Control Plane Security Configuration
Secure Control Plane Traffic via Protocol ACLs
This section details the configuration options for control plane traffic that is redirected to the CPU using protocol ACLs. These ACLs are generated automatically by the protocols; they do not require manual configuration, nor can they be configured manually. For instance, configuring a routing protocol such as BGP automatically creates the necessary ACLs to match BGP packets and forward them to the control plane.
Configuring the Control Plane Security Feature
Control plane security is active by default, utilizing the _DEFAULT_POLICER_50_MB to cap traffic across most of the protocol ACLs at 50 Mbps. This bandwidth is shared among all protocols using this policer. While protocols share a single policer by default, separate policers can be configured for specific protocols or groups.
Although enabled by default, control plane security can be deactivated, allowing all control plane traffic to be sent to the CPU without any rate limits.
set forwarding-options control-plane-security state disable
| Disabling control-plane security is not recommended. |
Configuring Protocol ACL Options
This section describes how to configure policers per protocol and configure a match on IPv4 ToS or IPv6 TC fields for protocol ACLs.
Syntax:
| Option | Description |
|---|---|
| protocol <protocol-name> | Name of the protocol. You can configure individual protocols or all protocols using the 'all' keyword. The protocol-specific configurations take priority over the 'all' configuration. |
| match-tc <value> | Configure the IPv6 TC value to match. The range is 0 to 254. |
| match-tos <value> | Configure the IPv4 ToS value to match. The range is 0 to 254. |
| policer <policer-name> | Configure the policer name. |
While all protocols share the same policer by default, it is possible to configure dedicated policers for individual protocols or groups of protocols. Protocols referencing the same policer identified by name will share the same bandwidth limit. If you require separate policers for individual protocols or groups of protocols, even with identical rates, you must assign each a unique name.
Example policer configuration for BGP with 100 Mbps:
```
set forwarding-options class-of-service policer bgp-global
set forwarding-options class-of-service policer bgp-global flags color-blind
set forwarding-options class-of-service policer bgp-global level1-rates cir 100000
set forwarding-options class-of-service policer bgp-global level1-rates cbs 10000
set forwarding-options class-of-service policer bgp-global level1-rates pir 100000
set forwarding-options class-of-service policer bgp-global level1-rates pbs 10000
set forwarding-options class-of-service policer bgp-global levels 1
set forwarding-options class-of-service policer bgp-global type two-rate-three-color
set forwarding-options class-of-service policer bgp-global mode single-level
```
Assign the policer to BGP protocol ACL:
set forwarding-options control-plane-security protocol bgp policer bgp-global
Other protocols can be similarly protected by either assigning a dedicated policer to each protocol or grouping several protocols under a single policer. We recommend a maximum of 200 Mbps for any single policer, a value that might only be necessary for BGP on certain peering routers. For all other protocols, up to 50 Mbps is typically sufficient.
To enhance system protection, the match-tos and match-tc options can be used to filter protocol traffic so that only correctly marked packets are processed. This adds a layer of security on the assumption that an attacker cannot deliver traffic carrying these specific markings to the router.

```
# accept BGP only with TOS 192 (match-tos matches the IPv4 ToS field)
set forwarding-options control-plane-security protocol bgp match-tos 192
# send BGP with TOS 192
set forwarding-options class-of-service control-plane-qos outbound-marking protocol bgp tos codepoint 192
```
Secure Control Plane Traffic via Route Lookup
This section details the configuration for control plane traffic that is redirected to the CPU via route lookup, which refers to traffic sent to a router’s IP address (referred to as "my IP") that lacks an existing Access Control List (ACL). This behavior applies to IP addresses configured on any interface, including loopback interfaces. By default, this type of traffic is neither restricted nor rate-limited.
Configuring ACLs
In RBFS, ACLs are applied globally and do not require explicit attachment. Rule names serve as configuration handles and do not need to be referenced. However, it is advisable to use distinct rule names for different topics, as counter names are derived from them. For example, use "myip-icmp" and "myip-icmpv6" for rules with dedicated counters.
To secure the control plane, you must apply ACLs and policers through configuration. You do not need to account for protocol traffic already handled by automatically generated protocol ACLs. Instead, you only need to define rules for other traffic sent to "my IP." In the simplest scenario, you can deny all other traffic. Typically, however, you will want to allow specific additional traffic, such as ICMP with a rate limit, while denying everything else. Alternatively, you could allow all traffic but apply a small policer rate.
Syntax:
| Option | Description |
|---|---|
| l3v4 | ACL configuration for IPv4 |
| l3v6 | ACL configuration for IPv6 |
| rule <rule-name> | Name of the ACL rule |
| ordinal <number> | Number of the configuration entry. Please note that the order of the configuration entries (ordinals) does not determine the processing. |
| match <conditions> | Set match conditions such as source and destination prefixes, prefix lists, ports, and protocols. When multiple match conditions are specified within the same ordinal, they are combined as a logical AND, meaning all conditions must be met. |
| action <action> | Set an action such as permit, drop, or policer-name. |
| priority <value> | Configure the ACL entry priority. Lower values take precedence, with the default set to 500. RBFS utilizes TCAM-based ACLs to enable parallel evaluation of all rules, which allows for high-speed processing and efficient matching. When multiple rules match a given packet, the highest priority rule (lowest value) is applied. |
RBFS supports the match conditions destination-ipv4-local and destination-ipv6-local. These options are converted internally into a prefix list that includes all interface addresses. As a result, any rule using these match options is installed multiple times, once for each interface address.
The following example rule drops all traffic destined to one of the router's IP addresses. Its priority value of 2000 is numerically higher than the protocol ACL priority of 50, and lower values take precedence, so protocol traffic such as BGP is still matched by the protocol rule, which wins, and is not dropped.

```
set forwarding-options acl l3v4 rule myip-discard
set forwarding-options acl l3v4 rule myip-discard ordinal 2000
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 match direction ingress
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 match destination-ipv4-local true
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 action drop true
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 action statistics true
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 priority 2000
```
When designing security ACLs to protect "my IP", you may not want to block all unwanted traffic completely. Instead, you might allow and rate-limit specific necessary traffic, such as ICMP. It is important to remember that you do not need to consider protocol traffic already handled by the protocol ACLs when creating these security ACLs.
In environments with thousands of logical interfaces and multiple rules, an alternative approach to reduce ACL usage could be employing custom prefix lists with aggregate prefixes of interface addresses or other match criteria. This is why these ACLs are not automatically generated, as each environment is unique and may require different rules. The configuration section provides common best practices that are applicable to many networks or can serve as a foundation for modifications based on specific requirements.
Restricting In-Band Management Access
Enabling in-band management, such as SSH, automatically creates protocol ACLs. These ACLs are configured to match the enabled protocols, directing management traffic to the control plane. By default, this traffic is not restricted by source IP addresses. To further enhance security, in-band management access can be restricted to trusted IP addresses by applying a source prefix list, which adds an extra match condition to the in-band management protocol ACLs.
| This prefix list must contain /32 only! Any other prefix length is not supported! |
```
set forwarding-options prefix-list trusted-ssh ipv4-prefix 10.10.10.1/32
set forwarding-options prefix-list trusted-ssh ipv4-prefix 10.10.10.2/32
set inband-management instance default ssh true
set inband-management instance default source-prefix-list trusted-ssh
```
By default, in-band management traffic is limited by control-plane-security to 20 Mbps using the _DEFAULT_POLICER_20_MB policer. This policer can be replaced as described above by assigning a user-defined policer to the protocol named inband. In-band traffic can optionally also be restricted to packets carrying a given ToS/TC marking.

```
set forwarding-options class-of-service policer inband-global flags color-blind
set forwarding-options class-of-service policer inband-global level1-rates
set forwarding-options class-of-service policer inband-global level1-rates cir 100000
set forwarding-options class-of-service policer inband-global level1-rates cbs 10000
set forwarding-options class-of-service policer inband-global level1-rates pir 100000
set forwarding-options class-of-service policer inband-global level1-rates pbs 10000
set forwarding-options class-of-service policer inband-global levels 1
set forwarding-options class-of-service policer inband-global type two-rate-three-color
set forwarding-options class-of-service policer inband-global mode single-level
set forwarding-options control-plane-security protocol inband policer inband-global
set forwarding-options control-plane-security protocol inband match-tos 128
```
Marking Outbound Control Plane Traffic
RBFS offers a flexible configuration of TOS, TC, or VLAN P-BIT markings for outbound control plane traffic.
These settings can be applied per protocol and, in some cases, individually per interface. While both Layer 2 (P-BIT) and Layer 3 (TOS) markings are configurable for all protocols, support for each marking type may vary, with some protocols supporting only one and others supporting both.
| Protocol | Markings | IFP-based | IFL-based |
|---|---|---|---|
| l2-all | p-bit | NO | NO |
| l3-all | tos | NO | NO |
| BGP | tos | NO | YES |
| OSPF | tos | NO | YES |
| LDP | tos | NO | YES |
| ISIS | p-bit | NO | YES |
| PIM | tos | NO | YES |
| DHCP Relay | p-bit | NO | YES |
| RADIUS | tos | NO | YES |
| IPoE | tos | NO | NO |
| PPPoE | tos/p-bit | YES (p-bit only) | NO |
| IGMP | tos/p-bit | YES (p-bit only) | NO |
| L2TP | tos | NO | YES |
| ARP/ND | p-bit | NO | YES |
| CFM | p-bit | NO | NO |
| MPLS-OAM | tos | NO | NO |
Settings are prioritized as follows: IFP/IFL (highest), protocol level, and l2-all/l3-all (lowest). For example, if a user configures the p-bit for both the ARP protocol and "l2-all," the ARP protocol setting takes precedence. If the ARP p-bit is then removed, the "l2-all" configuration will be applied.
| Redundancy-related control traffic can be marked with a specific tos value with the L3-all option. |
Example:
```
set forwarding-options class-of-service control-plane-qos outbound-marking protocol arp p-bit codepoint 6
set forwarding-options class-of-service control-plane-qos outbound-marking protocol arp p-bit ifl ifl-0/0/0/0 codepoint 5
set forwarding-options class-of-service control-plane-qos outbound-marking protocol l3-all tos codepoint 128
set forwarding-options class-of-service control-plane-qos outbound-marking protocol radius tos codepoint 192
set forwarding-options class-of-service control-plane-qos outbound-marking protocol ppp p-bit codepoint 6
set forwarding-options class-of-service control-plane-qos outbound-marking protocol ppp tos codepoint 192
```
The command show qos control-plane displays QoS remarking types, interface names, and codepoints for all or specified protocols.
```
op> show qos control-plane protocol ppp
Protocol    Remark Type    Interface    Codepoint
ppp         p-bit          all          5
                           ifp-0/0/1    3
                           ifp-0/0/2    4
```
Reference Configurations
My-IP Discard
The following example demonstrates a basic configuration that should be suitable for many setups. It allows ICMP traffic but limits it to 10 Mbps using dedicated policers for ICMPv4 and ICMPv6. All other traffic not previously accepted by any protocol ACL is then discarded. If ICMP is not required, these rules can be removed.
```
set forwarding-options acl l3v4 rule myip-icmp ordinal 1500 match direction ingress
set forwarding-options acl l3v4 rule myip-icmp ordinal 1500 match ip-protocol icmp
set forwarding-options acl l3v4 rule myip-icmp ordinal 1500 match destination-ipv4-local true
set forwarding-options acl l3v4 rule myip-icmp ordinal 1500 action policer-name icmp-global
set forwarding-options acl l3v4 rule myip-icmp ordinal 1500 priority 1500
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 match direction ingress
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 match destination-ipv4-local true
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 action drop true
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 action statistics true
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 priority 2000
set forwarding-options acl l3v6 rule myipv6-icmpv6 ordinal 1500 match direction ingress
set forwarding-options acl l3v6 rule myipv6-icmpv6 ordinal 1500 match ip-protocol ipv6_icmp
set forwarding-options acl l3v6 rule myipv6-icmpv6 ordinal 1500 match destination-ipv6-local true
set forwarding-options acl l3v6 rule myipv6-icmpv6 ordinal 1500 action policer-name icmpv6-global
set forwarding-options acl l3v6 rule myipv6-icmpv6 ordinal 1500 priority 1500
set forwarding-options acl l3v6 rule myipv6-discard ordinal 2000 match direction ingress
set forwarding-options acl l3v6 rule myipv6-discard ordinal 2000 match destination-ipv6-local true
set forwarding-options acl l3v6 rule myipv6-discard ordinal 2000 action drop true
set forwarding-options acl l3v6 rule myipv6-discard ordinal 2000 action statistics true
set forwarding-options acl l3v6 rule myipv6-discard ordinal 2000 priority 2000
set forwarding-options class-of-service policer icmp-global flags color-blind
set forwarding-options class-of-service policer icmp-global level1-rates
set forwarding-options class-of-service policer icmp-global level1-rates cir 10000
set forwarding-options class-of-service policer icmp-global level1-rates cbs 1000
set forwarding-options class-of-service policer icmp-global level1-rates pir 10000
set forwarding-options class-of-service policer icmp-global level1-rates pbs 1000
set forwarding-options class-of-service policer icmp-global levels 1
set forwarding-options class-of-service policer icmp-global type two-rate-three-color
set forwarding-options class-of-service policer icmp-global mode single-level
set forwarding-options class-of-service policer icmpv6-global flags color-blind
set forwarding-options class-of-service policer icmpv6-global level1-rates
set forwarding-options class-of-service policer icmpv6-global level1-rates cir 10000
set forwarding-options class-of-service policer icmpv6-global level1-rates cbs 1000
set forwarding-options class-of-service policer icmpv6-global level1-rates pir 10000
set forwarding-options class-of-service policer icmpv6-global level1-rates pbs 1000
set forwarding-options class-of-service policer icmpv6-global levels 1
set forwarding-options class-of-service policer icmpv6-global type two-rate-three-color
set forwarding-options class-of-service policer icmpv6-global mode single-level
```
Protocol Policers
This example demonstrates the configuration of user-defined policers. BGP traffic is limited to 100 Mbps, while ISIS and PPPoE traffic are each capped at 50 Mbps using dedicated policers.
```
set forwarding-options class-of-service policer bgp-global flags color-blind
set forwarding-options class-of-service policer bgp-global level1-rates
set forwarding-options class-of-service policer bgp-global level1-rates cir 100000
set forwarding-options class-of-service policer bgp-global level1-rates cbs 10000
set forwarding-options class-of-service policer bgp-global level1-rates pir 100000
set forwarding-options class-of-service policer bgp-global level1-rates pbs 10000
set forwarding-options class-of-service policer bgp-global levels 1
set forwarding-options class-of-service policer bgp-global type two-rate-three-color
set forwarding-options class-of-service policer bgp-global mode single-level
set forwarding-options control-plane-security protocol bgp policer bgp-global
set forwarding-options class-of-service policer isis-global flags color-blind
set forwarding-options class-of-service policer isis-global level1-rates
set forwarding-options class-of-service policer isis-global level1-rates cir 50000
set forwarding-options class-of-service policer isis-global level1-rates cbs 5000
set forwarding-options class-of-service policer isis-global level1-rates pir 50000
set forwarding-options class-of-service policer isis-global level1-rates pbs 5000
set forwarding-options class-of-service policer isis-global levels 1
set forwarding-options class-of-service policer isis-global type two-rate-three-color
set forwarding-options class-of-service policer isis-global mode single-level
set forwarding-options control-plane-security protocol isis policer isis-global
set forwarding-options class-of-service policer pppoe-global flags color-blind
set forwarding-options class-of-service policer pppoe-global level1-rates
set forwarding-options class-of-service policer pppoe-global level1-rates cir 50000
set forwarding-options class-of-service policer pppoe-global level1-rates cbs 5000
set forwarding-options class-of-service policer pppoe-global level1-rates pir 50000
set forwarding-options class-of-service policer pppoe-global level1-rates pbs 5000
set forwarding-options class-of-service policer pppoe-global levels 1
set forwarding-options class-of-service policer pppoe-global type two-rate-three-color
set forwarding-options class-of-service policer pppoe-global mode single-level
set forwarding-options control-plane-security protocol pppoe policer pppoe-global
```
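As an added illustration that is not part of the RBFS documentation or product, the following Python script checks a list of "set" commands against the rules this page states: the recommended 200 Mbps ceiling per policer, the shared bandwidth limit that results from reusing a policer name across protocols, the /32-only restriction on the in-band source prefix list, and the priority ordering between my-IP rules and the protocol ACLs (priority 50, default rule priority 500). The sample configuration, the function name and the finding texts are constructed for this example and assume the command syntax shown in the reference configurations above.

```python
import re
from collections import defaultdict
# Constructed sample, not from the page: reference-style commands with three
# deliberate mistakes: a 300 Mbps policer, a /24 in the in-band list, priority 40.
SAMPLE_CONFIG = """
set forwarding-options class-of-service policer bgp-global level1-rates cir 300000
set forwarding-options control-plane-security protocol bgp policer bgp-global
set forwarding-options control-plane-security protocol isis policer isis-global
set forwarding-options control-plane-security protocol ldp policer isis-global
set forwarding-options prefix-list trusted-ssh ipv4-prefix 10.10.10.1/32
set forwarding-options prefix-list trusted-ssh ipv4-prefix 10.10.11.0/24
set inband-management instance default source-prefix-list trusted-ssh
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 match destination-ipv4-local true
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 action drop true
set forwarding-options acl l3v4 rule myip-discard ordinal 2000 priority 40
"""
MAX_POLICER_KBPS = 200000   # page: at most 200 Mbps for any single policer
PROTOCOL_ACL_PRIORITY = 50  # page: priority of the auto-generated protocol ACLs
RE_CIR = re.compile(r"set forwarding-options class-of-service policer (\S+) level1-rates cir (\d+)$")
RE_USE = re.compile(r"set forwarding-options control-plane-security protocol (\S+) policer (\S+)$")
RE_PFX = re.compile(r"set forwarding-options prefix-list (\S+) ipv[46]-prefix (\S+)$")
RE_INB = re.compile(r"set inband-management instance \S+ source-prefix-list (\S+)$")
RE_ACL = re.compile(r"set forwarding-options acl l3v[46] rule (\S+) ordinal \d+ (\S+) (\S+)(?: (\S+))?$")

def lint_cp_security(config: str) -> list[str]:
    """Check a list of 'set' commands against the rules this page states."""
    cir, users, prefixes = {}, defaultdict(list), defaultdict(list)
    inband_lists, local_rules, rule_prio = set(), set(), {}
    for line in (l.strip() for l in config.splitlines()):
        if m := RE_CIR.match(line):
            cir[m[1]] = int(m[2])
        elif m := RE_USE.match(line):
            users[m[2]].append(m[1])
        elif m := RE_PFX.match(line):
            prefixes[m[1]].append(m[2])
        elif m := RE_INB.match(line):
            inband_lists.add(m[1])
        elif m := RE_ACL.match(line):
            if m[2] == "match" and m[3].startswith("destination-ipv") and m[4] == "true":
                local_rules.add(m[1])      # rule is expanded to every interface address
            elif m[2] == "priority":
                rule_prio[m[1]] = int(m[3])
    findings = []
    for name, rate in cir.items():         # recommended ceiling per policer
        if rate > MAX_POLICER_KBPS:
            findings.append(f"policer {name}: cir {rate} kbit/s exceeds recommended {MAX_POLICER_KBPS}")
    for name, protos in users.items():     # same policer name means one shared limit
        if len(protos) > 1:
            findings.append(f"policer {name}: shared by {', '.join(protos)} (one bandwidth limit)")
    for lst in sorted(inband_lists):       # in-band source list must hold /32 entries only
        findings += [f"prefix-list {lst}: {p} is not a /32" for p in prefixes[lst] if not p.endswith("/32")]
    for rule in sorted(local_rules):       # lower priority value wins; protocol ACLs use 50
        prio = rule_prio.get(rule, 500)    # page: default priority is 500
        if prio <= PROTOCOL_ACL_PRIORITY:
            findings.append(f"rule {rule}: priority {prio} outranks the protocol ACLs")
    return findings
```

Running lint_cp_security(SAMPLE_CONFIG) reports the three planted mistakes plus the shared isis-global policer; a my-IP rule without an explicit priority keeps the default of 500 and is not reported.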