示例:配置单播 RPF(在路由器上)
此示例说明如何在客户边缘接口上配置单播 RPF 以过滤传入流量,从而帮助保护入口接口免受拒绝服务 (DoS) 和分布式拒绝服务 (DDoS) 攻击。
要求
除了设备初始化之外,不需要特殊配置。
概述
在此示例中,设备 A 使用 OSPF 为连接到设备 D 的链路通告前缀。设备 B 配置了单播 RPF。在设备 B 和设备 C 之间的链路以及设备 A 和设备 C 之间的链路上启用 OSPF,但在设备 A 和设备 B 之间的链路上未启用。因此,设备 B 通过设备 C 了解到设备 D 的路由。
如果在使用 DHCP 或 BOOTP 的环境中使用入口过滤,则应确保允许源地址为 0.0.0.0 且目标地址为 255.255.255.255 的数据包在适当时到达路由器中的中继代理。
此示例还包括一个故障筛选器。当数据包未通过单播 RPF 检查时,将评估故障过滤器以确定是否仍应接受该数据包。此示例中的故障过滤器允许设备 B 的接口接受动态主机配置协议 (DHCP) 数据包。过滤器接受源地址为 0.0.0.0、目标地址为 255.255.255.255 的所有数据包。
配置
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改与您的网络配置匹配所需的任何详细信息,然后将命令复制并粘贴到层次结构级别的 CLI [edit]
中。
设备 A
set interfaces fe-1/2/0 unit 1 family inet address 10.0.0.1/30 set interfaces fe-0/0/2 unit 5 family inet address 10.0.0.5/30 set interfaces fe-0/0/1 unit 17 family inet address 10.0.0.17/30 set interfaces fe-0/1/1 unit 25 family inet address 10.0.0.25/30 set interfaces fe-1/1/1 unit 29 family inet address 10.0.0.29/30 set protocols ospf export send-direct set protocols ospf area 0.0.0.0 interface fe-0/1/1.25 set protocols ospf area 0.0.0.0 interface fe-1/1/1.29 set policy-options policy-statement send-direct from protocol direct set policy-options policy-statement send-direct from route-filter 10.0.0.16/30 exact set policy-options policy-statement send-direct then accept
设备 B
set interfaces fe-1/2/0 unit 2 family inet rpf-check fail-filter rpf-special-case-dhcp set interfaces fe-1/2/0 unit 2 family inet address 10.0.0.2/30 set interfaces fe-1/1/1 unit 6 family inet rpf-check fail-filter rpf-special-case-dhcp set interfaces fe-1/1/1 unit 6 family inet address 10.0.0.6/30 set interfaces fe-0/1/1 unit 9 family inet rpf-check fail-filter rpf-special-case-dhcp set interfaces fe-0/1/1 unit 9 family inet address 10.0.0.9/30 set interfaces fe-0/1/0 unit 13 family inet rpf-check fail-filter rpf-special-case-dhcp set interfaces fe-0/1/0 unit 13 family inet address 10.0.0.13/30 set protocols ospf area 0.0.0.0 interface fe-0/1/1.9 set protocols ospf area 0.0.0.0 interface fe-0/1/0.13 set routing-options forwarding-table unicast-reverse-path active-paths set firewall filter rpf-special-case-dhcp term allow-dhcp from source-address 0.0.0.0/32 set firewall filter rpf-special-case-dhcp term allow-dhcp from destination-address 255.255.255.255/32 set firewall filter rpf-special-case-dhcp term allow-dhcp then count rpf-dhcp-traffic set firewall filter rpf-special-case-dhcp term allow-dhcp then accept set firewall filter rpf-special-case-dhcp term default then log set firewall filter rpf-special-case-dhcp term default then reject
设备 C
set interfaces fe-1/2/0 unit 10 family inet address 10.0.0.10/30 set interfaces fe-0/0/2 unit 14 family inet address 10.0.0.14/30 set interfaces fe-1/0/2 unit 21 family inet address 10.0.0.21/30 set interfaces fe-1/2/2 unit 26 family inet address 10.0.0.26/30 set interfaces fe-1/2/1 unit 30 family inet address 10.0.0.30/30 set protocols ospf area 0.0.0.0 interface fe-1/2/0.10 set protocols ospf area 0.0.0.0 interface fe-0/0/2.14 set protocols ospf area 0.0.0.0 interface fe-1/2/2.26 set protocols ospf area 0.0.0.0 interface fe-1/2/1.30
