Last active
August 13, 2024 11:04
-
-
Save tonusoo/efd9ab4fcf2bb5a45d34d5af5e3f3e0c to your computer and use it in GitHub Desktop.
j-nsp mailing list thread: https://puck.nether.net/pipermail/juniper-nsp/2018-July/036039.html
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| interfaces { | |
| lo0 { | |
| unit 0 { | |
| family inet { | |
| filter { | |
| input-list [ discard-ip-options discard-frags accept-single-hop-bfd-v4 accept-multi-hop-bfd-v4 accept-bgp-v4 accept-ospf2 accept-vrrpv3-v4 accept-established-v4 accept-common-services-v4 discard-all-v4 ]; | |
| } | |
| } | |
| family inet6 { | |
| filter { | |
| input-list [ discard-extension-headers accept-single-hop-bfd-v6 accept-multi-hop-bfd-v6 accept-bgp-v6 accept-ospf3 accept-vrrpv3-v6 accept-established-v6 accept-common-services-v6 discard-all-v6 ]; | |
| } | |
| } | |
| } | |
| } | |
| } | |
| policy-options { | |
| prefix-list ntp-servers-v4 { | |
| apply-path "system ntp server <*.*.*.*>"; | |
| } | |
| prefix-list ntp-servers-v6 { | |
| apply-path "system ntp server <*:*>"; | |
| } | |
| prefix-list ntp-peers-v4 { | |
| apply-path "system ntp peer <*.*.*.*>"; | |
| } | |
| prefix-list ntp-peers-v6 { | |
| apply-path "system ntp peer <*:*>"; | |
| } | |
| prefix-list dns-servers-v4 { | |
| apply-path "system name-server <*.*.*.*>"; | |
| } | |
| prefix-list dns-servers-v6 { | |
| apply-path "system name-server <*:*>"; | |
| } | |
| prefix-list snmp-client-lists-v4 { | |
| apply-path "snmp client-list <*> <*.*.*.*>"; | |
| } | |
| prefix-list snmp-client-lists-v6 { | |
| apply-path "snmp client-list <*> <*:*>"; | |
| } | |
| prefix-list snmp-community-clients-v4 { | |
| apply-path "snmp community <*> clients <*.*.*.*>"; | |
| } | |
| prefix-list snmp-community-clients-v6 { | |
| apply-path "snmp community <*> clients <*:*>"; | |
| } | |
| prefix-list mgnt-networks-v4 { | |
| 10.5.5.0/24; | |
| } | |
| prefix-list mgnt-networks-v6 { | |
| fd1f:1605:8b9d:99::/64; | |
| } | |
| prefix-list bgp-neighbors-v4 { | |
| apply-path "protocols bgp group <*-v4> neighbor <*.*.*.*>"; | |
| } | |
| prefix-list bgp-neighbors-v6 { | |
| apply-path "protocols bgp group <*-v6> neighbor <*:*>"; | |
| } | |
| prefix-list router-v6 { | |
| apply-path "interfaces <*> unit <*> family inet6 address <*>"; | |
| } | |
| prefix-list ipv6-link-local { | |
| fe80::/64; | |
| } | |
| prefix-list vrrpv3-v4 { | |
| 224.0.0.18/32; | |
| } | |
| prefix-list vrrpv3-v6 { | |
| ff02::12/128; | |
| } | |
| prefix-list ospfv3 { | |
| /* ALLSPFRouters */ | |
| ff02::5/128; | |
| /* ALLDRouters */ | |
| ff02::6/128; | |
| } | |
| prefix-list loopback-v6 { | |
| ::1/128; | |
| apply-path "interfaces lo0 unit <*> family inet6 address <*>"; | |
| } | |
| prefix-list router-v4 { | |
| apply-path "interfaces <*> unit <*> family inet address <*>"; | |
| } | |
| prefix-list ospfv2 { | |
| /* ALLSPFRouters */ | |
| 224.0.0.5/32; | |
| /* ALLDRouters */ | |
| 224.0.0.6/32; | |
| } | |
| prefix-list loopback-v4 { | |
| 127.0.0.1/32; | |
| apply-path "interfaces lo0 unit <*> family inet address <*>"; | |
| } | |
| } | |
| firewall { | |
| family inet { | |
| filter accept-bgp-v4 { | |
| term accept-bgp-v4 { | |
| from { | |
| source-prefix-list { | |
| bgp-neighbors-v4; | |
| } | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol tcp; | |
| destination-port bgp; | |
| } | |
| then { | |
| count accept-bgp-v4; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-common-services-v4 { | |
| /* ensures that traceroute traffic from trusted networks does not share a policer with traceroute traffic from untrusted networks */ | |
| term accept-traceroute-v4-trusted { | |
| filter accept-traceroute-v4-trusted; | |
| } | |
| term accept-traceroute-v4-untrusted { | |
| filter accept-traceroute-v4-untrusted; | |
| } | |
| /* ensures that ICMP traffic from trusted networks does not share a policer with ICMP traffic from untrusted networks */ | |
