Date created: 05/31/20 10:59:32. Last modified: 05/31/20 11:00:43

EX 2200 Lo0 Filter

Example EX2200 Lo0 (loopback / protect-RE) filter. Note that quite a lot of firewall-filter features aren't supported for Lo0 filters on an EX2200, so this filter is accept/discard only: nothing can be policed, counted or logged.

 

# Test commands:
# show policy-options prefix-list pfx-local-loopback | display inheritance
# show firewall filter lo0.0-i
# show system connections
# show ntp status no-resolve
# #set date ntp - Force NTP update
#
# EX2200> start shell
# % vty fpc0
# show tcam vendor 1 rules
# show filter
# show filter index 10 prefix-count # Filter index number from previous command ^
# show filter hw 1 show_term_info
# show filter hw 1 show_terms_brcm # Might crash the FPC - don't run this on a production switch


# NOTE BEFORE:
# "then policer x", "then count x", "then log", "from ttl x" and "from ip-options" are not supported on EX2200, so the terms below can neither rate limit nor count/log what they match.



###################
# IP Prefix Lists #
###################

# Local loopback0 IPv4 address - This PE only.
# apply-path only picks up addresses configured under lo0 unit 2047, so the
# unit number here must match the unit the filter is applied to at the end.
set policy-options prefix-list pfx-local-loopback apply-path "interfaces lo0 unit 2047 family inet address <*>"

# Any local IPv4 address - Used to accept traceroute probes sent to any
# interface address (the EX2200 can't police them, so this is accept-only).
set policy-options prefix-list pfx-any-local-ipv4 apply-path "interfaces <*> unit <*> family inet address <*>"

# TACACS/ACS servers - derived from "system tacplus-server", so adding a
# server to the system config automatically opens the filter for it.
set policy-options prefix-list pfx-tacacs-servers apply-path "system tacplus-server <*>"

# NTP Servers
# 127.0.0.0/24 is needed because Junos queries the NTPd on BSD (127.0.0.1)
# rather than the remote NTP server directly.
# NOTE(review): a packet with a spoofed 127/24 source is trivial to craft, so
# any term that uses this list should also match on the NTP port instead of
# accepting all UDP from these sources.
set policy-options prefix-list pfx-ntp-servers 127.0.0.0/24
set policy-options prefix-list pfx-ntp-servers apply-path "system ntp server <*>"

# SNMP Servers - taken from the SNMPv3 target-addresses (trap/inform
# receivers). NOTE(review): a poller that is not also configured as a
# target-address is not in this list and will hit the default discard;
# add such pollers here explicitly.
set policy-options prefix-list pfx-snmp-servers apply-path "snmp v3 target-address <*> address <*>"

# SSH JumpBox - the only source allowed to open SSH to the switch.
set policy-options prefix-list pfx-ssh-jumpbox 192.0.40.19/32




##################
# DROP FRAGMENTS #
##################

# EX2200 doesn't support "from first-fragment". Per the Junos match semantics
# "is-fragment" matches trailing fragments (non-zero fragment offset) only;
# the first fragment still reaches the L4 terms below and is judged on its
# ports, and the rest of the datagram is dropped here so it can never be
# reassembled on the RE past a port match it was not checked against.
set firewall family inet filter lo0-filter term discard-frags from is-fragment
set firewall family inet filter lo0-filter term discard-frags then discard




###########################
# CONTROL PLANE PROTOCOLS #
###########################

# EX2200 doesn't support policers, so ARP and IGMP cannot be rate limited; the ethernet-switching filters below are kept for reference only and are not applied.
#set firewall family ethernet-switching filter accept-core-arp term accept-arp from ether-type arp
#set firewall family ethernet-switching filter accept-core-arp term accept-arp then policer 1m
#set firewall family ethernet-switching filter accept-core-arp term accept-arp then count arp
#set firewall family ethernet-switching filter accept-core-arp term accept-arp then accept
#
#set firewall family ethernet-switching filter accept-cust-igmp term accept-igmp from protocol igmp
#set firewall family ethernet-switching filter accept-cust-igmp term accept-igmp then policer 1m
#set firewall family ethernet-switching filter accept-cust-igmp term accept-igmp then count igmp
#set firewall family ethernet-switching filter accept-cust-igmp term accept-igmp then accept




##############################
# MANAGEMENT PLANE PROTOCOLS #
##############################

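# ICMP - accepted from any source, to any local address, with no rate limit
# ("then policer" isn't available on EX2200), so the type list is kept to the
# minimum needed for ping and for the switch's own outbound traceroute/ping
# replies. There is no destination match, so echo-request here also covers
# inbound ICMP traceroute probes.
# router-advertisement (ICMP type 9, IRDP) has been dropped from the list: the
# RE only has a use for it when "protocols router-discovery" is configured,
# which this example does not show - re-add it only if that is the case.
set firewall family inet filter lo0-filter term accept-icmp from protocol icmp
set firewall family inet filter lo0-filter term accept-icmp from icmp-type echo-reply
set firewall family inet filter lo0-filter term accept-icmp from icmp-type echo-request
set firewall family inet filter lo0-filter term accept-icmp from icmp-type time-exceeded
set firewall family inet filter lo0-filter term accept-icmp from icmp-type unreachable
set firewall family inet filter lo0-filter term accept-icmp then accept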

# SNMP - UDP/161 polls to the loopback address, only from the SNMP server
# list. No rate limit is possible on this platform, so a packet with a spoofed
# server source still reaches snmpd; keep the server list tight.
set firewall family inet filter lo0-filter term accept-snmp from protocol udp
set firewall family inet filter lo0-filter term accept-snmp from destination-port snmp
set firewall family inet filter lo0-filter term accept-snmp from source-prefix-list pfx-snmp-servers
set firewall family inet filter lo0-filter term accept-snmp from destination-prefix-list pfx-local-loopback
set firewall family inet filter lo0-filter term accept-snmp then accept

# TACACS/ACS - return traffic from the configured tacplus-servers. The switch
# opens the session, so the server side is always source-port 49; listing
# both UDP and TCP turns the match into "protocol [ udp tcp ]".
# NOTE(review): if this platform accepts "from tcp-established" in lo0
# filters, a separate TCP-only term with it would admit only reply segments
# (ACK set) rather than any TCP packet carrying source-port 49 - untested
# here, the unsupported-feature list at the top does not mention it.
set firewall family inet filter lo0-filter term accept-tacacs from source-prefix-list pfx-tacacs-servers
set firewall family inet filter lo0-filter term accept-tacacs from destination-prefix-list pfx-local-loopback
set firewall family inet filter lo0-filter term accept-tacacs from protocol udp
set firewall family inet filter lo0-filter term accept-tacacs from protocol tcp
set firewall family inet filter lo0-filter term accept-tacacs from source-port tacacs
set firewall family inet filter lo0-filter term accept-tacacs then accept

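# NTP (Junos queries the NTPd running on BSD, not the remote NTP server
# directly, so 127/24 and the local loopback are allowed as sources as well
# as the configured servers).
# EX2200 doesn't support the bidirectional "port ntp" match - it must be
# "source-port" or "destination-port". The original single term therefore
# accepted ALL UDP from these sources, which meant any UDP service on the RE
# was reachable from a packet carrying a spoofed NTP-server or 127/24 source.
# It is split into two terms instead: replies from a server carry
# source-port 123, and the local "set date ntp" style query carries
# destination-port 123.
set firewall family inet filter lo0-filter term accept-ntp from source-prefix-list pfx-ntp-servers
set firewall family inet filter lo0-filter term accept-ntp from source-prefix-list pfx-local-loopback
set firewall family inet filter lo0-filter term accept-ntp from destination-prefix-list pfx-local-loopback
set firewall family inet filter lo0-filter term accept-ntp from protocol udp
set firewall family inet filter lo0-filter term accept-ntp from source-port ntp
set firewall family inet filter lo0-filter term accept-ntp then accept

set firewall family inet filter lo0-filter term accept-ntp-query from source-prefix-list pfx-ntp-servers
set firewall family inet filter lo0-filter term accept-ntp-query from source-prefix-list pfx-local-loopback
set firewall family inet filter lo0-filter term accept-ntp-query from destination-prefix-list pfx-local-loopback
set firewall family inet filter lo0-filter term accept-ntp-query from protocol udp
set firewall family inet filter lo0-filter term accept-ntp-query from destination-port ntp
set firewall family inet filter lo0-filter term accept-ntp-query then accept
# Verify after committing with "show ntp status no-resolve" and
# "show system connections" - if the local NTPd exchange is dropped it will
# show up as a stuck "set date ntp".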

# SSH - TCP/22 to the loopback address, only from the jumpbox /32. Without a
# policer a flood from a spoofed jumpbox source still reaches sshd, so this
# one prefix is the whole exposure; keep it a /32.
set firewall family inet filter lo0-filter term accept-ssh from protocol tcp
set firewall family inet filter lo0-filter term accept-ssh from destination-port ssh
set firewall family inet filter lo0-filter term accept-ssh from source-prefix-list pfx-ssh-jumpbox
set firewall family inet filter lo0-filter term accept-ssh from destination-prefix-list pfx-local-loopback
set firewall family inet filter lo0-filter term accept-ssh then accept




########################
# DATA PLANE PROTOCOLS #
########################

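# Traceroute - EX2200 doesn't support "ttl", so UDP probes are identified by
# the classic traceroute destination-port range alone. Nothing listens on
# these ports, so the RE answers with ICMP port-unreachable; any source can
# hit this term and it cannot be policed, which is the cost of having the
# switch show up in traceroutes.
set firewall family inet filter lo0-filter term accept-traceroute-udp from destination-prefix-list pfx-any-local-ipv4
set firewall family inet filter lo0-filter term accept-traceroute-udp from protocol udp
set firewall family inet filter lo0-filter term accept-traceroute-udp from destination-port 33435-33655
set firewall family inet filter lo0-filter term accept-traceroute-udp then accept

# ICMP-based traceroute (echo-request with a low TTL) is already accepted by
# the accept-icmp term above, which has no source or destination match, so a
# separate accept-traceroute-icmp term here could never be reached and has
# been removed. If accept-icmp is ever restricted by source, re-add an
# echo-request term for pfx-any-local-ipv4 at this point.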




################
# DEFAULT DROP #
################

# Everything not explicitly accepted above is dropped. "then count" and
# "then log" aren't available on EX2200, so this term has no counter - a
# needed protocol that was missed shows up only as a broken service (a stuck
# "show ntp status", a failed TACACS login), never in "show firewall".
set firewall family inet filter lo0-filter term discard then discard


#########
# APPLY #
#########

# Apply as an input filter on the same lo0 unit whose address populates
# pfx-local-loopback (unit 2047 in both places - keep them in sync or the
# destination-prefix-list terms match nothing).
# This is a "family inet" filter and covers IPv4 only; if lo0 also carries
# family inet6 a separate inet6 filter is required or the RE stays open over
# IPv6.
set interfaces lo0 unit 2047 family inet filter input lo0-filter