设备 D
set interfaces fe-1/2/0 unit 18 family inet address 10.0.0.18/30
设备 E
set interfaces fe-1/2/0 unit 22 family inet address 10.0.0.22/30
配置设备 A
分步过程
以下示例要求您在配置层次结构中导航各个级别。有关导航 CLI 的信息,请参阅 在配置模式下使用 CLI 编辑器。
要配置设备 A:
配置接口。
[edit interfaces] user@A# set fe-1/2/0 unit 1 family inet address 10.0.0.1/30 user@A# set fe-0/0/2 unit 5 family inet address 10.0.0.5/30 user@A# set fe-0/0/1 unit 17 family inet address 10.0.0.17/30 user@A# set fe-0/1/1 unit 25 family inet address 10.0.0.25/30 user@A# set fe-1/1/1 unit 29 family inet address 10.0.0.29/30
配置 OSPF。
[edit protocols ospf] user@A# set export send-direct user@A# set area 0.0.0.0 interface fe-0/1/1.25 user@A# set area 0.0.0.0 interface fe-1/1/1.29
配置路由策略。
[edit policy-options policy-statement send-direct] user@A# set from protocol direct user@A# set from route-filter 10.0.0.16/30 exact user@A# set then accept
如果已完成设备 A 的配置,请提交配置。
[edit] user@A# commit
配置设备 B
分步过程
以下示例要求您在配置层次结构中导航各个级别。有关导航 CLI 的信息,请参阅 在配置模式下使用 CLI 编辑器。
要配置设备 B:
配置接口。
[edit interfaces] user@B# set fe-1/2/0 unit 2 family inet address 10.0.0.2/30 user@B# set fe-1/1/1 unit 6 family inet address 10.0.0.6/30 user@B# set fe-0/1/1 unit 9 family inet address 10.0.0.9/30 user@B# set fe-0/1/0 unit 13 family inet address 10.0.0.13/30
配置 OSPF。
[edit protocols ospf area 0.0.0.0] user@B# set interface fe-0/1/1.9 user@B# set interface fe-0/1/0.13
配置单播 RPF,并应用可选的故障过滤器。
[edit interfaces] user@B# set fe-1/2/0 unit 2 family inet rpf-check fail-filter rpf-special-case-dhcp user@B# set fe-1/1/1 unit 6 family inet rpf-check fail-filter rpf-special-case-dhcp user@B# set fe-0/1/1 unit 9 family inet rpf-check fail-filter rpf-special-case-dhcp user@B# set fe-0/1/0 unit 13 family inet rpf-check fail-filter rpf-special-case-dhcp
(可选)配置在数据包未通过 RPF 检查时进行评估的故障过滤器。
[edit firewall filter rpf-special-case-dhcp] user@B# set term allow-dhcp from source-address 0.0.0.0/32 user@B# set term allow-dhcp from destination-address 255.255.255.255/32 user@B# set term allow-dhcp then count rpf-dhcp-traffic user@B# set term allow-dhcp then accept user@B# set term default then log user@B# set term default then reject
(可选)仅配置要在 RPF 检查中考虑的活动路径。
这是默认行为。
[edit routing-options forwarding-table] user@B# set unicast-reverse-path active-paths
如果已完成设备 B 的配置,请提交配置。
[edit] user@B# commit
结果
通过发出 show firewall
、 show interfaces
、 show routing-options
show protocols
和 show policy-options
命令来确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置。
设备 A
user@A# show interfaces fe-1/2/0 { unit 1 { family inet { address 10.0.0.1/30; } } } fe-0/0/2 { unit 5 { family inet { address 10.0.0.5/30; } } } fe-0/0/1 { unit 17 { family inet { address 10.0.0.17/30; } } } fe-0/1/1 { unit 25 { family inet { address 10.0.0.25/30; } } } fe-1/1/1 { unit 29 { family inet { address 10.0.0.29/30; } } }
