-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathjuniper-ex.config
87 lines (76 loc) · 6.93 KB
/
juniper-ex.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# BGP Session Culling Example - Juniper Junos on EX Switches
# Culling type: Involuntary BGP Session Teardown
# This works on ex4550 on 15.1 code - when tcam isnt full
#
# Our default ingress filtering at the vlan level:
set firewall family ethernet-switching filter INGRESS_DEFAULTS term DISCARD_BOGONS_IPV4 from source-prefix-list BOGONS_IPV4
set firewall family ethernet-switching filter INGRESS_DEFAULTS term DISCARD_BOGONS_IPV4 then discard
set firewall family ethernet-switching filter INGRESS_DEFAULTS term DISCARD_BOGONS_IPV4 then count DISCARD_BOGONS_IPV4
set firewall family ethernet-switching filter INGRESS_DEFAULTS term LIMIT_ARP from ether-type arp
set firewall family ethernet-switching filter INGRESS_DEFAULTS term LIMIT_ARP then accept
set firewall family ethernet-switching filter INGRESS_DEFAULTS term LIMIT_ARP then forwarding-class NC_QUEUE_7
set firewall family ethernet-switching filter INGRESS_DEFAULTS term LIMIT_ARP then loss-priority low
set firewall family ethernet-switching filter INGRESS_DEFAULTS term LIMIT_ARP then count LIMIT_ARP
set firewall family ethernet-switching filter INGRESS_DEFAULTS term LIMIT_ARP then policer LIMIT_4M
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_SOURCE from protocol tcp
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_SOURCE from source-port 179
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_SOURCE from source-prefix-list DICX_PUBLIC_PREFIX_IPV4
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_SOURCE then accept
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_SOURCE then forwarding-class NC_QUEUE_7
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_SOURCE then loss-priority low
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_SOURCE then count TCP179_SOURCE
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_DEST from protocol tcp
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_DEST from destination-port 179
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_DEST from destination-prefix-list DICX_PUBLIC_PREFIX_IPV4
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_DEST then accept
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_DEST then forwarding-class NC_QUEUE_7
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_DEST then loss-priority low
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_DEST then count TCP179_DEST
set firewall family ethernet-switching filter INGRESS_DEFAULTS term PERMIT_REST then accept
set firewall family ethernet-switching filter INGRESS_DEFAULTS term PERMIT_REST then forwarding-class BE_QUEUE_0
set firewall family ethernet-switching filter INGRESS_DEFAULTS term PERMIT_REST then loss-priority low
set firewall family ethernet-switching filter INGRESS_DEFAULTS term PERMIT_REST then count PERMIT_REST
# if whole box maint, change TCP179 src/dest to discard
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_SOURCE then discard
set firewall family ethernet-switching filter INGRESS_DEFAULTS term TCP179_DEST then discard
#
# if just single peer maint, apply the same at their port level
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term DISCARD_BOGONS_IPV4 from source-prefix-list BOGONS_IPV4
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term DISCARD_BOGONS_IPV4 then discard
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term DISCARD_BOGONS_IPV4 then count DISCARD_BOGONS_IPV4
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term LIMIT_ARP from ether-type arp
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term LIMIT_ARP then accept
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term LIMIT_ARP then forwarding-class NC_QUEUE_7
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term LIMIT_ARP then loss-priority low
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term LIMIT_ARP then count LIMIT_ARP
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term LIMIT_ARP then policer LIMIT_4M
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_SOURCE from protocol tcp
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_SOURCE from source-port 179
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_SOURCE from source-prefix-list DICX_PUBLIC_PREFIX_IPV4
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_SOURCE then discard
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_SOURCE then forwarding-class NC_QUEUE_7
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_SOURCE then loss-priority low
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_SOURCE then count TCP179_SOURCE
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_DEST from protocol tcp
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_DEST from destination-port 179
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_DEST from destination-prefix-list DICX_PUBLIC_PREFIX_IPV4
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_DEST then discard
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_DEST then forwarding-class NC_QUEUE_7
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_DEST then loss-priority low
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term TCP179_DEST then count TCP179_DEST
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term PERMIT_REST then accept
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term PERMIT_REST then forwarding-class BE_QUEUE_0
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term PERMIT_REST then loss-priority low
set firewall family ethernet-switching filter INGRESS_DEFAULTS_<PEER> term PERMIT_REST then count PERMIT_REST
#
# additional config - prefix-list:
set policy-options prefix-list DICX_PUBLIC_PREFIX_IPV4 192.0.2.0/24
# additional config - apply to public peering VLAN (all members):
set vlans VLAN100 filter input INGRESS_DEFAULTS
# additional config - apply to single port (one member):
set groups <PEER> interfaces xe-0/0/12 unit 0 family ethernet-switching filter input INGRESS_DEFAULTS_<PEER>
#
# NOTE: yes, this is missing IPv6, because when we were looking at IPv6 ingress
# it affected traffic because it has to hold the packet so much longer
# also a bunch of IPv6 stuff is broken.
# Probably this works on EX4600 and QFX, but we have not tested yet.