
MX104 Lo0 Filter Example

Example MX104 Lo0 Filter:

 

# Test commands:
# show policy-options prefix-list pfx-local-loopback | display inheritance
# show firewall filter lo0.0-i
# show bfd sessions
# show bgp summary
# show ospf neighbor
# show ldp neighbor
# show pim neighbors
# show ntp status no-resolve
# set date ntp - Force NTP update




###################
# IP Prefix Lists #
###################

# Local loopback0 IPv4 address - This PE only
# apply-path is expanded at commit time; check the result with
# "show policy-options prefix-list pfx-local-loopback | display inheritance".
# NOTE(review): confirm how a term behaves when an apply-path expands to *no*
# prefixes - an empty list may leave that match condition unrestricted rather
# than matching nothing, which would widen the term.
set policy-options prefix-list pfx-local-loopback apply-path "interfaces lo0 unit 0 family inet address <*>"

# Loopback subnet for all PEs - Used for iBGP
# Static summary - keep in sync with the PE loopback addressing plan.
set policy-options prefix-list pfx-pe-loopbacks 192.0.41.0/29

# Any local IPv4 address - Used to police traceroute
set policy-options prefix-list pfx-any-local-ipv4 apply-path "interfaces <*> unit <*> family inet address <*>"

# Core GRT PtP interfaces - Used for OSPF, LDP, PIM etc
set policy-options prefix-list pfx-core-ptp 192.0.41.16/28

# Core OSPF link-local multicast
set policy-options prefix-list pfx-ospf-multicast 224.0.0.5/32
# ^ OSPF All SPF Routers (AllSPFRouters)
set policy-options prefix-list pfx-ospf-multicast 224.0.0.6/32
# ^ OSPF All DR Routers (AllDRouters - DR/BDR only)

# LDP link-local multicast
set policy-options prefix-list pfx-ldp-multicast 224.0.0.2/32
# ^ Multicast All Routers

# PIM Multicast
set policy-options prefix-list pfx-pim-multicast 224.0.0.13/32
# ^ All PIM Routers

# IGMP
#set policy-options prefix-list pfx-igmp-multicast 224.0.0.1/32
# ^ Multicast All Systems

# TACACS/ACS servers
set policy-options prefix-list pfx-tacacs-servers apply-path "system tacplus-server <*>"

# NTP Servers
set policy-options prefix-list pfx-ntp-servers apply-path "system ntp server <*>"
set policy-options prefix-list pfx-ntp-servers 128.0.0.0/24
# ^ Junos queries the NTPd on BSD not the remote NTP server directly!
# NOTE(review): 128.0.0.0/24 is an internal Junos range, yet it is a plain
# source match in accept-ntp. Anti-spoofing on the edge interfaces (e.g. uRPF)
# is what keeps an externally-sourced 128.0.0.x packet from using this term - confirm.

# SNMP Servers
# NOTE(review): "snmp v3 target-address" lists trap/inform targets. A manager that
# only polls (v2c community clients, or v3 without a target-address) is not in this
# list and its queries would be discarded - confirm against the SNMP config.
set policy-options prefix-list pfx-snmp-servers apply-path "snmp v3 target-address <*> address <*>"

# SSH JumpBox
# No prefix length given - expected to be stored as a /32 host entry; verify in
# "show configuration policy-options".
set policy-options prefix-list pfx-ssh-jumpbox 192.0.40.19

# PE to CE BFD Sessions
# set policy-options prefix-list pfx-pe-to-ce apply-path "routing-instances <*> interface <*> unit <*> family inet address <*>"
# ^ This expands to nothing - IPs aren't configured under the routing-instance
# Static summary of the PE-CE VRF range - keep in sync with the VRF addressing plan.
set policy-options prefix-list pfx-pe-to-ce-vrf 172.31.128.0/17

# PE to CE eBGP sessions - VRFs
set policy-options prefix-list pfx-pe-to-ce-ebgp-vrf apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>"

