Example: Protecting the Routing Engine with a Packets-Per-Second Rate Limiting Filter
This example shows how to configure a packets-per-second based rate-limiting filter to improve security. It will be applied to the loopback interface in order to help protect the Routing Engine from denial of service attacks.
This type of filter and policer combination is only one element in a multilayered approach that can be used to help protect the Routing Engine. Other layers of protection are needed in order to fully protect the Routing Engine. See Day One: Securing the Routing Engine on M, MX, and T Series for more information.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you use a stateless firewall filter to set packets-per-second (pps) rate limits for any traffic destined for the Routing Engine through the loopback interface (lo0.0). The filter has a single term with no match conditions, so every IPv4 packet addressed to the Routing Engine shares one aggregate limit; this keeps the example short, but in production you would normally classify Routing Engine-bound traffic into separate terms (routing protocols, management, everything else) so that a flood of one type cannot consume the budget of another.
To activate a policer from within a stateless firewall filter configuration:

1. Create a template for the policer by including the policer policer-name statement at the [edit firewall] hierarchy level.
2. Reference the policer in a filter term that specifies the policer in the policer policer-name nonterminating action.

You can also apply a policer directly to a logical interface by including the policer (input | output) policer-name statement in the logical interface configuration.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
- CLI Quick Configuration
- Configuring the Policer and the Stateless Firewall Filter
- Applying the Stateless Firewall Filter to the Loopback Logical Interface
- Results
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set firewall policer police_pps if-exceeding-pps pps-limit 1k
set firewall policer police_pps if-exceeding-pps packet-burst 150
set firewall policer police_pps then discard
set firewall family inet filter my_pps_filter term term1 then policer police_pps
set interfaces lo0 unit 0 family inet filter input my_pps_filter
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
Configuring the Policer and the Stateless Firewall Filter
Step-by-Step Procedure
To configure the policer police_pps and stateless firewall filter my_pps_filter:

1. Configure the policer template police_pps. The pps-limit is the sustained rate; packet-burst is the number of packets that may exceed that rate before the policer starts discarding.
[edit firewall]
user@host# set policer police_pps if-exceeding-pps pps-limit 1k
user@host# set policer police_pps if-exceeding-pps packet-burst 150
user@host# set policer police_pps then discard

2. Create the stateless firewall filter my_pps_filter.
[edit]
user@host# edit firewall family inet filter my_pps_filter

3. Configure a filter term that uses policer police_pps to rate limit the traffic. Because term1 has no from clause, it matches all IPv4 traffic that reaches the filter; policer is a nonterminating action, so packets within the limit are accepted and packets that exceed it are discarded by the policer.
[edit firewall family inet filter my_pps_filter]
user@host# set term term1 then policer police_pps
Applying the Stateless Firewall Filter to the Loopback Logical Interface
Step-by-Step Procedure
To apply the filter my_pps_filter to the loopback interface:

1. Configure the logical loopback interface to which you will apply the stateless firewall filter.
[edit]
user@host# edit interfaces lo0 unit 0

2. Apply the stateless firewall filter to the loopback interface.
[edit interfaces lo0 unit 0]
user@host# set family inet filter input my_pps_filter

3. Configure the interface address for the loopback interface.
[edit interfaces lo0 unit 0]
user@host# set family inet address 127.0.0.1/32
Results
Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@host# show firewall
family inet {
    filter my_pps_filter {
        term term1 {
            then policer police_pps;
        }
    }
}
policer police_pps {
    if-exceeding-pps {
        pps-limit 1k;
        packet-burst 150;
    }
    then discard;
}
Confirm the configuration of the interface by entering the show interfaces lo0 configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@host# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input my_pps_filter;
        }
        address 127.0.0.1/32;
    }
}
If you are done configuring the device, enter commit from configuration mode.
user@host# commit
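The single-term filter committed above places every IPv4 packet bound for the Routing Engine under one shared 1000-pps limit, so an ICMP flood competes with BGP and OSPF for the same budget. The configuration below is an added illustration, not part of the original example or of any Juniper publication, of the layered structure the introduction refers to: Routing Engine-bound traffic is sorted into terms with their own policers, and anything not explicitly allowed is counted, logged, and discarded. The prefix-list names (bgp-peers, mgmt-hosts), the policer names, the filter name protect-re, the addresses, and all rate values are assumptions chosen for illustration; they must be replaced with the protocols, peers, and management networks actually in use on the device.

```junos
policy-options {
    /* assumed: addresses of the configured BGP neighbors */
    prefix-list bgp-peers {
        192.0.2.1/32;
        192.0.2.2/32;
    }
    /* assumed: management network permitted to open SSH sessions */
    prefix-list mgmt-hosts {
        198.51.100.0/24;
    }
}
firewall {
    /* routing protocols get the largest budget */
    policer police_protocols {
        if-exceeding-pps {
            pps-limit 2k;
            packet-burst 300;
        }
        then discard;
    }
    /* management sessions get a tighter budget */
    policer police_mgmt {
        if-exceeding-pps {
            pps-limit 500;
            packet-burst 100;
        }
        then discard;
    }
    /* ICMP gets the smallest budget, so a ping flood cannot starve the others */
    policer police_icmp {
        if-exceeding-pps {
            pps-limit 100;
            packet-burst 20;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            term ospf {
                from {
                    protocol ospf;
                }
                then {
                    policer police_protocols;
                    accept;
                }
            }
            term bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    policer police_protocols;
                    accept;
                }
            }
            term ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    policer police_mgmt;
                    accept;
                }
            }
            term icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer police_icmp;
                    accept;
                }
            }
            /* everything not matched above: count it, log it, drop it */
            term everything-else {
                then {
                    count re-discards;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 127.0.0.1/32;
            }
        }
    }
}
```

The final discard term is the part that most often locks an operator out: any protocol the device actually uses but that is not matched by an earlier term (for example BFD, NTP, SNMP, or DNS responses) is silently dropped. Apply a filter of this shape with commit confirmed so that the change rolls back automatically if the session is lost, and watch the re-discards counter in show firewall filter protect-re after the commit; a steadily increasing count on a quiet network usually means a legitimate protocol is missing from the allow terms rather than an attack.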
Verification
Verifying the Operation of the Filter
Purpose
To confirm that the configuration is working properly, enter the show firewall filter my_pps_filter operational mode command. The Bytes and Packets columns under Policers count the traffic that exceeded the policer limit and was therefore discarded; a policer that is never exceeded shows zero.

The following output results from running a rapid ping from another host to the router under test. A rapid ping from a single host does not come close to the 1k-pps limit configured in this example, so in order to show nonzero counters in the output, a pps-limit setting of 50 and a packet-burst setting of 10 were used during the ping test.
Action
user@host> show firewall filter my_pps_filter
Filter: my_pps_filter
Policers:
Name                                                Bytes              Packets
police_pps-term1                                     8704                   17