Juniper JNCIA JN0-103 – Routing Policy and Firewall Filters Part 5
- Configuring Firewall Filters
Welcome back. In this lecture we’ll talk about configuring firewall filters, applying all those concepts that we discussed in the previous lecture on a Junos device. Let’s begin. Before we get onto a Junos device, some quick information on how to apply firewall filters. So, firewall filters can be applied to all interfaces.
This will allow you to filter traffic that is entering or exiting the interfaces. They can also be applied to the loopback interface, which is lo0. This will help you to filter traffic which is destined for the system itself. We can use the input keyword to filter inbound traffic and the output keyword to filter outbound traffic. An IPv6 filter cannot be applied to an IPv4 interface. The protocol family of the firewall filter and the interface must match. I have an example on the screen which shows an interface configuration.
So, interfaces fe one, unit zero, family inet, which is IPv4. And then you have a filter applied. The input keyword is used to filter inbound traffic. The output keyword is used to filter outbound traffic. This is how you do it, and we’ll take a look at this on the Junos device as well. Okay, so now we’re going to understand how to configure firewall filters. And I have a couple of exercises that we’re going to perform. Number one, we are going to configure a firewall filter to deny all telnet traffic.
Number two, we’re going to configure a firewall filter to deny ICMP from external sources. Let’s dive into the device and take a look at it. All right, so I’m at a Junos device. I’m first going to enter configuration mode. Next, I’m going to see what filters I have right now under the edit firewall hierarchy.
As you can see, right now I do not have anything configured, which means right now I should be able to telnet into my device. Let’s verify that first. Before we configure a firewall filter to deny telnet traffic, I’m going to open up a new tab and I’m going to try and telnet to my device IP address.
I’m going to say o for open, and the IP address is 192.168.1.1. And straight away you can see that I am connected to my device, which means if I know the credentials, I can log in. Now, the goal is to deny telnet traffic completely. Nobody should be allowed to telnet into the device. Let’s see how we can do this. Back over here, I’m first going to start configuring a firewall filter.
So I’m going to say edit firewall filter. Let’s do a question mark. And first of all, we have to provide a name. I’m going to call this one system services. Hit Enter. So now we are in the edit firewall filter system services hierarchy. We first need to configure a term.
So I’m going to say edit term and let’s give it a name. Let’s call it block telnet. All right, now we need to specify the match conditions. So I’m going to say set from, and let’s start with a question mark. You can see there’s a bunch of things against which we can try and match. We can be completely flexible with this one. So I’m going to say set from protocol.
Let’s do a question mark. The protocol in this case will be TCP, because telnet is on TCP port 23. So I’m going to say set from protocol tcp. But we are looking for telnet traffic, which works on port number 23. So I’m going to say set from again, and this time I’m going to match on the port number. Let’s do a question mark. There’s a couple of ways in which we can do this. Number one, I can use this keyword over here called port, which will match the TCP or UDP source or destination port. Or I could also use just the destination port, because telnet traffic is always destined for port 23, so we can use either one of them. I’m going to say set from port, question mark. And here we should have the option called telnet. If I hit the spacebar, you can see that we have telnet over here.
So I’m going to say set from port telnet. Let’s do a show first. All right, so the match condition looks good. What has to be the action? So we have to define the then part. So I’m going to say set then reject. And as we understood in the last lecture, with reject we can also specify a message type. So if I did a question mark over here, you can see that we have the option to select the message. Right now I’m not going to select that, I’m just going to hit Enter. I’m also going to add one more action, which is log. So I’m going to say set then log. Let’s do a show. So we are trying to match traffic of protocol TCP on the telnet port. If that is the case, we are going to log the request and we are going to reject the packet. I can save right now, but if I save right now, I’m going to end up in big trouble, like we understood in the last lecture.
At the end of every filter is a default term which rejects or discards all packets that were not allowed. Which means if I save it right now, the implicit term will drop all the remaining packets as well, because nothing has been allowed. So what I need to do is create one more term which allows the remaining traffic, right? So I’m going to do up, and I’m going to create one more term, edit term, and I’m going to call it allow all. And I’m just going to say set then accept, Enter. Let’s do up and let’s do a show. Okay, so now we have two terms. The first one matches telnet traffic and drops that. The second one matches all other traffic and accepts that. All right, let’s do commit. All right, commit complete. Let’s try to verify this. So I’m going to go back over here. Let’s close this and let me do a Control-C to exit out. And let’s try the same command again, telnet.
And let’s do o for open, 192.168.1.1. Hit Enter. And you notice that right now telnet traffic is still being allowed. I did this on purpose, so you realize where the mistake is. We have created a firewall filter, but we have not applied the firewall filter. If we don’t apply the filter on an interface, it’s of no use, right? So we need to apply that. Let’s go back over here. I’m going to apply that on the loopback interface. So let’s do top, and I’m going to say edit interfaces lo0, which is loopback, hit Enter. Let’s do a show first. All right, so let’s do this: edit unit 0 family inet, hit Enter.
I’ll do a show first. Nothing over here. Let’s do this: set, space, question mark. This is the option that we are looking for, filter. So set filter, question mark. We are looking for inbound telnet traffic, so we’re going to use this option over here: input, space, question mark. And this is the one that we’re going to apply, system services. Hit Enter. Let’s now do a commit. All right, that’s done. Let’s go back to this tab over here. Let me do a Control-C, or maybe I can hit Enter.
Looks like it’s frozen, and I believe the reason is that telnet is already being denied. So what I’m going to do is close this tab over here and open up another tab. And let’s try from here: telnet, o for open, 192.168.1.1. Let’s try it now. Straight away you’ll notice it says connection refused, unable to connect to the remote host. So now our filter is actually working. There’s a way to check this from the device also.
Let’s go back over here. Let’s exit out first. Exit one more time, one more time. And let’s do this: show firewall log. And you’ll see over here the traffic that was blocked just now. You can see the action was reject on the inside interface, which is Fe 10. This is my IP address, 192.168.1.2, destined for the Junos device. Isn’t this cool? We can actually control the traffic that is destined for the Junos interface. I find this really exciting. Let’s do one more example. Let’s try to block all ICMP traffic coming from outside, or external sources. Let’s do a Control-C. First of all, I’m going to check my interface IP address. So let’s do show interfaces terse, hit Enter. And you can see over here, this is my public IP address. I’m going to copy that and I’m going to try and ping this IP address from the internet.
One way to do that is using this website called ping.eu. The interface is super simple, very easy to use. I’m going to use this one over here called Ping, and I’m going to put in my IP address, and let’s do go. You can see that responses are coming back, which means ping is working. So we need to make sure that nobody from outside is allowed to ping. But if the ping is coming from inside, or internal addresses, it should still work. Let’s see how we can do this. Back over here, Control-C. Let’s enter configuration mode with edit, and let’s go to the firewall filter: edit firewall filter system services. Let’s do a show first. Okay, let’s create one more term, edit term, and let’s give it a nice name. Let’s call it block ICMP. Hit Enter. Now we need to filter the traffic.
One way to identify traffic that is coming from outside is the interface. Anything that hits the outside interface is traffic that is coming from outside. So we are looking for ICMP traffic on the outside interface. So, two things to match: the ICMP protocol and the outside interface. So let’s do that: set from, let’s do a question mark, and I’m looking at this one over here, which is called protocol. Protocol, let’s do a question mark. So we are looking for this one over here, ICMP: set from protocol icmp. And we also need to match the outside interface. So set from, and let’s start with a question mark. We are looking for this one over here: match interface name.
So set from interface, and my outside interface is pp0. Hit Enter. How did I get that interface? Well, we can do run show interfaces terse. I’m going to look for 175.100.138.236, which is my IP address. There you go, you can see that the interface is pp0.0. So let me do a show again. All right: protocol icmp, interface pp0. The action should be to reject this traffic. So set then log, and let’s also do set then reject, Enter. We’ll do a show to verify everything. All right, looks good: from protocol icmp, interface pp0, then reject, then log. Let’s do a commit. All right, commit complete. Let’s now verify this. So I’m going to go back to my browser. Back over here, let’s try to ping. Let’s hit the go button over here, and right now it is still working. The filter has been created. The filter has been applied on the loopback interface. Why is it still working? Let’s try to troubleshoot this.
Let’s go back to the terminal. Back over here, I’m going to go one level up and let’s do a show. So we have the first term called block telnet. We have the second term called allow all. And we have the third term called block ICMP. Why do you think ICMP is still being permitted? Remember from the last lecture we said that the order of the terms is also very important. What happens when you ping is that it tries to match this term over here. It does not match that traffic, and then it tries to match here. Over here, it matches anything that has not matched over here. Because we don’t have a from condition, everything is considered a match, that traffic is accepted, and nothing actually hits this term over here. That means we need to move this term above this one over here.
So we need to use the insert command. Let’s try that: insert, question mark, term, question mark. We are trying to insert block ICMP. Let’s do a question mark again. We are looking for this one, before, question mark. Term is the keyword, question mark. And we want to insert that before this one over here, which is called allow all. So before term allow all, let’s hit Enter and let’s verify with a show command. Now everything looks okay. We have block telnet, we have block ICMP, and if these two do not match, it matches this one over here, which allows everything. When you’re working with firewall filters, I’m going to highly recommend that you do not straight away commit your configuration, especially if you’re on a remote session. Maybe you’re configuring your device from the office or from home, and you’re not sitting in front of the device. It’s always a good idea to do commit confirmed. Firewall filters can lock you out of the device if they have not been properly configured. So make sure that you always use commit confirmed.
We’ve discussed commit confirmed in the lecture called the Junos commit model. Let’s do top over here. And first I’m going to do commit confirmed. Hit Enter. All right, the commit has been completed, and now I have 10 minutes to verify that everything is working okay. If everything looks good, I can follow it up with a commit statement. First of all, let’s verify it. Back over here, I’m going to hit go to verify if it is working, and straight away you’ll notice it says packet filtered, which means my filter is now working. But our testing has not yet completed. The requirement was that I want to block ICMP from external sources, not internal sources. So if I try to ping from my laptop, which is internally connected to the device, I should still be able to ping. Back over here, I’m going to go to this tab over here and let’s do quit to exit telnet.
And let’s try to ping: ping 192.168.1.1. Let’s try it. Perfect, it is now working. So I can ping from inside and nobody is allowed to ping from outside. Everything is working well. I’m going to go back to the device, and finally I’m going to issue a commit statement to make my changes permanent. Right, let’s go back to the slides. All right everybody, so that’s all the topics for this lecture. I hope you found this an interesting one. If you have any questions, please let me know in the discussions area. In the next lecture, we’ll look at a topic called policers. I’d like to thank you for watching and I’ll catch you in the next lecture. Thank you.
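The whole filter from this lecture, written out as set commands in its final working order, as an added example rather than a copy of the course’s slides or device. It assumes Junos-style names without spaces (system-services, block-telnet, block-icmp, allow-all), pp0.0 as the external interface as on the lecture device, and lo0 as the place the filter is applied; substitute your own interface name.

```junos
## Added example, not the course's configuration. Names are assumed
## (Junos does not allow spaces in names); pp0.0 is the external
## interface seen in the lecture, substitute your own.
edit firewall filter system-services

## Term 1: Telnet (TCP/23) aimed at the device is logged and rejected
set term block-telnet from protocol tcp
set term block-telnet from port telnet
set term block-telnet then log
set term block-telnet then reject

## Term 2: ICMP is rejected only when it arrives on the outside
## interface; ICMP from the LAN never matches and falls through
set term block-icmp from protocol icmp
set term block-icmp from interface pp0.0
set term block-icmp then log
set term block-icmp then reject

## Term 3: explicit accept, otherwise the implicit discard at the end
## of the filter drops everything the first two terms did not match
set term allow-all then accept

## Terms are evaluated top to bottom. If block-icmp was added after
## allow-all (as in the lecture), allow-all has no from clause and
## catches the ping first, so move block-icmp above it.
insert term block-icmp before term allow-all

## Apply inbound on lo0 so it governs traffic destined for the device
top
set interfaces lo0 unit 0 family inet filter input system-services

## Remote session: rolls back automatically after 10 minutes unless
## followed by a plain commit
commit confirmed
## ... test: telnet to the box is refused, external ping is filtered,
## ping from the LAN still works, then make it permanent
commit

## Both blocking terms have 'then log', so rejected packets show here
run show firewall log
```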
- Traffic Policing
Hello and welcome back. In this lecture we’ll talk about traffic policing. Let’s begin. All right, so what do we mean by traffic policing? Traffic policing, also known as rate limiting, is an essential component of network access security that is designed to thwart denial of service attacks. Traffic policing enables you to control the maximum rate of IP traffic sent or received on an interface. Traffic policers can be applied inbound or outbound. Policing inbound traffic helps to conserve resources by dropping traffic that does not need to be routed through a network, while policing outbound traffic controls the bandwidth used. So traffic policing is essentially a method to control the rate of packets going in or out of the device.
Traffic policing employs an algorithm known as the token bucket algorithm, which enforces a limit on the average bandwidth while allowing bursts up to a maximum specified value. So essentially, traffic policing allows you to configure an average bandwidth value, and at the same time we can also configure bursts which are allowed beyond the average bandwidth value. So we can configure two rate limits for the traffic. Number one is bandwidth, and number two is maximum burst size. Bandwidth means the number of bits per second permitted on average, while maximum burst size means the total number of bytes the system allows in bursts of data that exceed the given bandwidth limit. This is very important to understand. The bandwidth value is configured in bits per second, while the maximum burst size is configured in bytes. Let’s take a look at an example.
The preferred method for determining the maximum burst size is to multiply the speed of the interface by the amount of burst time that you want to allow at that bandwidth level. I know that sounds confusing. Let’s see an example. For example, to allow bursts of up to three milliseconds on a Fast Ethernet interface, this is how we need to compute that. We now know that Fast Ethernet gives you a speed of 100 megabits per second, which is equal to 100 times 1000 Kbps, which is equal to 100 times 1000 times 1000 bits per second. The burst size equals speed multiplied by the allowed burst time. The speed in this case is 100 times 1000 times 1000 bits per second.
Multiply that by three milliseconds, which is three divided by 1000 seconds. We now know the burst size is not specified in bits but in bytes, and we know eight bits make up a byte. So 300,000 bits, when you divide that by eight, gives a burst size of 37,500 bytes. So in this case, the bandwidth, which is specified in bits, is 100 times 1000 times 1000 bits per second, and the burst size is 37,500 bytes. I have an example configuration on the screen. Policers are configured under the edit firewall hierarchy. So under the firewall hierarchy I have a policer called drop excess. The configuration says if exceeding the bandwidth limit of ten megs. The example that we looked at was 100 megs; the configuration over here is for ten megs. So the average bandwidth in this case is ten megs and the burst size limit is 37,500 bytes. If that matches, we then apply a forwarding class. A forwarding class determines how Junos handles the excess traffic. We have four different forwarding classes.
We don’t have to worry about each one of them right now. But the forwarding class applied in this case is best effort, which means Junos will try its best to forward traffic that exceeds the policer. Once the policer has been configured, it can then be applied in a firewall filter term, or it can also be applied on an interface. On the screen right now, I have an example of how it can be applied in a firewall filter term. So we have a term called policer which tries to match all traffic of type TCP. If it matches, we apply the policer called drop excess, and then we accept that traffic. Let’s talk about applying policers.
Policers can be configured within firewall filters, or they can also be directly applied to the logical unit of a particular interface. Interface-based policers operate without the need for calling firewall filters. When a packet matches a term that has a policer in the then clause, the system first determines if the packet exceeds the policer. If the packet does not exceed the policer, the system performs the actions in the firewall filter’s then clause as if you left the policer out of the configuration. This is very critical, guys. The policer comes into action only if the packet is exceeding the allowed bandwidth. Otherwise it behaves as if there was no policer at all. If the packet does exceed the policer, the system takes the actions in the policer’s then clause.
If the policer’s then clause does not result in the software discarding the packet, the system takes the remainder of the actions in the firewall filter’s then clause. This means if the packet is exceeding the allowed bandwidth, we apply the policer. When we apply the policer, we first look at the then clause of the policer. If the then clause of the policer does not discard the traffic, then we take the remainder of the actions which were defined in the firewall filter’s then clause. Let me take you onto the device and show you how we can configure one. All right, I’m back at the terminal. I’m first going to enter configuration mode with the edit command, and let’s try to configure a policer. So I’m going to say edit firewall policer. We need to start by giving it a name.
Let’s do a question mark first. So we’ll give it a name. Let’s call it drop excess. Hit Enter. I’m going to do set, space, question mark, and we are looking at this option over here, if-exceeding. So let’s do that: set if-exceeding, let’s do a question mark, and we already know a couple of options from here, bandwidth-limit and burst-size-limit. Notice that the bandwidth limit can also be specified as a percentage. Right now we’re going to use the first option called bandwidth-limit. Let’s do a question mark. We need to specify the bandwidth in bits per second, but right now I’m going to do ten megs, and that will automatically be converted into bits per second. Hit Enter. And I’m also going to do set if-exceeding, question mark, this option over here called burst-size-limit. Notice that it has to be put in bytes. So I’m going to say 37500. Hit Enter, let’s do a show first.
Okay, so the if-exceeding part has been configured. Let’s now configure the then clause: set then, question mark. Notice that we can also discard the packet, but right now I’m going to apply a forwarding class. Set then forwarding-class, question mark. You’ll notice there are four options over here. Like I said earlier, at the JNCIA level we do not need to worry about the functionalities or the differences between the different forwarding classes. The forwarding class determines how Junos handles the packet that exceeds the policer, right? So set then forwarding-class, and right now I’m going to say best-effort, which means Junos will take the best effort possible to deliver that packet. Hit Enter, let’s do a show.
All right, so we have a policer called drop excess, and we have said that if the packet is exceeding the bandwidth limit of ten megs, with a burst size of 37,500 bytes, we apply a forwarding class, which is best effort. I’m going to go one level up and let me show you how we can apply these policers. These policers can be applied in firewall filters or directly at the interface. So if I did something like this: set filter, space, question mark. Notice that I’m right now already in edit firewall, which is why I just said set filter. So set filter, space, question mark. The existing filter name is system services, question mark. Let’s get into one of those terms: term, space, question mark. And let’s go with the first one, allow all, question mark. The policer needs to be applied in the then clause. So then, space, question mark. You’ll notice that we can now apply a policer, so we can do policer, space, question mark. And you’ll notice that we can call the policer over here.
Next, I’m going to erase the command with Control-U. Let’s go to the top of the configuration, and I’m going to do set interfaces and get into fe zero, family inet. Let’s do a question mark first. And you’ll notice that we can apply a policer over here. Let’s do that: policer, space, question mark. We can apply the policer on inbound traffic and outbound traffic, right? So for example, I’m going to say input, space, question mark. And you’ll notice that we can apply the policer over here as well. So that means policers can be applied under firewall filters, or they can be applied directly on the interfaces as well. All right, so that’s it for this lecture. In the next lecture, we are going to talk about anti-spoofing filters. I’d like to thank you for watching, and I’ll catch you in the next lecture. Thank you.
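The drop-excess policer from this lecture and both ways of applying it, as an added example that is not the course’s own configuration. It assumes the system-services filter and its allow-all term from the previous lecture already exist, a hyphenated policer name (drop-excess), and fe-0/0/0 as a placeholder LAN interface.

```junos
## Added example, not the course's configuration. Assumes the
## system-services filter (with term allow-all) already exists and
## that the LAN interface is fe-0/0/0 (placeholder, use your own).
edit firewall policer drop-excess
## Average rate in bits per second; 10m expands to 10,000,000
set if-exceeding bandwidth-limit 10m
## Burst in bytes, from the slide: 100 Mbps * 3 ms / 8 = 37,500
set if-exceeding burst-size-limit 37500
## Excess packets are not dropped here, only reclassified;
## 'set then discard' would drop them instead
set then forwarding-class best-effort
top

## Way 1: inside a filter term. Conforming packets follow the term's
## then clause as if the policer were absent; exceeding packets run
## the policer's then clause first and, because it does not discard,
## then the term's remaining action (accept).
edit firewall filter system-services
set term police-tcp from protocol tcp
set term police-tcp then policer drop-excess
set term police-tcp then accept
## Keep it above the catch-all term or it is never reached
insert term police-tcp before term allow-all
top

## Way 2: directly on the logical interface, no filter needed
set interfaces fe-0/0/0 unit 0 family inet policer input drop-excess

commit confirmed

## Policer counters: per filter, and for interface-level policers
run show firewall filter system-services
run show policer
```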