| term accept-icmp-trusted { | |
| filter accept-icmp-trusted; | |
| } | |
| term accept-icmp-untrusted { | |
| filter accept-icmp-untrusted; | |
| } | |
| term accept-snmp-v4 { | |
| filter accept-snmp-v4; | |
| } | |
| term accept-ntp-v4 { | |
| filter accept-ntp-v4; | |
| } | |
| term accept-dns-v4 { | |
| filter accept-dns-v4; | |
| } | |
| term accept-ssh-v4 { | |
| filter accept-ssh-v4; | |
| } | |
| } | |
| filter accept-dns-v4 { | |
| term accept-dns-v4 { | |
| from { | |
| source-prefix-list { | |
| dns-servers-v4; | |
| } | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol [ udp tcp ]; | |
| source-port domain; | |
| destination-port 49160-65535; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-dns-v4; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-established-v4 { | |
| /* allows router to establish SSH sessions to management network */ | |
| term accept-established-ssh-v4 { | |
| from { | |
| source-prefix-list { | |
| mgnt-networks-v4; | |
| } | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol tcp; | |
| source-port ssh; | |
| destination-port 49160-65535; | |
| tcp-established; | |
| } | |
| then { | |
| policer re-protect-20m; | |
| count accept-established-ssh-v4; | |
| accept; | |
| } | |
| } | |
| /* allows router to establish BGP sessions with BGP neighbors */ | |
| term accept-established-bgp-v4 { | |
| from { | |
| source-prefix-list { | |
| bgp-neighbors-v4; | |
| } | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol tcp; | |
| source-port bgp; | |
| destination-port 49160-65535; | |
| tcp-established; | |
| } | |
| then { | |
| count accept-established-bgp-v4; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-icmp-trusted { | |
| term accept-echo-request-trusted { | |
| from { | |
| source-prefix-list { | |
| mgnt-networks-v4; | |
| } | |
| protocol icmp; | |
| icmp-type echo-request; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-echo-request-trusted; | |
| accept; | |
| } | |
| } | |
| term accept-echo-reply-trusted { | |
| from { | |
| source-prefix-list { | |
| mgnt-networks-v4; | |
| } | |
| protocol icmp; | |
| icmp-type echo-reply; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-echo-reply-trusted; | |
| accept; | |
| } | |
| } | |
| term accept-icmp-error-messages-trusted { | |
| from { | |
| source-prefix-list { | |
| mgnt-networks-v4; | |
| } | |
| protocol icmp; | |
| icmp-type [ unreachable time-exceeded parameter-problem ]; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-icmp-error-messages-trusted; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-icmp-untrusted { | |
| term accept-echo-request-untrusted { | |
| from { | |
| protocol icmp; | |
| icmp-type echo-request; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-echo-request-untrusted; | |
| accept; | |
| } | |
| } | |
| term accept-echo-reply-untrusted { | |
| from { | |
| protocol icmp; | |
| icmp-type echo-reply; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-echo-reply-untrusted; | |
| accept; | |
| } | |
| } | |
| term accept-icmp-error-messages-untrusted { | |
| from { | |
| protocol icmp; | |
| icmp-type [ unreachable time-exceeded parameter-problem ]; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-icmp-error-messages-untrusted; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-multi-hop-bfd-v4 { | |
| term accept-multi-hop-bfd-v4 { | |
| from { | |
| source-prefix-list { | |
| bgp-neighbors-v4; | |
| } | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol udp; | |
| source-port 49152-65535; | |
| destination-port 4784; | |
| } | |
| then { | |
| count accept-multi-hop-bfd-v4; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-ntp-v4 { | |
| term accept-ntp-v4 { | |
| from { | |
| source-prefix-list { | |
| ntp-servers-v4; | |
| ntp-peers-v4; | |
| } | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol udp; | |
| source-port ntp; | |
