© 2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter 6: Device Security and Firewall Filters
Junos Enterprise Switching
Chapter Objectives
After successfully completing this chapter, you will be able to:
•Describe the storm control security feature
•Configure and monitor the storm control security feature
•Describe firewall filter support for EX Series switches
•Implement and monitor the effects of a firewall filter
Agenda: Device Security and Firewall Filters
Storm Control
Firewall Filters
Traffic Storms
Some traffic types, such as broadcast and unknown unicast, can continuously propagate through a LAN, consuming resources and affecting performance.
[Figure: Switch-1, Switch-2 and Switch-3 connecting Users A through F (MACs 00:26:88:02:74:86 to 00:26:88:02:74:91). User A initiates traffic to a destination MAC address not known or located in the network; each switch floods the frames, producing a traffic storm.]
Introducing Storm Control
Storm control monitors traffic levels and drops traffic when the threshold (storm control level) is exceeded
•Prevents traffic from proliferating and degrading the LAN
[Figure: the traffic storm arriving at Switch-1 is contained by storm control.]
The storm control feature ensures traffic storms do not degrade LAN performance
Storm Control Configuration
Storm control is enabled by default on EX switches
•Default storm control level is 80 percent for all interfaces
•You can modify the default configuration settings at the [edit ethernet-switching-options] hierarchy
{master:0}[edit]
user@Switch-1# load factory-default
warning: activating factory configuration
{master:0}[edit]
user@Switch-1# show ethernet-switching-options
storm-control {
    interface all;
}
Note: Using the default configuration, all broadcast, multicast, and unknown unicast traffic in excess of 80 percent is dropped.
Changing the Default Configuration
Before modifying the default configuration, monitor broadcast, multicast, and unknown unicast traffic levels in the LAN under normal operating conditions
•Use benchmark data to determine acceptable traffic levels
•Configure storm control to set the level at which you want to drop broadcast traffic, multicast traffic, unknown unicast traffic, or all three.
[Figure: decision flow after benchmarking: is the default storm control level acceptable, too high, or too low?]
Storm Control Actions
When the storm control level is exceeded, the switch can either drop offending traffic (default) or shut down the interface through which the traffic is passing
{master:0}[edit ethernet-switching-options]
user@Switch-1# show
storm-control {
    interface all;
}
{master:0}[edit ethernet-switching-options]
user@Switch-1# show
storm-control {
    action-shutdown;
    interface all;
}
[Figure: with the default action, the offending traffic is discarded (bit bucket); with action-shutdown, the interface is disabled.]
Use the action-shutdown option to alter the default behavior
Automatic Error Condition Recovery
By default, when the action-shutdown option is used and the storm control level is exceeded, the interface is shut down until it is manually re-enabled
Alternatively, you can automate error condition recovery using the port-error-disable option:
{master:0}[edit ethernet-switching-options]
user@Switch-1# show
port-error-disable {
    disable-timeout 300;
}
storm-control {
    action-shutdown;
    interface all;
}
Specify a disable timeout value between 10 and 3600 seconds
Monitoring Automatic Recovery
You can monitor the automatic recovery process by:
•Using show ethernet-switching interfaces to view interface state details:
•Using show log messages to view violation details:
{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface State VLAN members Tag Tagging Blocking
ge-0/0/6.0 up v11 11 untagged unblocked
ge-0/0/8.0 up v11 11 tagged unblocked
ge-0/0/9.0 down v11 11 tagged Storm control in effect
(00:03:57) remaining
me0.0 up mgmt untagged unblocked
{master:0}
user@Switch-1> show log messages | match storm | match ge-0/0/9
Jul 29 09:38:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control
disabled port
Jul 29 09:43:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control
enabled port
Interface was re-enabled after disable timeout period (5 minutes)
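The recovery cycle above can be verified from the syslog alone. The following Python helper, added here as an example and not part of the Juniper courseware, parses ESWD_ST_CTL_ERROR_DISABLED and ESWD_ST_CTL_ERROR_ENABLED messages (the sample lines are constructed in the shape shown on the slide; the year is assumed because syslog timestamps omit it) and reports how long each interface stayed disabled, flagging ports that have not recovered and outages that do not match the configured disable-timeout:

```python
import re
from datetime import datetime

# Constructed sample, shaped like the eswd messages shown on the slide.
SAMPLE_LOG = """\
Jul 29 09:38:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/9.0: storm control disabled port
Jul 29 09:40:01 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_DISABLED: ge-0/0/8.0: storm control disabled port
Jul 29 09:43:23 Switch-1 eswd[856]: ESWD_ST_CTL_ERROR_ENABLED: ge-0/0/9.0: storm control enabled port
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ eswd\[\d+\]: "
    r"ESWD_ST_CTL_ERROR_(?P<event>DISABLED|ENABLED): (?P<ifl>\S+): storm control"
)

def parse_storm_events(text, year=2011):
    """Yield (timestamp, event, interface) for each storm control message; year is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("event"), m.group("ifl")

def summarize_outages(text, disable_timeout=300):
    """Pair DISABLED/ENABLED events per interface and compare against disable-timeout."""
    disabled_at, result = {}, {}
    for ts, event, ifl in parse_storm_events(text):
        if event == "DISABLED":
            disabled_at[ifl] = ts
            result[ifl] = {"disabled_s": None, "recovered": False, "matches_timeout": False}
        elif event == "ENABLED" and ifl in disabled_at:
            secs = int((ts - disabled_at.pop(ifl)).total_seconds())
            result[ifl] = {"disabled_s": secs, "recovered": True,
                           "matches_timeout": secs == disable_timeout}
    return result  # ge-0/0/9.0 recovered after 300 s; ge-0/0/8.0 is still disabled
```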
Clearing Violations Manually
Use clear ethernet-switching port-error interface to clear violations manually:
{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface State VLAN members Tag Tagging Blocking
ge-0/0/6.0 up v11 11 untagged unblocked
ge-0/0/8.0 up v11 11 tagged unblocked
ge-0/0/9.0 down v11 11 tagged Storm control in effect
(00:04:17) remaining
me0.0 up mgmt untagged unblocked
{master:0}
user@Switch-1> clear ethernet-switching port-error interface ge-0/0/9
{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface State VLAN members Tag Tagging Blocking
ge-0/0/6.0 up v11 11 untagged unblocked
ge-0/0/8.0 up v11 11 tagged unblocked
ge-0/0/9.0 up v11 11 tagged unblocked
me0.0 up mgmt untagged unblocked
Agenda: Device Security and Firewall Filters
Storm Control
Firewall Filters
Firewall Filters: A Review
Firewall filters control the traffic entering and leaving a networking device in a stateless fashion:
•Processes every packet independently
•Used to filter and monitor network traffic
Firewall Filter Types
Firewall filter types include:
  Filter Type    Application Description
  Port-based     Applied to Layer 2 switch ports in the ingress and egress directions
  VLAN-based     Applied to Layer 2 VLANs in the ingress and egress directions
  Router-based   Applied to Layer 3 routed interfaces in the ingress and egress directions
{master:0}[edit firewall]
user@Switch-1# edit family ?
Possible completions:
> any                  Protocol-independent filter
> ethernet-switching   Protocol family Ethernet Switching for firewall filter
> inet                 Protocol family IPv4 for firewall filter
> inet6                Protocol family IPv6 for firewall filter
Port-based and VLAN-based filters use the family ethernet-switching option, while router-based filters use family inet or family inet6 depending on the traffic type
Processing Order of Firewall Filters
Processing order considerations:
•Ingress processing order is port, VLAN, then router
•Egress processing is performed in the reverse order
•A router-based filter applied to an RVI does not apply to switched packets in the same VLAN
[Figure: Rx packet -> input port filter -> VLAN filter -> router filter; router filter -> VLAN filter -> output port filter -> Tx packet.]
Building Blocks of Firewall Filters
Firewall filters consist of one or more terms; the software evaluates terms sequentially until it reaches a terminating action.
•from statements describe match conditions
•then statements describe the actions to take if a match with the from statement occurs
•Filter and term names are user-defined
•The default action for packets not explicitly allowed is discard
[Figure: filter my-filter with terms firstterm, secondterm and Default; each term's from clause is tested, no match moves evaluation to the next term, a match triggers that term's then action, and the Default term discards.]
Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command.
Common Match Criteria
The from statements describe match conditions and can match based on most header fields.
Match condition categories include:
•Numeric range
•Address
•Bit field
Firewall Filter Actions
The then statements describe actions to take. Common actions in firewall filters:
•Terminating actions:
• accept
• discard
• reject
•Action modifiers:
• analyzer, count, log, and syslog
• forwarding-class and loss-priority
• policer
Note: The software discards all traffic not explicitly allowed!
Case Study: Topology and Objectives
Objectives:
•Implement filters on the access ports so that only frames using the expected source MAC addresses are permitted
• Discard and count frames sourced from any other MAC addresses
•Implement a filter on both VLANs to block frames destined to MAC address 01:80:c2:00:00:00
• Discard and count frames destined to the referenced MAC address
[Figure: Switch-1 with two access ports. User A is in VLAN v11 with address 172.23.11.100/24 and MAC 00:26:88:02:74:86; User B is in VLAN v12 with address 172.23.12.100/24 and MAC 00:26:88:02:74:87.]
Case Study: Configuring the Filters (1 of 2)
{master:0}[edit firewall family ethernet-switching]
user@Switch-1# show filter limit-MAC-ge006
term 1 {
    from {
        source-mac-address {
            00:26:88:02:74:86;
        }
    }
    then accept;
}
term 2 {
    then {
        discard;
        count ge006-invalid-MAC;
    }
}
{master:0}[edit firewall family ethernet-switching]
user@Switch-1# show filter limit-MAC-ge007
term 1 {
    from {
        source-mac-address {
            00:26:88:02:74:87;
        }
    }
    then accept;
}
term 2 {
    then {
        discard;
        count ge007-invalid-MAC;
    }
}
Case Study: Configuring the Filters (2 of 2)
{master:0}[edit firewall family ethernet-switching]
user@Switch-1# show filter block-dest-MAC-01:80:c2:00:00:00
term 1 {
    from {
        destination-mac-address {
            01:80:c2:00:00:00;
        }
    }
    then {
        discard;
        count block-stp-bpdus;
    }
}
term 2 {
    then accept;
}
Case Study: Applying the Filters (1 of 2)
{master:0}[edit interfaces]
user@Switch-1# show ge-0/0/6
unit 0 {
    family ethernet-switching {
        vlan {
            members v11;
        }
        filter {
            input limit-MAC-ge006;
        }
    }
}
{master:0}[edit interfaces]
user@Switch-1# show ge-0/0/7
unit 0 {
    family ethernet-switching {
        vlan {
            members v12;
        }
        filter {
            input limit-MAC-ge007;
        }
    }
}
Case Study: Applying the Filters (2 of 2)
{master:0}[edit vlans]
user@Switch-1# show
v11 {
    vlan-id 11;
    filter {
        input block-dest-MAC-01:80:c2:00:00:00;
    }
    l3-interface vlan.11;
}
v12 {
    vlan-id 12;
    filter {
        input block-dest-MAC-01:80:c2:00:00:00;
    }
    l3-interface vlan.12;
}
Case Study: Monitoring Firewall Filters
{master:0}
user@Switch-1> show firewall
Filter: block-dest-MAC-01:80:c2:00:00:00
Counters:
Name Bytes Packets
block-stp-bpdus 472 7
Filter: limit-MAC-ge006
Counters:
Name Bytes Packets
ge006-invalid-MAC 1148 12
Filter: limit-MAC-ge007
Counters:
Name Bytes Packets
ge007-invalid-MAC 842 9
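As an added example that is not part of the courseware, the following Python model reproduces how the case study filters from the preceding slides are evaluated, and also illustrates the term-evaluation and processing-order rules from the Building Blocks and Processing Order slides: terms are checked in order, the first match terminates, anything not explicitly accepted is discarded, and on ingress the port filter runs before the VLAN filter, with counters accumulating the way show firewall displays them. The frames are constructed; 00:26:88:02:74:99 is an assumed unexpected source address on User A's port.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Term:
    action: str                        # terminating action: "accept" or "discard"
    source_mac: Optional[str] = None   # from source-mac-address
    dest_mac: Optional[str] = None     # from destination-mac-address
    counter: Optional[str] = None      # then count <name>
    def matches(self, frame):  # a term without a from clause matches every frame
        return ((self.source_mac is None or frame["src"] == self.source_mac)
                and (self.dest_mac is None or frame["dst"] == self.dest_mac))

@dataclass
class Filter:
    name: str
    terms: list
    counters: dict = field(default_factory=dict)  # counter name -> [bytes, packets]
    def evaluate(self, frame):  # terms run in order; the first match terminates
        for term in self.terms:
            if term.matches(frame):
                if term.counter:
                    c = self.counters.setdefault(term.counter, [0, 0])
                    c[0], c[1] = c[0] + frame["len"], c[1] + 1
                return term.action
        return "discard"  # implicit final term: anything not accepted is discarded

def build_filters():  # case study filters transcribed from the slides, counters zeroed
    port = Filter("limit-MAC-ge006", [Term("accept", source_mac="00:26:88:02:74:86"),
                                      Term("discard", counter="ge006-invalid-MAC")])
    vlan = Filter("block-dest-MAC-01:80:c2:00:00:00", [
        Term("discard", dest_mac="01:80:c2:00:00:00", counter="block-stp-bpdus"), Term("accept")])
    return port, vlan

def ingress(frame, port_filter, vlan_filter):  # ingress order: port filter, then VLAN filter
    for f in (port_filter, vlan_filter):
        if f.evaluate(frame) == "discard":  # a discard ends processing
            return "discard"
    return "accept"

# Constructed frames arriving on ge-0/0/6 (User A's access port, VLAN v11).
FRAMES = [
    {"src": "00:26:88:02:74:86", "dst": "ff:ff:ff:ff:ff:ff", "len": 64},  # User A broadcast
    {"src": "00:26:88:02:74:99", "dst": "ff:ff:ff:ff:ff:ff", "len": 96},  # unexpected source MAC
    {"src": "00:26:88:02:74:86", "dst": "01:80:c2:00:00:00", "len": 60},  # BPDU from User A
]
def run_case_study(frames=FRAMES):  # per-frame verdicts plus show firewall style counters
    port, vlan = build_filters()
    verdicts = [ingress(fr, port, vlan) for fr in frames]
    return verdicts, {f.name: dict(f.counters) for f in (port, vlan)}
```

The second frame is dropped by the port filter and never reaches the VLAN filter, so only the port counter records it.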
Summary
In this chapter, we:
•Described the storm control security feature
•Configured and monitored the storm control security feature
•Described firewall filter support for EX Series switches
•Implemented and monitored the effects of a firewall filter
Review Questions
1. What is a traffic storm and how is it created?
2. What actions can be taken when a storm control level is exceeded?
3. Which types of firewall filters are supported on EX Series switches? Where are they applied?
Lab 5: Storm Control and Firewall Filters
Implement the storm control security feature.
Configure and monitor firewall filters.