Junos Enterprise Switching

Chapter 6: Device Security and Firewall Filters
2011 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services

Chapter Objectives

After successfully completing this chapter, you will be able to:
- Describe the storm control security feature
- Configure and monitor the storm control security feature
- Describe firewall filter support for EX Series switches
- Implement and monitor the effects of a firewall filter

Agenda: Device Security and Firewall Filters
- Storm Control
- Firewall Filters

Traffic Storms

Some traffic types, such as broadcast and unknown unicast, can continuously propagate through a LAN, consuming resources and affecting performance.

[Diagram: User A (MAC 00:26:88:02:74:86) initiates traffic to a destination MAC address that is not known or located in the network; Switch-1, Switch-2 and Switch-3 each flood the frames toward User B through User F (MACs 00:26:88:02:74:87 to 00:26:88:02:74:91), producing a traffic storm.]

Introducing Storm Control

Storm control monitors traffic levels and drops traffic when the threshold (the storm control level) is exceeded. This prevents the traffic from proliferating and degrading the LAN.

[Diagram: a traffic storm arriving at Switch-1; the storm control feature ensures that traffic storms do not degrade LAN performance.]

Storm Control Configuration

Storm control is enabled by default on EX switches, and the default storm control level is 80 percent for all interfaces. You can modify the default settings at the [edit ethernet-switching-options] hierarchy.

    {master:0}[edit]
    user@switch-1# load factory-default
    warning: activating factory configuration

    {master:0}[edit]
    user@switch-1# show ethernet-switching-options
    storm-control {
        interface all;
    }

Note: Using the default configuration, all broadcast, multicast, and unknown unicast traffic in excess of 80 percent is dropped.

Changing the Default Configuration

Before modifying the default configuration, monitor broadcast, multicast, and unknown unicast traffic levels in the LAN under normal operating conditions, and use that benchmark data to determine acceptable traffic levels. Then configure storm control to set the level at which you want to drop broadcast traffic, multicast traffic, unknown unicast traffic, or all three.

[Flowchart: is the default storm control level too high, acceptable, or too low?]

Storm Control Actions

When the storm control level is exceeded, the switch can either drop the offending traffic (the default) or shut down the interface through which the traffic is passing.

Default behavior (excess traffic is discarded):

    {master:0}[edit ethernet-switching-options]
    user@switch-1# show
    storm-control {
        interface all;
    }

Use the action-shutdown option to alter the default behavior (the interface is disabled instead):

    {master:0}[edit ethernet-switching-options]
    user@switch-1# show
    storm-control {
        action-shutdown;
        interface all;
    }

Automatic Error Condition Recovery

By default, when the action-shutdown option is used and the storm control level is exceeded, the interface is shut down until it is manually re-enabled. Alternatively, you can automate error condition recovery using the port-error-disable option:

    {master:0}[edit ethernet-switching-options]
    user@switch-1# show
    port-error-disable {
        disable-timeout 300;
    }
    storm-control {
        action-shutdown;
        interface all;
    }

Specify a disable-timeout value between 10 and 3600 seconds.

Monitoring Automatic Recovery

You can monitor the automatic recovery process in two ways.

Using show ethernet-switching interfaces to view interface state details:

    {master:0}
    user@switch-1> show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    ge-0/0/6.0   up     v11           11   untagged  unblocked
    ge-0/0/8.0   up     v11           11   tagged    unblocked
    ge-0/0/9.0   down   v11           11   tagged    Storm control in effect (00:03:57) remaining
    me0.0        up     mgmt               untagged  unblocked

Using show log messages to view violation details:

    {master:0}
    user@switch-1> show log messages | match storm | match ge-0/0/9
    Jul 29 09:38:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
    Jul 29 09:43:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port

The interface was re-enabled after the disable timeout period (5 minutes).

Clearing Violations Manually

Use clear ethernet-switching port-error interface to clear violations manually:

    {master:0}
    user@switch-1> show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    ge-0/0/6.0   up     v11           11   untagged  unblocked
    ge-0/0/8.0   up     v11           11   tagged    unblocked
    ge-0/0/9.0   down   v11           11   tagged    Storm control in effect (00:04:17) remaining
    me0.0        up     mgmt               untagged  unblocked

    {master:0}
    user@switch-1> clear ethernet-switching port-error interface ge-0/0/9

    {master:0}
    user@switch-1> show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    ge-0/0/6.0   up     v11           11   untagged  unblocked
    ge-0/0/8.0   up     v11           11   tagged    unblocked
    ge-0/0/9.0   up     v11           11   tagged    unblocked
    me0.0        up     mgmt               untagged  unblocked
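The two monitoring slides above show the eswd messages a storm-control shutdown and its recovery produce. As an added example that is not part of the course material, the script below parses a constructed sample of such messages, pairs each ESWD_ST_CTL_ERROR_DISABLED with its ESWD_ST_CTL_ERROR_ENABLED, and flags ports that came back sooner than the configured disable-timeout (which points to a manual clear ethernet-switching port-error rather than the timer) or that are still disabled. The sample log and the 300-second timeout are assumptions taken from the slides, not live switch output.

```python
import re
from datetime import datetime

# Constructed sample modelled on the eswd messages shown above (not a live log):
# one timer-driven recovery, one manual clear, and one port still disabled.
SAMPLE_LOG = """\
Jul 29 09:38:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
Jul 29 09:43:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port
Jul 29 10:02:10 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
Jul 29 10:03:15 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port
Jul 29 10:20:00 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/7.0: storm control disabled port
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ eswd\[\d+\]: "
    r"ESWD_ST_CTL_ERROR_(?P<state>DISABLED|ENABLED): (?P<ifl>\S+): storm control"
)

def parse_storm_events(text, year=2011):
    """Yield (timestamp, interface, state) for each eswd storm-control message.
    Syslog lines carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ifl"], m["state"]

def storm_control_report(text, disable_timeout=300):
    """Pair DISABLED/ENABLED events per interface.
    Returns interface -> {"shutdowns", "early_recovery", "still_disabled"}.
    A recovery faster than disable-timeout was not the timer: someone ran
    clear ethernet-switching port-error, which is worth auditing."""
    report, pending = {}, {}
    for ts, ifl, state in parse_storm_events(text):
        entry = report.setdefault(
            ifl, {"shutdowns": 0, "early_recovery": [], "still_disabled": False})
        if state == "DISABLED":
            entry["shutdowns"] += 1
            entry["still_disabled"] = True
            pending[ifl] = ts
        elif ifl in pending:
            elapsed = int((ts - pending.pop(ifl)).total_seconds())
            entry["still_disabled"] = False
            if elapsed < disable_timeout:
                entry["early_recovery"].append(elapsed)
    return report
```

Feed it the output of show log messages | match storm saved to a file; a port with repeated shutdowns is a candidate for lowering its storm control level rather than clearing it by hand.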

Agenda: Device Security and Firewall Filters
- Storm Control
- Firewall Filters (this section)

Firewall Filters: A Review

Firewall filters control the traffic entering and leaving a networking device in a stateless fashion:
- Every packet is processed independently
- Filters are used to filter and monitor network traffic

Firewall Filter Types

Firewall filter types include:

    Filter Type    Application Description
    Port-based     Applied to Layer 2 switch ports in the ingress and egress directions
    VLAN-based     Applied to Layer 2 VLANs in the ingress and egress directions
    Router-based   Applied to Layer 3 routed interfaces in the ingress and egress directions

    {master:0}[edit firewall]
    user@switch-1# edit family ?
    Possible completions:
    > any                  Protocol-independent filter
    > ethernet-switching   Protocol family Ethernet Switching for firewall filter
    > inet                 Protocol family IPv4 for firewall filter
    > inet6                Protocol family IPv6 for firewall filter

Port-based and VLAN-based filters use the family ethernet-switching option, while router-based filters use family inet or family inet6 depending on the traffic type.

Processing Order of Firewall Filters

Processing order considerations:
- Ingress processing order is port, VLAN, then router
- Egress processing is performed in the reverse order (router, VLAN, then port)
- A router-based filter applied to an RVI does not apply to switched packets in the same VLAN

[Diagram: a received packet (Rx) passes the port filter, then the VLAN filter, then the router filter on input; a transmitted packet (Tx) passes the router filter, then the VLAN filter, then the port filter on output.]

Building Blocks of Firewall Filters

Firewall filters consist of one or more terms; the software evaluates terms sequentially until it reaches a terminating action.
- Filter and term names are user-defined
- from statements describe match conditions
- then statements describe the actions to take if a match with the from statement occurs
- The default action for packets not explicitly allowed is discard

[Diagram: my-filter contains term firstterm (from, then) and term secondterm (from, then). A packet that matches a term's from statement takes that term's then action; a packet that does not match falls through to the next term; a packet that matches no term hits the default discard.]

Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command.

Common Match Criteria

Firewall filters can match on most header fields. Match condition categories include:
- Numeric range
- Address
- Bit field

[Diagram: in term firstterm, the from statement describes the match conditions.]

Firewall Filter Actions

Common actions in firewall filters:
- Terminating actions: accept, discard, reject
- Action modifiers: analyzer, count, log, and syslog; forwarding-class and loss-priority; policer

[Diagram: in term firstterm, the then statement describes the actions to take.]

Note: The software discards all traffic not explicitly allowed!

Case Study: Topology and Objectives

Objectives:
- Implement filters on the access ports so that only frames using the expected source MAC addresses are permitted; discard and count frames sourced from any other MAC addresses
- Implement a filter on both VLANs to block frames destined to MAC address 01:80:c2:00:00:00; discard and count frames destined to the referenced MAC address

[Topology: Switch-1 with two access ports. User A is in VLAN v11 with address 172.23.11.100/24 and MAC 00:26:88:02:74:86; User B is in VLAN v12 with address 172.23.12.100/24 and MAC 00:26:88:02:74:87.]

Case Study: Configuring the Filters (1 of 2)

    {master:0}[edit firewall family ethernet-switching]
    user@switch-1# show filter limit-mac-ge006
    term 1 {
        from {
            source-mac-address {
                00:26:88:02:74:86;
            }
        }
        then accept;
    }
    term 2 {
        then {
            discard;
            count ge006-invalid-mac;
        }
    }

    {master:0}[edit firewall family ethernet-switching]
    user@switch-1# show filter limit-mac-ge007
    term 1 {
        from {
            source-mac-address {
                00:26:88:02:74:87;
            }
        }
        then accept;
    }
    term 2 {
        then {
            discard;
            count ge007-invalid-mac;
        }
    }

Case Study: Configuring the Filters (2 of 2)

    {master:0}[edit firewall family ethernet-switching]
    user@switch-1# show filter block-dest-mac-01:80:c2:00:00:00
    term 1 {
        from {
            destination-mac-address {
                01:80:c2:00:00:00;
            }
        }
        then {
            discard;
            count block-stp-bpdus;
        }
    }
    term 2 {
        then accept;
    }

Case Study: Applying the Filters (1 of 2)

    {master:0}[edit interfaces]
    user@switch-1# show ge-0/0/6
    unit 0 {
        family ethernet-switching {
            vlan {
                members v11;
            }
            filter {
                input limit-mac-ge006;
            }
        }
    }

    {master:0}[edit interfaces]
    user@switch-1# show ge-0/0/7
    unit 0 {
        family ethernet-switching {
            vlan {
                members v12;
            }
            filter {
                input limit-mac-ge007;
            }
        }
    }

Case Study: Applying the Filters (2 of 2)

    {master:0}[edit vlans]
    user@switch-1# show
    v11 {
        vlan-id 11;
        filter {
            input block-dest-mac-01:80:c2:00:00:00;
        }
        l3-interface vlan.11;
    }
    v12 {
        vlan-id 12;
        filter {
            input block-dest-mac-01:80:c2:00:00:00;
        }
        l3-interface vlan.12;
    }

Case Study: Monitoring Firewall Filters

    {master:0}
    user@switch-1> show firewall

    Filter: block-dest-mac-01:80:c2:00:00:00
    Counters:
    Name                          Bytes      Packets
    block-stp-bpdus                 472            7

    Filter: limit-mac-ge006
    Counters:
    Name                          Bytes      Packets
    ge006-invalid-mac              1148           12

    Filter: limit-mac-ge007
    Counters:
    Name                          Bytes      Packets
    ge007-invalid-mac               842            9
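To make the term-evaluation rules (sequential terms, first match wins, count modifiers, implicit discard) and the port-then-VLAN ingress order concrete, here is an added example that is not part of the course material: a small Python model of the three case study filters, applied exactly as on the slides, run over three constructed frames. The frame contents and lengths are assumptions; the filter names, terms and counter names are the case study's own. The model covers only the port and VLAN ingress path, not router-based filters on an RVI.

```python
from collections import defaultdict

# The case study's three filters as ordered term lists. A term with an empty
# "from" matches every frame, like term 2 of limit-mac-ge006.
FILTERS = {
    "limit-mac-ge006": [
        {"from": {"source-mac-address": "00:26:88:02:74:86"}, "then": {"accept": True}},
        {"from": {}, "then": {"discard": True, "count": "ge006-invalid-mac"}}],
    "limit-mac-ge007": [
        {"from": {"source-mac-address": "00:26:88:02:74:87"}, "then": {"accept": True}},
        {"from": {}, "then": {"discard": True, "count": "ge007-invalid-mac"}}],
    "block-dest-mac-01:80:c2:00:00:00": [
        {"from": {"destination-mac-address": "01:80:c2:00:00:00"},
         "then": {"discard": True, "count": "block-stp-bpdus"}},
        {"from": {}, "then": {"accept": True}}],
}
# Per access port: (input filter, VLAN); the VLAN input filter is shared by v11 and v12.
PORTS = {"ge-0/0/6": ("limit-mac-ge006", "v11"), "ge-0/0/7": ("limit-mac-ge007", "v12")}
VLAN_FILTER = {"v11": "block-dest-mac-01:80:c2:00:00:00", "v12": "block-dest-mac-01:80:c2:00:00:00"}
# Constructed frames: User A, a spoofed source on ge-0/0/6, and a BPDU from User B.
FRAMES = [
    {"port": "ge-0/0/6", "source-mac-address": "00:26:88:02:74:86",
     "destination-mac-address": "ff:ff:ff:ff:ff:ff", "length": 64},
    {"port": "ge-0/0/6", "source-mac-address": "00:26:88:02:74:99",
     "destination-mac-address": "ff:ff:ff:ff:ff:ff", "length": 96},
    {"port": "ge-0/0/7", "source-mac-address": "00:26:88:02:74:87",
     "destination-mac-address": "01:80:c2:00:00:00", "length": 60},
]
def run_filter(terms, frame, counters):
    """First term whose from conditions all match decides; count fires on that
    term; a frame matching no term hits the implicit end-of-filter discard."""
    for term in terms:
        if all(frame.get(f) == v for f, v in term["from"].items()):
            name = term["then"].get("count")
            if name:  # count modifier: bytes and packets, as 'show firewall' reports
                counters[name]["packets"] += 1
                counters[name]["bytes"] += frame["length"]
            return "accept" if term["then"].get("accept") else "discard"
    return "discard"
def ingress(frame, counters):
    """Ingress order on EX: port filter, then VLAN filter; a frame discarded by
    the port filter never reaches the VLAN filter."""
    port_filter, vlan = PORTS[frame["port"]]
    if run_filter(FILTERS[port_filter], frame, counters) == "discard":
        return "discard"
    return run_filter(FILTERS[VLAN_FILTER[vlan]], frame, counters)
def simulate(frames):
    """Return per-frame verdicts and the counters 'show firewall' would show."""
    counters = defaultdict(lambda: {"bytes": 0, "packets": 0})
    return [ingress(fr, counters) for fr in frames], dict(counters)
```

Reordering the two terms of limit-mac-ge006 in FILTERS makes every frame hit the match-all term first, which is the ordering mistake the insert command on the building-blocks slide exists to fix.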

Summary

In this chapter, we:
- Described the storm control security feature
- Configured and monitored the storm control security feature
- Described firewall filter support for EX Series switches
- Implemented and monitored the effects of a firewall filter

Review Questions

1. What is a traffic storm and how is it created?
2. What actions can be taken when a storm control level is exceeded?
3. Which types of firewall filters are supported on EX Series switches? Where are they applied?

Lab 5: Storm Control and Firewall Filters

- Implement the storm control security feature.
- Configure and monitor firewall filters.