# PE to CE eBGP sessions - MGMT/GRT
# Relies on customer GRT BGP groups being named CUST-*; a group outside that
# naming convention is not matched and its session is discarded.
set policy-options prefix-list pfx-pe-to-ce-ebgp-mgmt apply-path "protocols bgp group <CUST-*> neighbor <*>"

# PE to CE eBGP subnets - MGMT/GRT
set policy-options prefix-list pfx-pe-to-ce-ebgp-grt 192.0.40.0/22

# PE to CE PIM sessions
#set policy-options prefix-list pfx-pe-to-ce-pim apply-path "routing-instances PIM_VRF_NAME interfaces <*> unit <*> family inet address <*>"
# Multicast VRF unknown at present!


##########################
# CONTROL PLANE POLICERS #
##########################

# Core 1m Policer - Used for OSPF, BFD, iBGP, LDP, PIM
# 1m bandwidth / 625k burst; traffic over the limit is discarded, not re-marked.
# NOTE(review): a policer referenced from several terms is instantiated per term
# by default (no filter-specific), so one protocol exceeding its rate should not
# starve the others - confirm on this release.
set firewall policer core-ctrl-1m if-exceeding bandwidth-limit 1m
set firewall policer core-ctrl-1m if-exceeding burst-size-limit 625k
set firewall policer core-ctrl-1m then discard

# Customer 1m Policer - Used for BFD, eBGP, PIM, IGMP
# Kept separate from core-ctrl-1m so customer-facing bursts are accounted
# independently of core protocols.
set firewall policer cust-ctrl-1m if-exceeding bandwidth-limit 1m
set firewall policer cust-ctrl-1m if-exceeding burst-size-limit 625k
set firewall policer cust-ctrl-1m then discard




###########################
# CONTROL PLANE PROTOCOLS #
###########################

# Core OSPF Filter
# Accept OSPF (IP protocol 89) between core PtP interfaces, either unicast
# (DB description / LS request-update) or to the OSPF multicast groups.
# Repeated source-prefix-list / destination-prefix-list lines are ORed within
# their own match type; the distinct match types are ANDed.
# NOTE(review): pfx-ospf-multicast as a *source* never matches a real OSPF packet
# (a multicast address is not a valid source); harmless, but it could be dropped
# to keep the term minimal.
set firewall family inet filter accept-core-ospf term accept-ospf from source-prefix-list pfx-core-ptp
set firewall family inet filter accept-core-ospf term accept-ospf from source-prefix-list pfx-ospf-multicast
set firewall family inet filter accept-core-ospf term accept-ospf from destination-prefix-list pfx-core-ptp
set firewall family inet filter accept-core-ospf term accept-ospf from destination-prefix-list pfx-ospf-multicast
set firewall family inet filter accept-core-ospf term accept-ospf from protocol ospf
set firewall family inet filter accept-core-ospf term accept-ospf then policer core-ctrl-1m
set firewall family inet filter accept-core-ospf term accept-ospf then count accept-core-ospf
set firewall family inet filter accept-core-ospf term accept-ospf then accept

# Core BFD Filter
# Single-hop BFD: control on UDP 3784, echo on UDP 3785. RFC 5881 requires the
# sender to use a source port in 49152-65535, hence the source-port match.
# Multihop BFD (UDP 4784) is deliberately not matched - intended only while all
# core BFD sessions are single-hop.
set firewall family inet filter accept-core-bfd term accept-bfd from source-prefix-list pfx-core-ptp
set firewall family inet filter accept-core-bfd term accept-bfd from destination-prefix-list pfx-core-ptp
set firewall family inet filter accept-core-bfd term accept-bfd from protocol udp
set firewall family inet filter accept-core-bfd term accept-bfd from source-port 49152-65535
set firewall family inet filter accept-core-bfd term accept-bfd from destination-port 3784-3785
set firewall family inet filter accept-core-bfd term accept-bfd then policer core-ctrl-1m
set firewall family inet filter accept-core-bfd term accept-bfd then count accept-core-bfd
set firewall family inet filter accept-core-bfd term accept-bfd then accept

