Juniper EX switch cannot pass DHCP protocol packets after RE-Protect is configured


The MX acts as the DHCP server and assigns IP addresses to end users; the EX aggregation and EX access switches transparently forward the DHCP packets at Layer 2 to the DHCP server.

Because of certain *** traffic, the CPU of the EX aggregation and EX access switches was running at 100%. To filter the abnormal traffic, I started deploying RE-Protect on the EX switches. Since these are Layer 2 switches that carry no Layer 3 services, only management access to the switch itself needs to be permitted.

The RE protection configuration is as follows:
/ Permit telnet management of the switch /
set firewall family inet filter Protect-RE term telnet from protocol tcp
set firewall family inet filter Protect-RE term telnet from destination-port 23
set firewall family inet filter Protect-RE term telnet then accept
/ Permit ICMP to the switch /
set firewall family inet filter Protect-RE term icmp from protocol icmp
set firewall family inet filter Protect-RE term icmp then accept
/ Permit FTP to the switch /
set firewall family inet filter Protect-RE term ftp from protocol tcp
set firewall family inet filter Protect-RE term ftp from destination-port ftp
set firewall family inet filter Protect-RE term ftp from destination-port ftp-data
set firewall family inet filter Protect-RE term ftp then accept
/ Everything else is treated as untrusted traffic and discarded /
set firewall family inet filter Protect-RE term deny-all then discard

Note: on low-end switches, RE protection cannot be configured with auxiliary actions such as count and log.

/ Apply the RE protection filter on the loopback interface; in Junos, lo0 is the path between the PFE and the RE /
set interfaces lo0 unit 0 family inet filter input Protect-RE

After the above configuration was completed, switch management and service tests were normal. However, half an hour later a fault report came in: none of the DHCP users could obtain an IP address, nor could they complete lease renewal.

Investigation showed that because DHCP snooping was enabled on the EX switches, the switch has to inspect DHCP packets itself; the RE protection filter did not permit DHCP traffic, so users could not complete DHCP negotiation.

Modify the configuration as follows so that the switch processes DHCP packets.
set firewall family inet filter Protect-RE term dhcp from protocol udp
set firewall family inet filter Protect-RE term dhcp from destination-port 67
set firewall family inet filter Protect-RE term dhcp from destination-port 68
set firewall family inet filter Protect-RE term dhcp then accept

set firewall family inet filter Protect-RE term boot from protocol udp
set firewall family inet filter Protect-RE term boot from destination-port bootpc
set firewall family inet filter Protect-RE term boot then accept
set firewall family inet filter Protect-RE term boots from protocol udp
set firewall family inet filter Protect-RE term boots from destination-port bootps
set firewall family inet filter Protect-RE term boots then accept

A stricter way to configure it (note that the filter here is named RE-protect; the terms must be placed in the filter that is actually applied to lo0, Protect-RE above):
set firewall family inet filter RE-protect term dhcp-client-accept from source-address 0.0.0.0/32
set firewall family inet filter RE-protect term dhcp-client-accept from destination-address 255.255.255.255/32
set firewall family inet filter RE-protect term dhcp-client-accept from protocol udp
set firewall family inet filter RE-protect term dhcp-client-accept from source-port 68
set firewall family inet filter RE-protect term dhcp-client-accept from destination-port 67
set firewall family inet filter RE-protect term dhcp-client-accept then count dhcp-client-accept
set firewall family inet filter RE-protect term dhcp-client-accept then accept

set firewall family inet filter RE-protect term dhcp-server-accept from protocol udp
set firewall family inet filter RE-protect term dhcp-server-accept from source-port 67
set firewall family inet filter RE-protect term dhcp-server-accept from source-port 68
set firewall family inet filter RE-protect term dhcp-server-accept from destination-port 67
set firewall family inet filter RE-protect term dhcp-server-accept from destination-port 68
set firewall family inet filter RE-protect term dhcp-server-accept then count dhcp-server-accept
set firewall family inet filter RE-protect term dhcp-server-accept then accept

After this configuration was added, DHCP users could obtain IP addresses from the MX router and access the Internet normally.

Checking the DHCP snooping status on the EX switch:
{master:0}
admin@EX2200> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address     Lease (seconds)  Type     VLAN     Interface
40:62:31:04:0A:40   10.33.81.227   542              dynamic  vlan851  ge-0/0/45.0
08:10:75:D8:E9:E2   10.33.83.44    496              dynamic  vlan853  ge-0/0/19.0
1C:39:47:C9:78:92   10.33.83.71    33               dynamic  vlan853  ge-0/0/25.0
1C:AF:F7:D1:4E:AE   10.33.83.222   536              dynamic  vlan853  ge-0/0/37.0
34:17:EB:DF:7F:5D   10.33.83.211   549              dynamic  vlan853  ge-0/0/23.0
38:A2:8C:D9:FC:43   10.33.83.75    273              dynamic  vlan853  ge-0/0/20.0
50:9A:4C:0D:28:17   10.33.83.100   322              dynamic  vlan853  ge-0/0/4.0
58:D9:D5:47:01:08   10.33.83.68    554              dynamic  vlan853  ge-0/0/5.0
98:90:96:AC:A4:3E   10.33.83.59    375              dynamic  vlan853  ge-0/0/2.0
98:EE:CB:45:24:2E   10.33.83.50    490              dynamic  vlan853  ge-0/0/6.0
98:EE:CB:69:EB:7D   10.33.83.243   315              dynamic  vlan853  ge-0/0/7.0
A4:93:3F:5B:0B:54   10.33.83.74    192              dynamic  vlan853  ge-0/0/25.0
FC:4D:D4:D7:D3:36   10.33.83.20    450              dynamic  vlan853  ge-0/0/13.0

Once RE protection is configured on a Juniper device, every newly enabled protocol must also be permitted in the RE protection filter. A newly added term is placed at the end of the filter by default, so the insert command, combined with after or before, is needed to adjust the position of each term.
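To make the term-ordering point concrete, here is an added Python example (not code from the original post or from Juniper) that models Junos first-match evaluation of a set-format filter: a DHCP term appended with `set` lands after deny-all and never matches until `insert ... before term deny-all` moves it. The regex, the sample filter and the DHCPDISCOVER packet are constructed for this example.

```python
import re
from collections import OrderedDict
# One Junos set-format line of a family inet firewall filter.
SET_RE = re.compile(
    r"set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?$")

def parse_filter(config):
    """term -> {'from': {condition: {values}}, 'then': action}, in first-seen order
    (with `set`, a new term lands last). Values of one condition OR, conditions AND."""
    terms = OrderedDict()
    for line in config.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        _filter, term, clause, key, value = m.groups()
        t = terms.setdefault(term, {"from": {}, "then": None})
        if clause == "from":
            t["from"].setdefault(key, set()).add(value)
        else:
            t["then"] = key  # last 'then' keyword wins, e.g. count ... then accept
    return terms

def evaluate(terms, pkt):
    """First matching term decides; a term with no 'from' (deny-all) matches all."""
    for name, t in terms.items():
        if all(str(pkt.get(k)) in vals for k, vals in t["from"].items()):
            return name, t["then"]
    return None, "discard"  # Junos implicit discard at the end of a filter

def insert_before(terms, term, anchor):
    """Mimic `insert firewall ... term <term> before term <anchor>`."""
    items = [(n, t) for n, t in terms.items() if n != term]
    items.insert([n for n, _ in items].index(anchor), (term, terms[term]))
    return OrderedDict(items)

# Constructed config: the page's filter after `set ... term dhcp` appended a DHCP term.
PROTECT_RE = """
set firewall family inet filter Protect-RE term telnet from protocol tcp
set firewall family inet filter Protect-RE term telnet from destination-port 23
set firewall family inet filter Protect-RE term telnet then accept
set firewall family inet filter Protect-RE term deny-all then discard
set firewall family inet filter Protect-RE term dhcp from protocol udp
set firewall family inet filter Protect-RE term dhcp from destination-port 67
set firewall family inet filter Protect-RE term dhcp then accept
"""
DHCP_DISCOVER = {"protocol": "udp", "source-port": 68, "destination-port": 67}  # constructed

def before_and_after():
    terms = parse_filter(PROTECT_RE)
    return (evaluate(terms, DHCP_DISCOVER),
            evaluate(insert_before(terms, "dhcp", "deny-all"), DHCP_DISCOVER))
```

`before_and_after()` returns `(('deny-all', 'discard'), ('dhcp', 'accept'))`: the same packet is dropped while the DHCP term sits behind deny-all and accepted once it is inserted before it.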
