monitor network traffic www.juniper.net 6-14
Firewall Filter Types Firewall filter types include: Filter Type Port-based VLAN-based Router-based Application Description Applied to Layer 2 switch ports in ingress and egress directions Applied to Layer 2 VLANs in the ingress and egress directions Applied to Layer 3 routed interfaces in ingress and egress directions {master:0[edit firewall] user@switch-1# edit family? Possible completions: > any Protocol-independent filter > ethernet-switching Protocol family Ethernet Switching for firewall filter > inet Protocol family IPv4 for firewall filter > inet6 Protocol family IPv6 for firewall filter Port-based and VLAN-based filters use family ethernet-switching option while routerbased filters use family inet or family inet6 depending on the traffic type www.juniper.net 6-15
Processing Order of Firewall Filters Processing order considerations: Ingress processing order is port, VLAN, then router Egress processing is performed in the reverse order A router-based filter applied to an RVI does not apply to switched packets in the same VLAN Router Filter Router Filter VLAN Filter VLAN Filter Port Filter Port Filter Rx Packet Input Tx Packet Output www.juniper.net 6-16
Building Blocks of Firewall Filters Firewall filters consist of one or more terms; the software evaluates terms sequentially until it reaches a terminating action from statements describe match conditions my-filter term firstterm from then match no match term secondterm from then match no match term Default discard User-defined filter and term names then statements describe the actions to take if a match with the from statement occurs Default action for packets not explicitly allowed Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command. www.juniper.net 6-17
Common Match Criteria Can match based on most header fields: Match conditions categories include: Numeric range Address Bit field The from statements describe match conditions term firstterm from then match www.juniper.net 6-18
Firewall Filter Actions Common actions in firewall filters: Terminating actions: accept discard reject Action modifiers: analyzer, count, log, and syslog forwarding-class and loss-priority policer term firstterm from then match The then statements describe actions to take Note: The software discards all traffic not explicitly allowed! www.juniper.net 6-20
Case Study: Topology and Objectives Objectives: Implement filters on the access ports so that only frames using the expected source MAC addresses are permitted Discard and count frames sourced from any other MAC addresses Implement a filter on both VLANs to block frames destined to MAC address 01:80:c2:00:00:00 Discard and count frames destined to the referenced MAC address User A - (VLAN: v11) 172.23.11.100/24 MAC: 00:26:88:02:74:86 Switch-1 Access ports User B - (VLAN: v12) 172.23.12.100/24 MAC: 00:26:88:02:74:87 www.juniper.net 6-21
Case Study: Configuring the Filters (1 of 2) {master:0[edit firewall family ethernet-switching] user@switch-1# show filter limit-mac-ge006 term 1 { from { source-mac-address { 00:26:88:02:74:86; then accept; term 2 { then { discard; count ge006-invalid-mac; {master:0[edit firewall family ethernet-switching] user@switch-1# show filter limit-mac-ge007 term 1 { from { source-mac-address { 00:26:88:02:74:87; then accept; term 2 { then { discard; count ge007-invalid-mac; User A - (VLAN: v11) 172.23.11.100/24 MAC: 00:26:88:02:74:86 Switch-1 Access ports User B - (VLAN: v12) 172.23.12.100/24 MAC: 00:26:88:02:74:87 www.juniper.net 6-22
Case Study: Configuring the Filters (2 of 2) {master:0[edit firewall family ethernet-switching] user@switch-1# show filter block-dest-mac-01:80:c2:00:00:00 term 1 { from { destination-mac-address { 01:80:c2:00:00:00; then { discard; count block-stp-bpdus; term 2 { then accept; User A - (VLAN: v11) 172.23.11.100/24 MAC: 00:26:88:02:74:86 Switch-1 Access ports User B - (VLAN: v12) 172.23.12.100/24 MAC: 00:26:88:02:74:87 www.juniper.net 6-23
Case Study: Applying the Filters (1 of 2) {master:0[edit interfaces] user@switch-1# show ge-0/0/6 unit 0 { family ethernet-switching { vlan { members v11; filter { input limit-mac-ge006; {master:0[edit interfaces] user@switch-1# show ge-0/0/7 unit 0 { family ethernet-switching { vlan { members v12; filter { input limit-mac-ge007; User A - (VLAN: v11) 172.23.11.100/24 MAC: 00:26:88:02:74:86 Switch-1 Access ports User B - (VLAN: v12) 172.23.12.100/24 MAC: 00:26:88:02:74:87 www.juniper.net 6-24
Case Study: Applying the Filters (2 of 2) {master:0[edit vlans] user@switch-1# show v11 { vlan-id 11; filter { input block-dest-mac-01:80:c2:00:00:00; l3-interface vlan.11; v12 { vlan-id 12; filter { input block-dest-mac-01:80:c2:00:00:00; l3-interface vlan.12; User A - (VLAN: v11) 172.23.11.100/24 MAC: 00:26:88:02:74:86 Switch-1 Access ports User B - (VLAN: v12) 172.23.12.100/24 MAC: 00:26:88:02:74:87 www.juniper.net 6-25
Case Study: Monitoring Firewall Filters {master:0 user@switch-1> show firewall Filter: block-dest-mac-01:80:c2:00:00:00 Counters: Name Bytes Packets block-stp-bpdus 472 7 Filter: limit-mac-ge006 Counters: Name Bytes Packets ge006-invalid-mac 1148 12 Filter: limit-mac-ge007 Counters: Name Bytes Packets ge007-invalid-mac 842 9 User A - (VLAN: v11) 172.23.11.100/24 MAC: 00:26:88:02:74:86 Switch-1 Access ports User B - (VLAN: v12) 172.23.12.100/24 MAC: 00:26:88:02:74:87 www.juniper.net 6-26
Summary In this chapter, we: Described the storm control security feature Configured and monitored the storm control security feature Described firewall filter support for EX Series switches Implemented and monitored the effects of a firewall filter www.juniper.net 6-27
Review Questions 1. What is a traffic storm and how is it created? 2. What actions can be taken when a storm control level is exceeded? 3. Which types of firewall filters are supported on EX Series switches? Where are they applied? www.juniper.net 6-28
Lab 5: Storm Control and Firewall Filters Implement the storm control security feature. Configure and monitor firewall filters. www.juniper.net 6-29
Worldwide Education Services