| /* ntpd uses src port 123 for both the "client" and "symmetric active" type messages and thus the NTP server/peer replies to dst port 123 */ | |
| destination-port ntp; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-ntp-v4; | |
| accept; | |
| } | |
| } | |
| /* needed for "show ntp *" commands */ | |
| term accept-ntp-internal-v4 { | |
| from { | |
| source-prefix-list { | |
| loopback-v4; | |
| } | |
| destination-prefix-list { | |
| loopback-v4; | |
| } | |
| protocol udp; | |
| port ntp; | |
| } | |
| then { | |
| count accept-ntp-internal-v4; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-ospf2 { | |
| term accept-ospf2 { | |
| from { | |
| source-prefix-list { | |
| router-v4; | |
| } | |
| destination-prefix-list { | |
| /* OSPF Database Description packets are sent to the unicast addresses if OSPF interface type is "LAN" */ | |
| router-v4; | |
| ospfv2; | |
| } | |
| protocol ospf; | |
| } | |
| then { | |
| count accept-ospf2; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-single-hop-bfd-v4 { | |
| term accept-single-hop-bfd-v4 { | |
| from { | |
| source-prefix-list { | |
| router-v4; | |
| } | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol udp; | |
| source-port 49152-65535; | |
| destination-port 3784-3785; | |
| /* RFC5881 5 */ | |
| ttl 255; | |
| } | |
| then { | |
| count accept-single-hop-bfd-v4; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-snmp-v4 { | |
| term accept-snmp-v4 { | |
| from { | |
| source-prefix-list { | |
| snmp-client-lists-v4; | |
| snmp-community-clients-v4; | |
| } | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol udp; | |
| destination-port snmp; | |
| } | |
| then { | |
| policer re-protect-20m; | |
| count accept-snmp-v4; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-ssh-v4 { | |
| term accept-ssh-v4 { | |
| from { | |
| source-prefix-list { | |
| mgnt-networks-v4; | |
| } | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol tcp; | |
| destination-port ssh; | |
| } | |
| then { | |
| policer re-protect-20m; | |
| count accept-ssh-v4; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-traceroute-v4-trusted { | |
| term accept-traceroute-udp-v4-trusted { | |
| from { | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| source-prefix-list { | |
| mgnt-networks-v4; | |
| } | |
| protocol udp; | |
| ttl 1; | |
| destination-port 33434-33529; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-udp-v4-trusted; | |
| accept; | |
| } | |
| } | |
| term accept-traceroute-icmp-trusted { | |
| from { | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| source-prefix-list { | |
| mgnt-networks-v4; | |
| } | |
| protocol icmp; | |
| ttl 1; | |
| icmp-type echo-request; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-icmp-trusted; | |
| accept; | |
| } | |
| } | |
| term accept-traceroute-tcp-v4-trusted { | |
| from { | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| source-prefix-list { | |
| mgnt-networks-v4; | |
| } | |
| protocol tcp; | |
| ttl 1; | |
| /* default TCP traceroute port only */ | |
| destination-port http; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-tcp-v4-trusted; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-traceroute-v4-untrusted { | |
| term accept-traceroute-udp-v4-untrusted { | |
| from { | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol udp; | |
| ttl 1; | |
| destination-port 33434-33529; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-udp-v4-untrusted; | |
| accept; | |
| } | |
| } | |
| term accept-traceroute-icmp-untrusted { | |
| from { | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol icmp; | |
| ttl 1; | |
| icmp-type echo-request; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-icmp-untrusted; | |
| accept; | |
| } | |
| } | |
| term accept-traceroute-tcp-v4-untrusted { | |
| from { | |
| destination-prefix-list { | |
| router-v4; | |
| } | |
| protocol tcp; | |
| ttl 1; | |
| /* default TCP traceroute port only */ | |
