Example: Protecting the Routing Engine with a Packets-Per-Second Rate Limiting Filter

This example shows how to configure a packets-per-second (pps) based rate-limiting filter to improve security. The filter is applied to the loopback interface to help protect the Routing Engine from denial-of-service attacks.

Best Practice:

This type of filter and policer combination is only one element in a multilayered approach that can be used to help protect the Routing Engine. Other layers of protection are needed in order to fully protect the Routing Engine. See Day One: Securing the Routing Engine on M, MX, and T Series for more information.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

In this example, you use a stateless firewall filter to set packets-per-second (pps) rate limits for any traffic destined for the Routing Engine through the loopback interface (lo0.0).

To activate a policer from within a stateless firewall filter configuration:

  1. Create a template for the policer by including the policer policer-name statement at the [edit firewall] hierarchy.

  2. Reference the policer in a filter term that specifies the policer in the policer policer-name nonterminating action.

You can also apply a policer by including the policer (input | output) policer-name statement in a logical interface configuration.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Configuring the Policer and the Stateless Firewall Filter

Step-by-Step Procedure

To configure the policer police_pps and stateless firewall filter my_pps_filter:

  1. Configure the policer template police_pps.

  2. Create the stateless firewall filter my_pps_filter.

  3. Configure a filter term that uses policer police_pps to rate limit traffic by protocol family.

Applying the Stateless Firewall Filter to the Loopback Logical Interface

Step-by-Step Procedure

To apply the filter my_pps_filter to the loopback interface:

  1. Configure the logical loopback interface to which you will apply the stateless firewall filter.

  2. Apply the stateless firewall filter to the loopback interface.

  3. Configure the interface address for the loopback interface.
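The two procedures above, written out as one structured Junos configuration. This is an added illustration, not the page's own quick-configuration block: it uses the page's names (police_pps, my_pps_filter, lo0.0) and the pps-limit 50 and packet-burst 10 values from the verification note, while the term names, the choice to police ICMP in the first term, and the 127.0.0.1/32 address are assumptions.

```junos
firewall {
    # Policer template: limit by packet count rather than bandwidth.
    # Packets above 50 pps, beyond a 10-packet burst allowance, are discarded.
    policer police_pps {
        if-exceeding-pps {
            pps-limit 50;
            packet-burst 10;
        }
        then discard;
    }
    family inet {
        filter my_pps_filter {
            # Term 1 (assumed): send ICMP aimed at the Routing Engine through
            # the policer. "policer" is nonterminating, so packets within the
            # limit are accepted by this term.
            term police-icmp {
                from {
                    protocol icmp;
                }
                then policer police_pps;
            }
            # Term 2: accept everything else. Without an explicit final accept,
            # the filter's implicit discard would drop all other Routing Engine
            # traffic (routing protocols, SSH, SNMP) and lock you out.
            term accept-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                # Applied on input to lo0.0, so it sees all traffic destined
                # for the Routing Engine.
                filter {
                    input my_pps_filter;
                }
                # Address is an assumed placeholder value.
                address 127.0.0.1/32;
            }
        }
    }
}
```

Activate an lo0 filter with commit confirmed so that a mistake rolls back automatically, then inspect the policer's discard counter with the show firewall filter my_pps_filter command described under Verification.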

Results

Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Confirm the configuration of the interface by entering the show interfaces lo0 configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Operation of the Filter

Purpose

To confirm that the configuration is working properly, enter the show firewall filter my_pps_filter operational mode command.

Note:

The following output was produced by running a rapid ping from another host to the router under test. A pps-limit of 50 and a packet-burst of 10 were used during the ping test so that the policer's effect is visible in the output.

Action