# Core iBGP Filter
# Loopback-to-loopback iBGP only. "from port bgp" matches TCP 179 as either
# source or destination, so sessions initiated from either side are covered.
# NOTE(review): policing BGP at 1m is tight. A route refresh or a burst of
# updates from several PEs may exceed it, and the resulting discards show up as
# TCP retransmits and, in the worst case, hold-timer expiry. Confirm the rate
# against expected update volume or exempt BGP from the policer.
set firewall family inet filter accept-core-ibgp term accept-ibgp from source-prefix-list pfx-pe-loopbacks
set firewall family inet filter accept-core-ibgp term accept-ibgp from destination-prefix-list pfx-local-loopback
set firewall family inet filter accept-core-ibgp term accept-ibgp from protocol tcp
set firewall family inet filter accept-core-ibgp term accept-ibgp from port bgp
set firewall family inet filter accept-core-ibgp term accept-ibgp then policer core-ctrl-1m
set firewall family inet filter accept-core-ibgp term accept-ibgp then count accept-core-ibgp
set firewall family inet filter accept-core-ibgp term accept-ibgp then accept

# Core LDP Filter
# Basic discovery: LDP Hellos are UDP 646 -> 646 from the PtP address to 224.0.0.2.
set firewall family inet filter accept-core-ldp term accept-ldp-discover from source-prefix-list pfx-core-ptp
set firewall family inet filter accept-core-ldp term accept-ldp-discover from destination-prefix-list pfx-ldp-multicast
set firewall family inet filter accept-core-ldp term accept-ldp-discover from protocol udp
set firewall family inet filter accept-core-ldp term accept-ldp-discover from source-port ldp
set firewall family inet filter accept-core-ldp term accept-ldp-discover from destination-port ldp
set firewall family inet filter accept-core-ldp term accept-ldp-discover then policer core-ctrl-1m
set firewall family inet filter accept-core-ldp term accept-ldp-discover then count accept-core-ldp
set firewall family inet filter accept-core-ldp term accept-ldp-discover then accept

# Core Target LDP
# Session (TCP) and targeted-hello (UDP) traffic between PE loopbacks.
# "from protocol tcp" and "from protocol udp" are ORed; "from port ldp" matches
# 646 as source or destination. Counter name accept-core-tldp differs from the
# filter name on purpose so the two terms can be read separately.
set firewall family inet filter accept-core-ldp term accept-tldp from source-prefix-list pfx-pe-loopbacks
set firewall family inet filter accept-core-ldp term accept-tldp from destination-prefix-list pfx-local-loopback
set firewall family inet filter accept-core-ldp term accept-tldp from protocol tcp
set firewall family inet filter accept-core-ldp term accept-tldp from protocol udp
set firewall family inet filter accept-core-ldp term accept-tldp from port ldp
set firewall family inet filter accept-core-ldp term accept-tldp then policer core-ctrl-1m
set firewall family inet filter accept-core-ldp term accept-tldp then count accept-core-tldp
set firewall family inet filter accept-core-ldp term accept-tldp then accept

# Core PIM Filter
# Only PIM addressed to 224.0.0.13 (Hello, Join/Prune, Assert) is accepted.
# NOTE(review): unicast PIM - Register / Register-Stop to and from an RP, or
# unicast Bootstrap - is not matched by this term. If this PE is an RP or a DR
# that registers sources, a loopback-to-loopback PIM term is needed; confirm
# against the multicast design.
set firewall family inet filter accept-core-pim term accept-pim from source-prefix-list pfx-core-ptp
set firewall family inet filter accept-core-pim term accept-pim from destination-prefix-list pfx-pim-multicast
set firewall family inet filter accept-core-pim term accept-pim from protocol pim
set firewall family inet filter accept-core-pim term accept-pim then policer core-ctrl-1m
set firewall family inet filter accept-core-pim term accept-pim then count accept-core-pim
set firewall family inet filter accept-core-pim term accept-pim then accept