| destination-port http; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-tcp-v4-untrusted; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-vrrpv3-v4 { | |
| term accept-vrrpv3-v4 { | |
| from { | |
| source-prefix-list { | |
| router-v4; | |
| } | |
| destination-prefix-list { | |
| vrrpv3-v4; | |
| } | |
| protocol vrrp; | |
| /* RFC5798 5.1.1.3 */ | |
| ttl 255; | |
| } | |
| then { | |
| count accept-vrrpv3-v4; | |
| accept; | |
| } | |
| } | |
| } | |
| filter discard-all-v4 { | |
| term discard-all-v4 { | |
| then { | |
| count discard-all-v4; | |
| log; | |
| discard; | |
| } | |
| } | |
| } | |
| filter discard-frags { | |
| term deny-first-frags { | |
| from { | |
| first-fragment; | |
| } | |
| then { | |
| count deny-first-frags; | |
| discard; | |
| } | |
| } | |
| term deny-other-frags { | |
| from { | |
| is-fragment; | |
| } | |
| then { | |
| count deny-other-frags; | |
| discard; | |
| } | |
| } | |
| } | |
| /* On modern Trio platforms, the filter below will discard both the transit and RE-addressed packets with IP options header field - KB30719 */ | |
| filter discard-ip-options { | |
| term discard-ip-options { | |
| from { | |
| ip-options any; | |
| } | |
| then { | |
| count discard-ip-options; | |
| discard; | |
| } | |
| } | |
| } | |
| } | |
| family inet6 { | |
| filter accept-bgp-v6 { | |
| term accept-bgp-v6 { | |
| from { | |
| source-prefix-list { | |
| bgp-neighbors-v6; | |
| } | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header tcp; | |
| destination-port bgp; | |
| } | |
| then { | |
| count accept-bgp-v6; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-common-services-v6 { | |
| /* ensures that traceroute traffic from trusted networks does not share a policer with traceroute traffic from untrusted networks */ | |
| term accept-traceroute-v6-trusted { | |
| filter accept-traceroute-v6-trusted; | |
| } | |
| term accept-traceroute-v6-untrusted { | |
| filter accept-traceroute-v6-untrusted; | |
| } | |
| /* ensures that ICMP6 traffic from trusted networks does not share a policer with ICMP6 traffic from untrusted networks */ | |
| term accept-icmp6-trusted { | |
| filter accept-icmp6-trusted; | |
| } | |
| term accept-icmp6-untrusted { | |
| filter accept-icmp6-untrusted; | |
| } | |
| term accept-snmp-v6 { | |
| filter accept-snmp-v6; | |
| } | |
| term accept-ntp-v6 { | |
| filter accept-ntp-v6; | |
| } | |
| term accept-dns-v6 { | |
| filter accept-dns-v6; | |
| } | |
| term accept-ssh-v6 { | |
| filter accept-ssh-v6; | |
| } | |
| } | |
| filter accept-dns-v6 { | |
| term accept-dns-v6 { | |
| from { | |
| source-prefix-list { | |
| dns-servers-v6; | |
| } | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header [ udp tcp ]; | |
| source-port domain; | |
| destination-port 49160-65535; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-dns-v6; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-established-v6 { | |
| /* allows router to establish SSH sessions to management network */ | |
| term accept-established-ssh-v6 { | |
| from { | |
| source-prefix-list { | |
| mgnt-networks-v6; | |
| } | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header tcp; | |
| source-port ssh; | |
| destination-port 49160-65535; | |
| tcp-established; | |
| } | |
| then { | |
| policer re-protect-20m; | |
| count accept-established-ssh-v6; | |
| accept; | |
| } | |
| } | |
| /* allows router to establish BGP sessions with BGP neighbors */ | |
| term accept-established-bgp-v6 { | |
| from { | |
| source-prefix-list { | |
| bgp-neighbors-v6; | |
| } | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header tcp; | |
| source-port bgp; | |
| destination-port 49160-65535; | |
| tcp-established; | |
| } | |
| then { | |
| count accept-established-bgp-v6; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-icmp6-trusted { | |
| term accept-neighbor-discovery-trusted { | |
| from { | |
| next-header icmp6; | |
