
Control Plane Protection

All the functions of the control plane run on the Routing Engine (RE), whether the Junos device is a router, a switch, or a security platform.

The high-level design of the control plane consists of a set of modules, with clean interfaces between them, and an underlying kernel that controls the modules and manages all the needed communication back and forth among all the components.

The kernel also handles the RE's communication with the Packet Forwarding Engine (PFE) and with the services. Each module provides a different control process, such as control for the chassis components, Ethernet switching, routing protocols, interfaces, management, and so on.

Packet Forwarding Plane of the Junos OS

The Packet Forwarding Engine (PFE) is the central processing element of the forwarding plane, systematically moving the packets in and out of the device. In the Junos OS, the PFE has a locally stored forwarding table.

The forwarding table is a synchronized copy of all the information from the RE that the forwarding plane needs to handle each packet, including outgoing interfaces, addresses, and so on. Storing a local copy of this information allows the PFE to get its job done without going to the control plane every time that it needs to process a packet.

Another benefit to having a local copy is that the PFE can continue forwarding packets, even when a disruption occurs to the control plane, such as when a routing or other process issue happens.

Control Plane Protection (CoPP) protects the processor that runs the control plane and management services of a network device (on Junos, the RE) against excessive floods of host-bound traffic. A flood of traffic aimed at the router's or firewall's processor, whether legitimate or malicious, is always undesirable and can be dangerous, because the RE has far less packet-handling capacity than the PFE. On Junos it is implemented with a stateless firewall filter applied to the loopback interface, lo0 unit 0: a filter on lo0 sees only traffic destined to the RE itself, never transit traffic, so it can classify and police host-bound packets without affecting forwarding.

/* Apply the filter to lo0 unit 0 (the keyword is "interfaces", plural). */

set interfaces lo0 unit 0 family inet filter input Local

/* Drop incoming FTP connections. */

set firewall filter Local term FTP from protocol tcp destination-port ftp
set firewall filter Local term FTP then discard

/* Allow ICMP, policed down to 128 kbps. A term whose then clause names only a policer accepts the conforming packets; the out-of-profile ones go to the policer action. */

set firewall filter Local term ICMP from protocol icmp
set firewall filter Local term ICMP then policer Pol128

/* Allow incoming Telnet only from 1.1.1.0/24, policed down to 256 kbps. Telnet is cleartext; it is kept here to show source-address scoping, prefer SSH in production. */

set firewall filter Local term TELNET from protocol tcp destination-port telnet
set firewall filter Local term TELNET from source-address 1.1.1.0/24
set firewall filter Local term TELNET then policer Pol256

/* Deny and drop any other incoming Telnet connection. */

set firewall filter Local term OTHER-TELNET from protocol tcp destination-port telnet
set firewall filter Local term OTHER-TELNET then discard

/* A Junos filter ends with an implicit discard. Without a final accept term every other host-bound packet (BGP, OSPF, SSH, DNS and TACACS+ replies, ...) would be dropped the moment the filter is committed. */

set firewall filter Local term ALLOW-REST then accept

/* Policers. bandwidth-limit is in bits per second and burst-size-limit in bytes; filter-specific means one policer instance is shared by every term in the filter that references it (the default is one instance per term). */

set firewall policer Pol128 filter-specific
set firewall policer Pol128 if-exceeding bandwidth-limit 128000 burst-size-limit 1500
set firewall policer Pol128 then discard

set firewall policer Pol256 filter-specific
set firewall policer Pol256 if-exceeding bandwidth-limit 256000 burst-size-limit 2560
set firewall policer Pol256 then discard

Create one filter with terms for critical, important, normal, and undesirable traffic. Terms are evaluated in order and the first match wins, so the most specific and most important classes come first. Within a single term, different match conditions are ANDed and the values of one condition are ORed, which is why protocols without ports, BGP, and each ICMP type/code pair get their own terms below.

/* Routing protocols without ports. Port match conditions only apply to tcp/udp, so OSPF and PIM cannot share a term with a port match. */

set firewall filter CoPP_Policy term CRITICAL-ROUTING from protocol ospf
set firewall filter CoPP_Policy term CRITICAL-ROUTING from protocol pim
set firewall filter CoPP_Policy term CRITICAL-ROUTING then policer CRITICAL_POLICER

/* "port" matches either the source or the destination port, so both BGP session directions are covered without ANDing source-port and destination-port. */

set firewall filter CoPP_Policy term CRITICAL-BGP from protocol tcp port bgp
set firewall filter CoPP_Policy term CRITICAL-BGP then policer CRITICAL_POLICER

/* Management traffic. SSH arrives with destination port 22; TACACS+ replies come from the server with source port 49; SNMP and NTP are UDP, not TCP. */

set firewall filter CoPP_Policy term IMPORTANT-SSH from protocol tcp destination-port ssh
set firewall filter CoPP_Policy term IMPORTANT-SSH then policer IMPORTANT_POLICER

set firewall filter CoPP_Policy term IMPORTANT-TACACS from protocol tcp source-port tacacs
set firewall filter CoPP_Policy term IMPORTANT-TACACS then policer IMPORTANT_POLICER

set firewall filter CoPP_Policy term IMPORTANT-UDP from protocol udp port [ snmp ntp ]
set firewall filter CoPP_Policy term IMPORTANT-UDP then policer IMPORTANT_POLICER

/* ICMP. icmp-code is only meaningful together with the icmp-type it belongs to, so each type/code pair is its own term. */

set firewall filter CoPP_Policy term NORMAL-ECHO from protocol icmp icmp-type [ echo-request echo-reply ]
set firewall filter CoPP_Policy term NORMAL-ECHO then policer NORMAL_POLICER

set firewall filter CoPP_Policy term NORMAL-TTL from protocol icmp icmp-type time-exceeded icmp-code ttl-eq-zero-during-transit
set firewall filter CoPP_Policy term NORMAL-TTL then policer NORMAL_POLICER

set firewall filter CoPP_Policy term NORMAL-UNREACH from protocol icmp icmp-type unreachable icmp-code port-unreachable
set firewall filter CoPP_Policy term NORMAL-UNREACH then policer NORMAL_POLICER

/* Any UDP not matched above is the least trusted class. */

set firewall filter CoPP_Policy term UNDESIRABLE from protocol udp
set firewall filter CoPP_Policy term UNDESIRABLE then policer UNDESIRABLE_POLICER

/* Catch-all: a term with no from clause matches every remaining packet, so the filter's implicit discard is never reached. */

set firewall filter CoPP_Policy term ALL-OTHER then policer ALL-OTHER_POLICER
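A few patterns silently break lo0 filters like the Local and CoPP_Policy filters above: port matches combined with protocols that have no ports, source-port and destination-port ANDed in one term, UDP services matched under protocol tcp, an icmp-code whose icmp-type the term does not match, and a filter whose last term is not a catch-all, so the implicit discard eats everything else. The Python script below is an added example, not part of this page or of Juniper software: it parses set-style filter statements and reports those patterns. It understands only the match conditions used in simple host-bound filters, and the embedded configuration is constructed to contain each mistake, not captured from a device.

```python
"""Lint Junos set-style firewall filter terms for mistakes that silently break
a control-plane (lo0) filter.  Added example, not Juniper code: it understands
only the match conditions used in simple host-bound filters."""

TCP_UDP = {"tcp", "udp"}
PORT_KEYS = ("port", "source-port", "destination-port")
# services that are UDP in practice; matching them under 'protocol tcp' never hits
UDP_ONLY_PORTS = {"snmp", "snmptrap", "ntp", "tftp", "syslog", "radius", "radacct"}
# icmp-type each icmp-code keyword belongs to (subset of the Junos keywords)
ICMP_CODE_TYPE = {
    "port-unreachable": "unreachable",
    "host-unreachable": "unreachable",
    "network-unreachable": "unreachable",
    "ttl-eq-zero-during-transit": "time-exceeded",
    "ttl-eq-zero-during-reassembly": "time-exceeded",
}


def parse_filters(config_text):
    """Return {filter: {term: {"from": {key: set(values)}, "then": [actions]}}}
    in configuration order, built from 'set firewall filter ...' lines."""
    filters = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:3] != ["set", "firewall", "filter"] or "term" not in tokens:
            continue  # policers, comments, blank lines, apply statements
        i = tokens.index("term")
        fname, tname, rest = tokens[3], tokens[i + 1], tokens[i + 2:]
        term = filters.setdefault(fname, {}).setdefault(tname, {"from": {}, "then": []})
        if rest[:1] == ["then"]:
            term["then"].extend(rest[1:])
        elif rest[:1] == ["from"]:
            _parse_from(rest[1:], term["from"])
    return filters


def _parse_from(tokens, matches):
    """Fold 'protocol tcp destination-port [ ssh bgp ]' into matches[key] sets."""
    i = 0
    while i < len(tokens):
        key, i = tokens[i], i + 1
        if i < len(tokens) and tokens[i] == "[":
            end = tokens.index("]", i)
            values, i = tokens[i + 1:end], end + 1
        else:
            values, i = tokens[i:i + 1], i + 1
        matches.setdefault(key, set()).update(values)


def lint(filters):
    """Return (filter, term, message) findings for patterns that break lo0 filters."""
    findings = []
    for fname, terms in filters.items():
        for tname, term in terms.items():
            m = term["from"]
            protos = m.get("protocol", set())
            ports = set().union(*(m.get(k, set()) for k in PORT_KEYS))
            if ports and (not protos or not protos <= TCP_UDP):
                findings.append((fname, tname, "port match needs 'protocol tcp' and/or "
                                 "'udp'; other protocols in this term can never match"))
            if "source-port" in m and "destination-port" in m:
                findings.append((fname, tname, "source-port and destination-port are "
                                 "ANDed; use 'port' or split the term"))
            if protos == {"tcp"} and ports & UDP_ONLY_PORTS:
                findings.append((fname, tname, "UDP services %s matched under protocol tcp"
                                 % sorted(ports & UDP_ONLY_PORTS)))
            for code in sorted(m.get("icmp-code", ())):
                needed = ICMP_CODE_TYPE.get(code)
                if needed and needed not in m.get("icmp-type", set()):
                    findings.append((fname, tname, "icmp-code %s belongs to icmp-type %s, "
                                     "which this term does not match" % (code, needed)))
        last_name, last = list(terms.items())[-1]
        catch_all = (not last["from"] or last["from"] == {"address": {"0.0.0.0/0"}})
        if not catch_all:
            findings.append((fname, last_name, "no catch-all final term: the filter's "
                             "implicit discard drops every other host-bound packet"))
    return findings


# Constructed sample containing each mistake (not a captured configuration).
SAMPLE = """\
set firewall filter Local term FTP from protocol tcp destination-port ftp
set firewall filter Local term FTP then discard
set firewall filter Local term ICMP from protocol icmp
set firewall filter Local term ICMP then policer Pol128
set firewall filter CoPP_Policy term CRITICAL from protocol ospf
set firewall filter CoPP_Policy term CRITICAL from protocol pim
set firewall filter CoPP_Policy term CRITICAL from protocol tcp destination-port bgp
set firewall filter CoPP_Policy term CRITICAL from protocol tcp source-port bgp
set firewall filter CoPP_Policy term CRITICAL then policer CRITICAL_POLICER
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ssh
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port snmp
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ntp
set firewall filter CoPP_Policy term IMPORTANT then policer IMPORTANT_POLICER
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-code port-unreachable
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-type echo-request
set firewall filter CoPP_Policy term NORMAL then policer NORMAL_POLICER
set firewall filter CoPP_Policy term ALL-OTHER from address 0.0.0.0/0
set firewall filter CoPP_Policy term ALL-OTHER then policer ALL-OTHER_POLICER
"""

if __name__ == "__main__":
    for fname, tname, msg in lint(parse_filters(SAMPLE)):
        print("%s/%s: %s" % (fname, tname, msg))
```

Run it against the output of "show configuration firewall | display set" pasted into SAMPLE. A clean result is not proof of a correct filter, only the absence of these five patterns; the policer sizes and the term order still have to be reviewed by hand.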

Create a policer for each traffic class to limit the bandwidth it can consume on the RE. The values below are starting points; size them from the control-plane rates you actually measure on your own platform.

set firewall policer CRITICAL_POLICER filter-specific
set firewall policer CRITICAL_POLICER if-exceeding bandwidth-limit 3000000 burst-size-limit 4000
set firewall policer CRITICAL_POLICER then discard

set firewall policer IMPORTANT_POLICER filter-specific
set firewall policer IMPORTANT_POLICER if-exceeding bandwidth-limit 400000 burst-size-limit 1500
set firewall policer IMPORTANT_POLICER then discard

set firewall policer NORMAL_POLICER filter-specific
set firewall policer NORMAL_POLICER if-exceeding bandwidth-limit 55000 burst-size-limit 150000
set firewall policer NORMAL_POLICER then discard

set firewall policer UNDESIRABLE_POLICER filter-specific
set firewall policer UNDESIRABLE_POLICER if-exceeding bandwidth-limit 32000 burst-size-limit 1500
set firewall policer UNDESIRABLE_POLICER then discard

set firewall policer ALL-OTHER_POLICER filter-specific
set firewall policer ALL-OTHER_POLICER if-exceeding bandwidth-limit 40000 burst-size-limit 1500
set firewall policer ALL-OTHER_POLICER then discard
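These policers are single-rate two-color token buckets: bandwidth-limit is the refill rate in bits per second and burst-size-limit is the bucket depth in bytes, and a packet conforms only if the bucket currently holds at least its size. The model below is an added example, not the page's or Juniper's code; its packet streams are constructed, and it ignores the platform's accounting granularity. It shows what "policed down to 128 kbps" means for a ping flood against Pol128, that a compliant stream is untouched, and the failure mode where burst-size-limit is smaller than a packet, which makes that packet never conform.

```python
"""Model of a Junos single-rate two-color policer: a token bucket refilled at
bandwidth-limit bits per second that holds at most burst-size-limit bytes.
Added example, not Juniper code; packet streams are constructed and the model
ignores platform accounting granularity."""


class Policer:
    def __init__(self, bandwidth_limit, burst_size_limit):
        self.bandwidth_limit = bandwidth_limit    # bits per second
        self.burst_size_limit = burst_size_limit  # bytes
        self.tokens = float(burst_size_limit)     # bucket starts full
        self.last_t = 0.0

    def offer(self, t, size):
        """Offer a packet of `size` bytes at time t (seconds, non-decreasing).
        Returns True if it conforms; False means out of profile ('then discard')."""
        refill = (t - self.last_t) * self.bandwidth_limit / 8.0
        self.tokens = min(float(self.burst_size_limit), self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def run(policer, packets):
    """Police a list of (t, size) packets; returns (accepted, discarded, accepted_bytes)."""
    accepted = discarded = accepted_bytes = 0
    for t, size in packets:
        if policer.offer(t, size):
            accepted += 1
            accepted_bytes += size
        else:
            discarded += 1
    return accepted, discarded, accepted_bytes


def constant_rate(pps, size, seconds):
    """Constructed stream: `pps` packets of `size` bytes per second for `seconds`."""
    return [(i / pps, size) for i in range(int(pps * seconds))]


def accepted_bps(bandwidth_limit, burst_size_limit, packets, seconds):
    """Bits per second that survive the policer, averaged over `seconds`."""
    _, _, acc_bytes = run(Policer(bandwidth_limit, burst_size_limit), packets)
    return acc_bytes * 8 / seconds


if __name__ == "__main__":
    # Pol128 from the page (128 kbps, 1500-byte burst) against a 512 kbps ping flood
    flood = constant_rate(1000, 64, 10)
    print("flood survives at about %.0f bps" % accepted_bps(128000, 1500, flood, 10))
    # a well-behaved 51 kbps ICMP stream is not touched
    print("quiet stream (accepted, discarded, bytes):",
          run(Policer(128000, 1500), constant_rate(100, 64, 10)))
    # hypothetical policer whose burst (1000 B) is smaller than the packets (1500 B)
    print("undersized burst:", run(Policer(400000, 1000), constant_rate(10, 1500, 1)))
```

The last case is the practical check to make on every policer above: burst-size-limit must be at least the largest packet the term can carry (a full-MTU BGP update, for instance), because anything larger than the bucket is out of profile on every offer and is discarded even when the link is otherwise idle.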

Apply the CoPP policy to the loopback interface. Only one input filter per family is active on lo0 unit 0, so this replaces the Local filter shown earlier; to chain several filters use family inet filter input-list instead. IPv6 control traffic is not covered by a family inet filter and needs its own filter under family inet6. A mistake here can lock you out of the device, so activate it with commit confirmed, which rolls the change back automatically unless it is confirmed, and verify the result with show firewall filter CoPP_Policy, which lists per-policer discard counters for each class.

set interfaces lo0 unit 0 family inet filter input CoPP_Policy