# Customer BFD Filter
# Same single-hop BFD ports as the core term, but source and destination are
# both constrained to the static PE-CE VRF range (pfx-pe-to-ce-vrf) and policed
# by the separate customer policer.
set firewall family inet filter accept-cust-bfd term accept-bfd from source-prefix-list pfx-pe-to-ce-vrf
set firewall family inet filter accept-cust-bfd term accept-bfd from destination-prefix-list pfx-pe-to-ce-vrf
set firewall family inet filter accept-cust-bfd term accept-bfd from protocol udp
set firewall family inet filter accept-cust-bfd term accept-bfd from source-port 49152-65535
set firewall family inet filter accept-cust-bfd term accept-bfd from destination-port 3784-3785
set firewall family inet filter accept-cust-bfd term accept-bfd then policer cust-ctrl-1m
set firewall family inet filter accept-cust-bfd term accept-bfd then count accept-cust-bfd
set firewall family inet filter accept-cust-bfd term accept-bfd then accept

# Customer eBGP Filter - VRFs
# Source = the configured VRF BGP neighbours (apply-path), destination = the
# PE-CE VRF range; TCP 179 as source or destination.
# NOTE(review): with no VRF neighbours configured the apply-path expands empty -
# confirm the term then matches nothing rather than any source.
set firewall family inet filter accept-cust-ebgp-vrf term accept-ebgp-vrf from source-prefix-list pfx-pe-to-ce-ebgp-vrf
set firewall family inet filter accept-cust-ebgp-vrf term accept-ebgp-vrf from destination-prefix-list pfx-pe-to-ce-vrf
set firewall family inet filter accept-cust-ebgp-vrf term accept-ebgp-vrf from protocol tcp
set firewall family inet filter accept-cust-ebgp-vrf term accept-ebgp-vrf from port bgp
set firewall family inet filter accept-cust-ebgp-vrf term accept-ebgp-vrf then policer cust-ctrl-1m
set firewall family inet filter accept-cust-ebgp-vrf term accept-ebgp-vrf then count accept-cust-ebgp
set firewall family inet filter accept-cust-ebgp-vrf term accept-ebgp-vrf then accept

# Customer eBGP Filter - MGMT/GRT
# Source = neighbours of GRT groups named CUST-* (apply-path), destination = the
# GRT PE-CE subnets. Shares the accept-cust-ebgp counter with the VRF term, so
# the two cannot be told apart in "show firewall filter" output.
set firewall family inet filter accept-cust-ebgp-grt term accept-ebgp-grt from source-prefix-list pfx-pe-to-ce-ebgp-mgmt
set firewall family inet filter accept-cust-ebgp-grt term accept-ebgp-grt from destination-prefix-list pfx-pe-to-ce-ebgp-grt
set firewall family inet filter accept-cust-ebgp-grt term accept-ebgp-grt from protocol tcp
set firewall family inet filter accept-cust-ebgp-grt term accept-ebgp-grt from port bgp
set firewall family inet filter accept-cust-ebgp-grt term accept-ebgp-grt then policer cust-ctrl-1m
set firewall family inet filter accept-cust-ebgp-grt term accept-ebgp-grt then count accept-cust-ebgp
set firewall family inet filter accept-cust-ebgp-grt term accept-ebgp-grt then accept

# Customer PIM Filter
# Disabled until the multicast VRF is known (see pfx-pe-to-ce-pim).
#set firewall family inet filter accept-cust-pim term accept-pim from source-prefix-list pfx-pe-to-ce-pim
#set firewall family inet filter accept-cust-pim term accept-pim from destination-prefix-list pfx-pim-multicast
#set firewall family inet filter accept-cust-pim term accept-pim from protocol pim
#set firewall family inet filter accept-cust-pim term accept-pim then policer cust-ctrl-1m
#set firewall family inet filter accept-cust-pim term accept-pim then count accept-cust-pim
#set firewall family inet filter accept-cust-pim term accept-pim then accept

