Rate-Limiting Traffic Flow to the Routing Engine
Problem
You need to ensure the availability of the Routing Engine during times of heavy traffic.
Solution
Configure policers to use with the firewall filter that you apply to the Routing Engine. First, create policers for control and low-priority traffic. The first policer is for SSH connections to the Routing Engine:
[edit firewall]
aviva@RouterF# set policer ssh if-exceeding bandwidth-limit 1m
aviva@RouterF# set policer ssh if-exceeding burst-size-limit 100k
aviva@RouterF# set policer ssh then discard
Two additional policers limit ICMP and TCP traffic:
[edit firewall]
aviva@RouterF# set policer icmp if-exceeding bandwidth-limit 1m
aviva@RouterF# set policer icmp if-exceeding burst-size-limit 100k
aviva@RouterF# set policer icmp then discard
aviva@RouterF# set policer tcp if-exceeding bandwidth-limit 1m
aviva@RouterF# set policer tcp if-exceeding burst-size-limit 100k
aviva@RouterF# set policer tcp then discard
A final policer affects various background applications, including SNMP, NTP, and RADIUS:
[edit firewall]
aviva@RouterF# set policer utility if-exceeding bandwidth-limit 3m
aviva@RouterF# set policer utility if-exceeding burst-size-limit 300k
aviva@RouterF# set policer utility then discard
Then, apply the policers in the then clause of the firewall terms that affect TCP, SSH, ICMP, SNMP, NTP, and RADIUS packets:
[edit firewall filter protect-RE2]
aviva@RouterF# set term tcp from source-prefix-list ssh-prefixes
aviva@RouterF# set term tcp from source-prefix-list bgp-prefixes
aviva@RouterF# set term tcp from protocol tcp
aviva@RouterF# set term tcp from tcp-flags "(syn & !ack) | fin | rst"
aviva@RouterF# set term tcp then policer tcp
aviva@RouterF# set term tcp then accept
aviva@RouterF# set term ssh from prefix-list ssh-prefixes
aviva@RouterF# set term ssh from protocol tcp
aviva@RouterF# set term ssh from destination-port ssh
aviva@RouterF# set term ssh then policer ssh
aviva@RouterF# set term ssh then accept
aviva@RouterF# set term utility from source-prefix-list utility-prefixes
aviva@RouterF# set term utility from protocol udp
aviva@RouterF# set term utility from port [ snmp ntp radius ]
aviva@RouterF# set term utility then policer utility
aviva@RouterF# set term utility then accept
aviva@RouterF# set term icmp from protocol icmp
aviva@RouterF# set term icmp from icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ]
aviva@RouterF# set term icmp then policer icmp
aviva@RouterF# set term icmp then accept
A final term in the filter counts and discards all remaining traffic:
[edit firewall filter protect-RE2]
aviva@RouterF# set term final-term then count discarded-packets
aviva@RouterF# set term final-term then discard
To have the filter take effect, apply it to the router's lo0 interface:
[edit interfaces]
aviva@RouterF# set lo0 unit 0 family inet filter input protect-RE2
Discussion
It is considered good practice to apply policers to Routing Engine firewall filter terms to keep unwanted traffic and possible attacks from overwhelming the routing-protocol software, which runs on the Routing Engine. You want to police control traffic and traffic that is not time-sensitive, but you don't want to police critical traffic, such as BGP protocol exchanges. This section provides a second example of a Routing Engine firewall filter that includes policers. It is based on a JUNOS secure template publicly available from Team Cymru at http://www.cymru.com.
First, create policers for control and low-priority traffic. The first policer, configured with the set policer ssh commands, discards all SSH traffic when the bandwidth exceeds 1 MB or when the traffic burst size is greater than 100 Kbps. The second and third policers provide similar limits for ICMP and TCP traffic.
The limits of the first three policers are identical, so you might wonder why you should bother creating separate policers. You could use just one, which is fine if you know that you will always want the same bandwidth and burst-size limits for these three types of traffic. However, if you think you might need to tweak the limits individually, this is easier to do if you create separate policers initially: when you change the values, you only need to reconfigure the policer. Otherwise, you have to reconfigure both the policer and the firewall term in which the policer is used.
The last policer in this recipe, configured with the set policer utility commands, is for background applications, including SNMP, NTP, and RADIUS. This policer drops traffic when the bandwidth is greater than 3 MB or a traffic burst exceeds 300 Kbps.
You then apply the policers in the then clause of the firewall terms. You need a term for each type of traffic. The first term, configured with the set term tcp commands, accepts TCP control traffic only from trusted sources and rate-limits this traffic. The first two commands match prefix lists defined in the [edit policy] section of the configuration. As with the routing-policy prefix lists, you use these to keep a single list of IP addresses in one place in the configuration. The ssh-prefixes list has all the SSH servers in your network, and the bgp-prefixes list has all your BGP peers. The last from clause command matches bits found in TCP control traffic. The first option, (syn & !ack), matches TCP synchronize packets that are being used to establish connections. For connections that are already established and operating normally, these packets also have the ACK bit set, so we exclude these packets from the policer limits. The RST option is present in packets resetting a TCP session, and FIN indicates that a session has closed and there is no more data from the sender. You must enclose the bits in quotation marks so the CLI interprets them correctly. The final two commands in this term configure the action. The first command applies the tcp policer, and the second accepts the packets.
After the tcp term, you should add the following filter term to accept BGP traffic from trusted sources:
[edit firewall filter protect-RE2]
aviva@RouterF# set term bgp from source-prefix-list bgp-prefixes
aviva@RouterF# set term bgp from protocol tcp
aviva@RouterF# set term bgp from port bgp
aviva@RouterF# set term bgp then accept
The first three commands match packets from a prefix list configured in the [edit policy] section that lists the router's BGP peers, and this traffic is TCP protocol traffic sent from the BGP port. The then clause accepts these packets. You don't rate-limit BGP traffic, because it must be received and handled by the Routing Engine.
The ssh, utility, and icmp terms in the filter are similar, accepting and rate-limiting SSH, SNMP, NTP, RADIUS, and ICMP packets. The last term, final-term, counts and discards all remaining traffic.
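To make the interaction between term order and policer limits concrete, here is an added Python model of the protect-RE2 filter; it is not code from the recipe or from Team Cymru's template. It implements a token-bucket policer with the recipe's limits, evaluates the terms first-match-wins in the order the recipe builds them (tcp, bgp, ssh, utility, icmp, final-term), and runs a few constructed packets through it. The prefix lists, addresses, packet sizes and arrival times are assumptions. JUNOS expresses bandwidth-limit in bits per second and burst-size-limit in bytes, so the model refills 1m/8 bytes per second into a bucket of 100k bytes; the prefix-list match in the ssh term is modelled as a source-address check.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single-rate token bucket in JUNOS units: bits per second and bytes."""
    name: str
    bandwidth_limit: int   # bits per second; the recipe's 1m is 1_000_000
    burst_size_limit: int  # bytes; the recipe's 100k is 100_000
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst_size_limit)  # bucket starts full

    def conforms(self, t, length):
        """Refill at bandwidth_limit/8 bytes per second, capped at the burst size,
        then admit the packet only if enough tokens remain ('then discard' otherwise)."""
        refill = (t - self.last_t) * self.bandwidth_limit / 8
        self.tokens = min(self.burst_size_limit, self.tokens + refill)
        self.last_t = t
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False


@dataclass(frozen=True)
class Packet:
    t: float                        # arrival time in seconds
    src: str
    proto: str                      # "tcp", "udp" or "icmp"
    length: int                     # bytes
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"syn"} or {"syn", "ack"}
    icmp_type: str = ""


# Constructed sample prefix lists (the real ones are configured under policy-options).
PREFIX_LISTS = {
    "ssh-prefixes": [ipaddress.ip_network("192.0.2.0/24")],
    "bgp-prefixes": [ipaddress.ip_network("198.51.100.0/24")],
    "utility-prefixes": [ipaddress.ip_network("203.0.113.0/24")],
}
POLICERS = {
    "ssh": Policer("ssh", 1_000_000, 100_000),
    "icmp": Policer("icmp", 1_000_000, 100_000),
    "tcp": Policer("tcp", 1_000_000, 100_000),
    "utility": Policer("utility", 3_000_000, 300_000),
}
UTILITY_PORTS = {161, 123, 1812}  # snmp, ntp, radius
ICMP_TYPES = {"echo-request", "echo-reply", "unreachable", "time-exceeded", "source-quench"}
COUNTERS = {"discarded-packets": 0}  # the 'count discarded-packets' of final-term


def in_list(addr, name):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PREFIX_LISTS[name])


def tcp_control_flags(flags):
    """The recipe's tcp-flags expression "(syn & !ack) | fin | rst"."""
    return ("syn" in flags and "ack" not in flags) or "fin" in flags or "rst" in flags


# Terms in recipe order (bgp directly after tcp, as the discussion says):
# (term name, match predicate, policer applied in the then clause; None means accept only).
TERMS = [
    ("tcp", lambda p: (in_list(p.src, "ssh-prefixes") or in_list(p.src, "bgp-prefixes"))
                      and p.proto == "tcp" and tcp_control_flags(p.flags), "tcp"),
    ("bgp", lambda p: in_list(p.src, "bgp-prefixes") and p.proto == "tcp"
                      and 179 in (p.sport, p.dport), None),
    ("ssh", lambda p: in_list(p.src, "ssh-prefixes") and p.proto == "tcp" and p.dport == 22, "ssh"),
    ("utility", lambda p: in_list(p.src, "utility-prefixes") and p.proto == "udp"
                          and bool({p.sport, p.dport} & UTILITY_PORTS), "utility"),
    ("icmp", lambda p: p.proto == "icmp" and p.icmp_type in ICMP_TYPES, "icmp"),
]


def protect_re2(pkt):
    """First matching term wins, as in a JUNOS filter; anything unmatched hits final-term."""
    for name, match, policer in TERMS:
        if match(pkt):
            if policer is not None and not POLICERS[policer].conforms(pkt.t, pkt.length):
                return f"discard by policer {policer} in term {name}"
            return f"accept in term {name}"
    COUNTERS["discarded-packets"] += 1
    return "discard in final-term"


def demo():
    """Run constructed sample traffic through the filter and return what happened."""
    peer, ssh_client, stray = "198.51.100.1", "192.0.2.10", "192.0.2.99"
    out = []
    # BGP SYN from a trusted peer: term tcp matches first and rate-limits it.
    out.append(protect_re2(Packet(0.0, peer, "tcp", 60, 40000, 179, frozenset({"syn"}))))
    # Established BGP segment (ACK only): skips term tcp, accepted by term bgp without a policer.
    out.append(protect_re2(Packet(0.1, peer, "tcp", 59, 40000, 179, frozenset({"ack"}))))
    # 200 SSH packets of 1000 bytes arriving at once: the 100k-byte bucket admits exactly 100.
    ssh = [protect_re2(Packet(1.0, ssh_client, "tcp", 1000, 50000, 22, frozenset({"ack"})))
           for _ in range(200)]
    out.append(sum(r.startswith("accept") for r in ssh))
    # SNMP from an address outside utility-prefixes: no term matches, final-term discards it.
    out.append(protect_re2(Packet(2.0, stray, "udp", 100, 3000, 161)))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
    print("discarded-packets counter:", COUNTERS["discarded-packets"])
```

The SSH burst is the case worth noticing: the policer admits the first 100 KB of a burst regardless of rate and only then starts discarding, so burst-size-limit, not bandwidth-limit, decides how much of a sudden flood reaches the Routing Engine. On the router itself the equivalent check is `show firewall filter protect-RE2`, which shows the discarded-packets counter and the per-term policer counts.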
Finally, to have the filter take effect, apply it to the lo0 interface.