Host Protection using Control Plane Policing
This topic provides details about configuring Juniper Cloud-Native Router with host protection against DDoS attacks.
Note: This is a Juniper Technology Preview feature.
Juniper Cloud-Native Router supports host protection against Distributed Denial of Service
(DDoS) attacks. You can configure rate-limiting for host traffic based on protocol
classification on the loopback interface lo0.0 using layer 3 class of
service. See Layer-3 Class of Service (CoS).
Here is a sample configlet to rate-limit BGP control plane traffic on the loopback
lo0.0 interface:
apiVersion: configplane.juniper.net/v1
kind: Configlet
metadata:
  name: configlet-sample
  namespace: jcnr
spec:
  config: |-
    set interfaces lo0 unit 0 family inet filter input f1
    set firewall three-color-policer test action loss-priority high then discard
    set firewall three-color-policer test two-rate color-blind
    set firewall three-color-policer test two-rate committed-information-rate 50m
    set firewall three-color-policer test two-rate committed-burst-size 70m
    set firewall three-color-policer test two-rate peak-information-rate 2048
    set firewall three-color-policer test two-rate peak-burst-size 2048
    set firewall family inet filter f1 term t1 from source-port bgp
    set firewall family inet filter f1 term t1 then accept
    set firewall family inet filter f1 term t1 then count c1
    set firewall family inet filter f1 term t1 then three-color-policer two-rate test
  crpdSelector:
    matchLabels:
      node: worker

See Layer-3 Class of Service (CoS) for more details.
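Before a configlet like the one above is applied, it is worth checking that the filter is actually attached to lo0 input, that every policed term references a policer that exists, and that the two-rate policer's peak rate is not below its committed rate (RFC 2698 requires PIR >= CIR). The following linter is an added example written for this page, not Juniper's code; it parses the set statements of the sample configlet (embedded as a constructed string, with the interface path written as `lo0 unit 0`) and assumes only the three statement shapes shown in that sample.

```python
import re
# Constructed sample: the set statements from this page's BGP configlet.
SAMPLE_CONFIG = """\
set interfaces lo0 unit 0 family inet filter input f1
set firewall three-color-policer test action loss-priority high then discard
set firewall three-color-policer test two-rate color-blind
set firewall three-color-policer test two-rate committed-information-rate 50m
set firewall three-color-policer test two-rate committed-burst-size 70m
set firewall three-color-policer test two-rate peak-information-rate 2048
set firewall three-color-policer test two-rate peak-burst-size 2048
set firewall family inet filter f1 term t1 from source-port bgp
set firewall family inet filter f1 term t1 then accept
set firewall family inet filter f1 term t1 then count c1
set firewall family inet filter f1 term t1 then three-color-policer two-rate test
"""
_UNITS = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

def parse_rate(token: str) -> int:
    """Convert a Junos rate token such as '50m' or '2048' to plain bits per second."""
    m = re.fullmatch(r"(\d+)([kmg]?)", token.lower())
    if not m:
        raise ValueError(f"bad rate token: {token}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def lint_configlet(config: str) -> list:
    """Return findings for the set statements in a configlet; [] means all checks passed."""
    rows = [ln.split() for ln in config.splitlines() if ln.strip().startswith("set ")]
    lo0_filters, policers, term_policers = set(), {}, {}
    for w in rows:
        # set interfaces lo0 unit 0 family inet filter input <filter>
        if w[1:9] == ["interfaces", "lo0", "unit", "0", "family", "inet", "filter", "input"]:
            lo0_filters.add(w[9])
        # set firewall three-color-policer <name> two-rate <parameter> <value>
        elif len(w) == 7 and w[1:3] == ["firewall", "three-color-policer"] and w[4] == "two-rate":
            policers.setdefault(w[3], {})[w[5]] = parse_rate(w[6])
        # set firewall family inet filter <f> term <t> then three-color-policer two-rate <name>
        elif w[1:5] == ["firewall", "family", "inet", "filter"] and w[-3:-1] == ["three-color-policer", "two-rate"]:
            term_policers[(w[5], w[7])] = w[-1]
    findings = []
    for (flt, term), pol in term_policers.items():
        if flt not in lo0_filters:
            findings.append(f"filter {flt} (term {term}) is not applied to lo0 input")
        rates = policers.get(pol)
        if rates is None:
            findings.append(f"term {term} references undefined policer {pol}")
            continue
        cir, pir = rates.get("committed-information-rate"), rates.get("peak-information-rate")
        if cir is not None and pir is not None and pir < cir:
            # RFC 2698 requires PIR >= CIR for a two-rate three-color marker.
            findings.append(f"policer {pol}: peak-information-rate {pir} below committed-information-rate {cir}")
    return findings
```

Run against the sample as written, the check reports that the peak rate (2048 bps) is below the committed rate (50m, i.e. 50,000,000 bps), so adjust the rates to your own traffic profile before committing.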