# Customer IGMP
# NOTE(review): this disabled term uses pfx-core-ptp (the core PtP range) as its
# source although it is a customer-facing filter - revisit the source list before
# enabling it.
#set firewall family inet filter accept-cust-igmp term accept-igmp from source-prefix-list pfx-core-ptp
#set firewall family inet filter accept-cust-igmp term accept-igmp from destination-prefix-list pfx-igmp-multicast
#set firewall family inet filter accept-cust-igmp term accept-igmp from protocol igmp
#set firewall family inet filter accept-cust-igmp term accept-igmp then policer cust-ctrl-1m
#set firewall family inet filter accept-cust-igmp term accept-igmp then count accept-cust-igmp
#set firewall family inet filter accept-cust-igmp term accept-igmp then accept

# Control plane filters
# Nested filters: each term hands the packet to the referenced filter. Terms are
# evaluated in the order they appear here, so keep the most frequent protocols
# first. A packet matching no term is evaluated by the next filter in the lo0
# input-list (mgmt-plane-services), not discarded here.
set firewall family inet filter ctrl-plane-services term accept-core-ospf filter accept-core-ospf
set firewall family inet filter ctrl-plane-services term accept-core-bfd filter accept-core-bfd
set firewall family inet filter ctrl-plane-services term accept-core-ibgp filter accept-core-ibgp
set firewall family inet filter ctrl-plane-services term accept-core-ldp filter accept-core-ldp
set firewall family inet filter ctrl-plane-services term accept-core-pim filter accept-core-pim
set firewall family inet filter ctrl-plane-services term accept-cust-bfd filter accept-cust-bfd
set firewall family inet filter ctrl-plane-services term accept-cust-ebgp-vrf filter accept-cust-ebgp-vrf
set firewall family inet filter ctrl-plane-services term accept-cust-ebgp-grt filter accept-cust-ebgp-grt
#set firewall family inet filter ctrl-plane-services term accept-cust-pim filter accept-cust-pim
#set firewall family inet filter ctrl-plane-services term accept-cust-ctrl filter accept-cust-igmp
# ^ NOTE(review): term name accept-cust-ctrl breaks the accept-cust-<proto> pattern
# used above; rename it to accept-cust-igmp when this line is enabled.




#############################
# MANAGEMENT PLANE POLICERS #
#############################

# Management 1m Policer - Used for ICMP, TACACS+, NTP, Syslog, SNMP
# Syslog is outbound-only (no return traffic), so no accept term needs it.
set firewall policer core-mgmt-1m if-exceeding bandwidth-limit 1m
set firewall policer core-mgmt-1m if-exceeding burst-size-limit 625k
set firewall policer core-mgmt-1m then discard

# Management 5m Policer - Used for SSH
# NOTE(review): presumably sized above 1m so scp / file transfer over SSH stays
# usable - confirm the figure against actual use.
set firewall policer core-mgmt-5m if-exceeding bandwidth-limit 5m
set firewall policer core-mgmt-5m if-exceeding burst-size-limit 625k
set firewall policer core-mgmt-5m then discard




##############################
# MANAGEMENT PLANE PROTOCOLS #
##############################

# ICMP
# NOTE(review): the no-icmp-fragments term is shadowed. discard-frags is first in
# the lo0 input-list and already drops every fragment (first-fragment and
# is-fragment), so this term never matches and discard-icmp-fragments stays at
# zero. Harmless defence in depth; remove it if the zero counter confuses operators.
set firewall family inet filter accept-icmp term no-icmp-fragments from is-fragment
set firewall family inet filter accept-icmp term no-icmp-fragments from protocol icmp
set firewall family inet filter accept-icmp term no-icmp-fragments then count discard-icmp-fragments
set firewall family inet filter accept-icmp term no-icmp-fragments then log
set firewall family inet filter accept-icmp term no-icmp-fragments then discard