user@A# show protocols ospf { export send-direct; area 0.0.0.0 { interface fe-0/1/1.25; interface fe-1/1/1.29; } }
user@A# show policy-options policy-statement send-direct { from { protocol direct; route-filter 10.0.0.16/30 exact; } then accept; }
设备 B
user@B# show firewall filter rpf-special-case-dhcp { term allow-dhcp { from { source-address { 0.0.0.0/32; } destination-address { 255.255.255.255/32; } } then { count rpf-dhcp-traffic; accept; } } term default { then { log; reject; } } } user@B# show interfaces fe-1/2/0 { unit 2 { family inet { rpf-check fail-filter rpf-special-case-dhcp; address 10.0.0.2/30; } } } fe-1/1/1 { unit 6 { family inet { rpf-check fail-filter rpf-special-case-dhcp; address 10.0.0.6/30; } } } fe-0/1/1 { unit 9 { family inet { rpf-check fail-filter rpf-special-case-dhcp; address 10.0.0.9/30; } } } fe-0/1/0 { unit 13 { family inet { rpf-check fail-filter rpf-special-case-dhcp; address 10.0.0.13/30; } } }
user@B# show protocols ospf { area 0.0.0.0 { interface fe-0/1/1.9; interface fe-0/1/0.13; } }
user@B# show routing-options forwarding-table { unicast-reverse-path active-paths; }
输入设备 C、设备 D 和设备 E 上的配置,如 CLI 快速配置中所示。
验证
确认配置工作正常。
确认已启用单播 RPF
目的
确保设备 B 上的接口已启用单播 RPF。
行动
user@B> show interfaces fe-0/1/0.13 extensive Logical interface fe-0/1/0.13 (Index 73) (SNMP ifIndex 553) (Generation 208) Flags: SNMP-Traps 0x4000 Encapsulation: ENET2 Traffic statistics: Input bytes : 999390 Output bytes : 1230122 Input packets: 12563 Output packets: 12613 Local statistics: Input bytes : 998994 Output bytes : 1230122 Input packets: 12563 Output packets: 12613 Transit statistics: Input bytes : 396 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet, MTU: 1500, Generation: 289, Route table: 22 Flags: Sendbcast-pkt-to-re, uRPF RPF Failures: Packets: 0, Bytes: 0 Addresses, Flags: Is-Preferred Is-Primary Destination: 10.0.0.12/30, Local: 10.0.0.13, Broadcast: 10.0.0.15, Generation: 241
意义
uRPF 标志确认此接口上已启用单播 RPF。
确认源地址已被阻止
目的
使用该 ping
命令可确保设备 B 阻止来自意外源地址的流量。
行动
在设备 A 中,使用 10.0.0.17 作为源地址对设备 B 的接口执行 ping 操作。
user@A> ping 10.0.0.6 source 10.0.0.17 PING 10.0.0.6 (10.0.0.6): 56 data bytes ^C --- 10.0.0.6 ping statistics --- 3 packets transmitted, 0 packets received, 100% packet loss
意义
正如预期的那样,ping 操作失败。
确认源地址已解锁
目的
使用该 ping
命令可确保设备 B 在停用 RPF 检查时不会阻止流量。
行动
停用其中一个接口上的 RPF 检查。
重新运行 ping 操作。
user@B> deactivate interfaces fe-1/1/1.6 family inet rpf-check user@A> ping 10.0.0.6 source 10.0.0.17 PING 10.0.0.2 (10.0.0.2): 56 data bytes 64 bytes from 10.0.0.2: icmp_seq=0 ttl=63 time=1.316 ms 64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=1.263 ms ^C --- 10.0.0.2 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.263/1.289/1.316/0.027 ms
意义
正如预期的那样,ping 操作成功。