| icmp-type [ router-solicit router-advertisement neighbor-solicit neighbor-advertisement ]; | |
| /* ignore ND packets received from off-link senders - RFC4861 11.2 */ | |
| hop-limit 255; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-neighbor-discovery-trusted; | |
| accept; | |
| } | |
| } | |
| term accept-echo-request-trusted { | |
| from { | |
| source-prefix-list { | |
| mgnt-networks-v6; | |
| } | |
| next-header icmp6; | |
| icmp-type echo-request; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-echo-request-trusted; | |
| accept; | |
| } | |
| } | |
| term accept-echo-reply-trusted { | |
| from { | |
| source-prefix-list { | |
| mgnt-networks-v6; | |
| } | |
| next-header icmp6; | |
| icmp-type echo-reply; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-echo-reply-trusted; | |
| accept; | |
| } | |
| } | |
| term accept-icmp6-error-messages-trusted { | |
| from { | |
| source-prefix-list { | |
| mgnt-networks-v6; | |
| } | |
| next-header icmp6; | |
| icmp-type [ destination-unreachable packet-too-big time-exceeded parameter-problem ]; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-icmp6-error-messages-trusted; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-icmp6-untrusted { | |
| term accept-echo-request-untrusted { | |
| from { | |
| next-header icmp6; | |
| icmp-type echo-request; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-echo-request-untrusted; | |
| accept; | |
| } | |
| } | |
| term accept-echo-reply-untrusted { | |
| from { | |
| next-header icmp6; | |
| icmp-type echo-reply; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-echo-reply-untrusted; | |
| accept; | |
| } | |
| } | |
| term accept-icmp6-error-messages-untrusted { | |
| from { | |
| next-header icmp6; | |
| icmp-type [ destination-unreachable packet-too-big time-exceeded parameter-problem ]; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-icmp6-error-messages-untrusted; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-multi-hop-bfd-v6 { | |
| term accept-multi-hop-bfd-v6 { | |
| from { | |
| source-prefix-list { | |
| bgp-neighbors-v6; | |
| } | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header udp; | |
| source-port 49152-65535; | |
| destination-port 4784; | |
| } | |
| then { | |
| count accept-multi-hop-bfd-v6; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-ntp-v6 { | |
| term accept-ntp-v6 { | |
| from { | |
| source-prefix-list { | |
| ntp-servers-v6; | |
| ntp-peers-v6; | |
| } | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header udp; | |
| source-port ntp; | |
| /* ntpd uses src port 123 for both the "client" and "symmetric active" type messages and thus the NTP server/peer replies to dst port 123 */ | |
| destination-port ntp; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-ntp-v6; | |
| accept; | |
| } | |
| } | |
| term accept-ntp-internal-v6 { | |
| from { | |
| source-prefix-list { | |
| loopback-v6; | |
| } | |
| destination-prefix-list { | |
| loopback-v6; | |
| } | |
| next-header udp; | |
| port ntp; | |
| } | |
| then { | |
| count accept-ntp-internal-v6; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-ospf3 { | |
| term accept-ospf3 { | |
| from { | |
| /* RFC5340 2.5 */ | |
| source-prefix-list { | |
| ipv6-link-local; | |
| } | |
| /* RFC5340 4.2.1 */ | |
| destination-prefix-list { | |
| ospfv3; | |
| ipv6-link-local; | |
| } | |
| next-header ospf; | |
| } | |
| then { | |
| count accept-ospf3; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-single-hop-bfd-v6 { | |
| term accept-single-hop-bfd-v6 { | |
| from { | |
| source-prefix-list { | |
| router-v6; | |
| ipv6-link-local; | |
| } | |
| destination-prefix-list { | |
| router-v6; | |
| ipv6-link-local; | |
| } | |
| next-header udp; | |
| source-port 49152-65535; | |
| destination-port 3784-3785; | |
| /* RFC5881 5 */ | |
| hop-limit 255; | |
| } | |
| then { | |
| count accept-single-hop-bfd-v6; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-snmp-v6 { | |