# Accepted ICMP types from ANY source, bounded only by the 1m policer:
# echo-request/reply for reachability checks, time-exceeded and unreachable
# (incl. fragmentation-needed, so PMTUD keeps working). Under an echo flood the
# policer discards also hit legitimate monitoring pings.
# NOTE(review): router-advertisement (ICMP type 9, IRDP) is rarely needed on a PE;
# confirm it is required, otherwise drop it from the accepted types.
set firewall family inet filter accept-icmp term accept-icmp from protocol icmp
set firewall family inet filter accept-icmp term accept-icmp from icmp-type echo-reply
set firewall family inet filter accept-icmp term accept-icmp from icmp-type echo-request
set firewall family inet filter accept-icmp term accept-icmp from icmp-type time-exceeded
set firewall family inet filter accept-icmp term accept-icmp from icmp-type unreachable
set firewall family inet filter accept-icmp term accept-icmp from icmp-type router-advertisement
set firewall family inet filter accept-icmp term accept-icmp then policer core-mgmt-1m
set firewall family inet filter accept-icmp term accept-icmp then count accept-icmp
set firewall family inet filter accept-icmp term accept-icmp then accept

# SNMP
# Inbound polling only (UDP 161 at the loopback) from the addresses in
# pfx-snmp-servers. Outbound traps need no term; responses to polls are
# locally generated.
set firewall family inet filter accept-snmp term accept-snmp from source-prefix-list pfx-snmp-servers
set firewall family inet filter accept-snmp term accept-snmp from destination-prefix-list pfx-local-loopback
set firewall family inet filter accept-snmp term accept-snmp from protocol udp
set firewall family inet filter accept-snmp term accept-snmp from destination-port snmp
set firewall family inet filter accept-snmp term accept-snmp then policer core-mgmt-1m
set firewall family inet filter accept-snmp term accept-snmp then count accept-snmp
set firewall family inet filter accept-snmp term accept-snmp then accept

# TACACS/ACS
# Replies from the AAA server are sourced from port 49 ("source-port tacacs")
# to the router's ephemeral port; the router always initiates.
# NOTE(review): TACACS+ is TCP only. The "protocol udp" match widens the term
# for no gain unless a legacy UDP TACACS server is in use - confirm and remove.
set firewall family inet filter accept-tacacs term accept-tacacs from source-prefix-list pfx-tacacs-servers
set firewall family inet filter accept-tacacs term accept-tacacs from destination-prefix-list pfx-local-loopback
set firewall family inet filter accept-tacacs term accept-tacacs from protocol udp
set firewall family inet filter accept-tacacs term accept-tacacs from protocol tcp
set firewall family inet filter accept-tacacs term accept-tacacs from source-port tacacs
set firewall family inet filter accept-tacacs term accept-tacacs then policer core-mgmt-1m
set firewall family inet filter accept-tacacs term accept-tacacs then count accept-tacacs
set firewall family inet filter accept-tacacs term accept-tacacs then accept

# NTP (Junos queries the NTPd running on BSD not the remote NTP server directly)
# The two source-prefix-list lines are ORed: configured servers plus the internal
# 128.0.0.0/24 range, or the local loopback itself. "from port ntp" matches UDP 123
# as source or destination.
set firewall family inet filter accept-ntp term accept-ntp from source-prefix-list pfx-ntp-servers
set firewall family inet filter accept-ntp term accept-ntp from source-prefix-list pfx-local-loopback
set firewall family inet filter accept-ntp term accept-ntp from destination-prefix-list pfx-local-loopback
set firewall family inet filter accept-ntp term accept-ntp from protocol udp
set firewall family inet filter accept-ntp term accept-ntp from port ntp
set firewall family inet filter accept-ntp term accept-ntp then policer core-mgmt-1m
set firewall family inet filter accept-ntp term accept-ntp then count accept-ntp
set firewall family inet filter accept-ntp term accept-ntp then accept

# SSH
# Only the jumpbox may open SSH, and only to the loopback address. SSH to an
# interface address matches nothing here and falls through to discard-all
# (discard-tcp), where it is counted and logged.
set firewall family inet filter accept-ssh term accept-ssh from source-prefix-list pfx-ssh-jumpbox
set firewall family inet filter accept-ssh term accept-ssh from destination-prefix-list pfx-local-loopback
set firewall family inet filter accept-ssh term accept-ssh from protocol tcp
set firewall family inet filter accept-ssh term accept-ssh from destination-port ssh
set firewall family inet filter accept-ssh term accept-ssh then policer core-mgmt-5m
set firewall family inet filter accept-ssh term accept-ssh then count accept-ssh
set firewall family inet filter accept-ssh term accept-ssh then accept

# Management plane filters
# Evaluated after ctrl-plane-services and before data-plane-services (see APPLY).
# Because accept-icmp comes first and accepts echo-request from any source, the
# ICMP traceroute term in data-plane-services is never reached.
set firewall family inet filter mgmt-plane-services term accept-icmp filter accept-icmp
set firewall family inet filter mgmt-plane-services term accept-snmp filter accept-snmp
set firewall family inet filter mgmt-plane-services term accept-tacacs filter accept-tacacs
set firewall family inet filter mgmt-plane-services term accept-ntp filter accept-ntp
set firewall family inet filter mgmt-plane-services term accept-ssh filter accept-ssh




#######################
# DATA PLANE POLICERS #
#######################

# Data 1m Policer - Traceroute (UDP + ICMP)
# Bounds the RE work of generating time-exceeded replies for TTL-expired probes.
set firewall policer data-plane-1m if-exceeding bandwidth-limit 1m
set firewall policer data-plane-1m if-exceeding burst-size-limit 625k
set firewall policer data-plane-1m then discard




########################
# DATA PLANE PROTOCOLS #
########################

# Traceroute
# UDP probes whose TTL expires on this router (ttl 1), addressed to any local
# IPv4 address, inside the classic traceroute destination-port range.
# NOTE(review): common traceroute implementations start at UDP 33434; a lower
# bound of 33435 would miss the very first probe when this router is the first
# hop - confirm the range is intentional.
set firewall family inet filter accept-traceroute-udp term accept-traceroute-udp from destination-prefix-list pfx-any-local-ipv4
set firewall family inet filter accept-traceroute-udp term accept-traceroute-udp from ttl 1
set firewall family inet filter accept-traceroute-udp term accept-traceroute-udp from protocol udp
set firewall family inet filter accept-traceroute-udp term accept-traceroute-udp from destination-port 33435-33655
set firewall family inet filter accept-traceroute-udp term accept-traceroute-udp then policer data-plane-1m
set firewall family inet filter accept-traceroute-udp term accept-traceroute-udp then count accept-traceroute-udp
set firewall family inet filter accept-traceroute-udp term accept-traceroute-udp then accept

# NOTE(review): this term is shadowed. accept-icmp (mgmt-plane-services, earlier
# in the lo0 input-list) already accepts echo-request from any source regardless
# of TTL, so accept-traceroute-icmp never matches and its counter stays at zero.
# Either drop the term or move data-plane-services ahead of mgmt-plane-services
# if the separate counter/policer is wanted.
set firewall family inet filter accept-traceroute-icmp term accept-traceroute-icmp from destination-prefix-list pfx-any-local-ipv4
set firewall family inet filter accept-traceroute-icmp term accept-traceroute-icmp from ttl 1
set firewall family inet filter accept-traceroute-icmp term accept-traceroute-icmp from protocol icmp
set firewall family inet filter accept-traceroute-icmp term accept-traceroute-icmp from icmp-type echo-request
set firewall family inet filter accept-traceroute-icmp term accept-traceroute-icmp then policer data-plane-1m
set firewall family inet filter accept-traceroute-icmp term accept-traceroute-icmp then count accept-traceroute-icmp
set firewall family inet filter accept-traceroute-icmp term accept-traceroute-icmp then accept

# Data plane filters
# Fourth filter in the lo0 input-list; only the UDP term is effective (see the
# shadowing note on accept-traceroute-icmp).
set firewall family inet filter data-plane-services term accept-traceroute-udp filter accept-traceroute-udp
set firewall family inet filter data-plane-services term accept-traceroute-icmp filter accept-traceroute-icmp




################
# DEFAULT DROP #
################

# Everything not accepted by an earlier filter is counted, logged and discarded.
# "then log" writes to the PFE firewall log buffer ("show firewall log"), not to
# syslog. The per-protocol terms exist only to give separate counters for
# troubleshooting; the final discard-unknown term catches the rest.

# Any packet still carrying IP options (record-route, source-route, router-alert
# ...) is dropped first. Protocol traffic that legitimately uses router-alert
# (IGMP, RSVP) must be accepted by an earlier filter to survive this term.
set firewall family inet filter discard-all term discard-ip-options from ip-options any
set firewall family inet filter discard-all term discard-ip-options then count discard-ip-options
set firewall family inet filter discard-all term discard-ip-options then log
set firewall family inet filter discard-all term discard-ip-options then discard

set firewall family inet filter discard-all term discard-tcp from protocol tcp
set firewall family inet filter discard-all term discard-tcp then count discard-tcp
set firewall family inet filter discard-all term discard-tcp then log
set firewall family inet filter discard-all term discard-tcp then discard

set firewall family inet filter discard-all term discard-udp from protocol udp
set firewall family inet filter discard-all term discard-udp then count discard-udp
set firewall family inet filter discard-all term discard-udp then log
set firewall family inet filter discard-all term discard-udp then discard

set firewall family inet filter discard-all term discard-icmp from protocol icmp
set firewall family inet filter discard-all term discard-icmp then count discard-icmp
set firewall family inet filter discard-all term discard-icmp then log
set firewall family inet filter discard-all term discard-icmp then discard

# No from clause: matches anything the terms above did not (GRE, ESP, unknown
# protocols). A non-zero counter here is worth a look.
set firewall family inet filter discard-all term discard-unknown then count discard-unknown
set firewall family inet filter discard-all term discard-unknown then log
set firewall family inet filter discard-all term discard-unknown then discard




##################
# DROP FRAGMENTS #
##################

# first-fragment matches offset 0 with More-Fragments set; is-fragment matches
# any non-zero offset (trailing fragments). Together every fragment is dropped
# before the protocol filters run, so no accept term can be reached by a
# fragment and no port match can be bypassed with a fragmented packet.
set firewall family inet filter discard-frags term discard-1st-frag from first-fragment
set firewall family inet filter discard-frags term discard-1st-frag then count discard-frags
set firewall family inet filter discard-frags term discard-1st-frag then log
set firewall family inet filter discard-frags term discard-1st-frag then discard

# Both terms share the discard-frags counter, so first and trailing fragments
# are not distinguishable in "show firewall filter" output.
set firewall family inet filter discard-frags term discard-frags from is-fragment
set firewall family inet filter discard-frags term discard-frags then count discard-frags
set firewall family inet filter discard-frags term discard-frags then log
set firewall family inet filter discard-frags term discard-frags then discard




#########
# APPLY #
#########

# Filters in an input-list are evaluated in this order. A packet that matches
# no term in one filter is handed to the next; discard-all ends the chain, so
# every RE-bound IPv4 packet is either accepted by an explicit term or counted,
# logged and dropped.
# Family inet only: if lo0.0 ever carries family inet6, RE-bound IPv6 is
# unfiltered until an equivalent inet6 filter is applied.
# Apply remotely with "commit confirmed" so a mistake in pfx-ssh-jumpbox or
# pfx-tacacs-servers cannot lock you out.
set interfaces lo0 unit 0 family inet filter input-list discard-frags
set interfaces lo0 unit 0 family inet filter input-list ctrl-plane-services
set interfaces lo0 unit 0 family inet filter input-list mgmt-plane-services
set interfaces lo0 unit 0 family inet filter input-list data-plane-services
set interfaces lo0 unit 0 family inet filter input-list discard-all