| term accept-snmp-v6 { | |
| from { | |
| source-prefix-list { | |
| snmp-client-lists-v6; | |
| snmp-community-clients-v6; | |
| } | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header udp; | |
| destination-port snmp; | |
| } | |
| then { | |
| policer re-protect-20m; | |
| count accept-snmp-v6; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-ssh-v6 { | |
| term accept-ssh-v6 { | |
| from { | |
| source-prefix-list { | |
| mgnt-networks-v6; | |
| } | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header tcp; | |
| destination-port ssh; | |
| } | |
| then { | |
| policer re-protect-20m; | |
| count accept-ssh-v6; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-traceroute-v6-trusted { | |
| term accept-traceroute-udp-v6-trusted { | |
| from { | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| source-prefix-list { | |
| mgnt-networks-v6; | |
| } | |
| next-header udp; | |
| destination-port 33434-33529; | |
| hop-limit 1; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-udp-v6-trusted; | |
| accept; | |
| } | |
| } | |
| term accept-traceroute-icmp6-trusted { | |
| from { | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| source-prefix-list { | |
| mgnt-networks-v6; | |
| } | |
| next-header icmp6; | |
| icmp-type echo-request; | |
| hop-limit 1; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-icmp6-trusted; | |
| accept; | |
| } | |
| } | |
| term accept-traceroute-tcp-v6-trusted { | |
| from { | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| source-prefix-list { | |
| mgnt-networks-v6; | |
| } | |
| next-header tcp; | |
| hop-limit 1; | |
| /* default TCP traceroute port only */ | |
| destination-port http; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-tcp-v6-trusted; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-traceroute-v6-untrusted { | |
| term accept-traceroute-udp-v6-untrusted { | |
| from { | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header udp; | |
| destination-port 33434-33529; | |
| hop-limit 1; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-udp-v6-untrusted; | |
| accept; | |
| } | |
| } | |
| term accept-traceroute-icmp6-untrusted { | |
| from { | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header icmp6; | |
| icmp-type echo-request; | |
| hop-limit 1; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-icmp6-untrusted; | |
| accept; | |
| } | |
| } | |
| term accept-traceroute-tcp-v6-untrusted { | |
| from { | |
| destination-prefix-list { | |
| router-v6; | |
| } | |
| next-header tcp; | |
| hop-limit 1; | |
| /* default TCP traceroute port only */ | |
| destination-port http; | |
| } | |
| then { | |
| policer re-protect-1m; | |
| count accept-traceroute-tcp-v6-untrusted; | |
| accept; | |
| } | |
| } | |
| } | |
| filter accept-vrrpv3-v6 { | |
| term accept-vrrpv3-v6 { | |
| from { | |
| /* RFC5798 5.1.2.1 */ | |
| source-prefix-list { | |
| ipv6-link-local; | |
| } | |
| /* RFC5798 5.1.2.2 */ | |
| destination-prefix-list { | |
| vrrpv3-v6; | |
| } | |
| next-header vrrp; | |
| /* RFC5798 5.1.2.3 */ | |
| hop-limit 255; | |
| } | |
| then { | |
| count accept-vrrpv3-v6; | |
| accept; | |
| } | |
| } | |
| } | |
| filter discard-all-v6 { | |
| term discard-all-v6 { | |
| then { | |
| count discard-all-v6; | |
| log; | |
| discard; | |
| } | |
| } | |
| } | |
| filter discard-extension-headers { | |
| term discard-extension-headers { | |
| from { | |
| next-header-except [ icmp6 ospf tcp udp vrrp ]; | |
| } | |
| then { | |
| count discard-extension-headers; | |
| discard; | |
| } | |
| } | |
| } | |
| } | |
| policer re-protect-1m { | |
| if-exceeding { | |
| bandwidth-limit 1m; | |
| burst-size-limit 625k; | |
| } | |
| then discard; | |
| } | |
| policer re-protect-20m { | |
| if-exceeding { | |
| bandwidth-limit 20m; | |
| burst-size-limit 625k; | |
| } | |
| then discard; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment