On Fri, Feb 13, 2009 at 8:49 PM, Marlon Duksa <mdu...@gmail.com> wrote:
> Hi - does anyone know if it is possible on Junos to install a policers on
> logical interfaces to prevent DoS attacks so that control plane as a whole
> is identified in a filter rule?
> Right now I see a default ARP policer is installed on every interface.
> I want to customize this so that all traffic is policed (on 100s of my
> logical interfaces). How do you identify control plane in such filter? I
> have a bunch of loopback addresses in my box and do not want to specify each
> IP address in my filter.
If you want to filter control plane traffic destined for the RE (as opposed to transit traffic), the easiest way to accomplish this would be to apply a firewall filter on the lo0.0 interface. Of course you can always protect it by applying the filter on the requisite incoming interfaces, but if you have a large number of interfaces you are faced with the dilemma you describe. Another option would be to use apply-groups and apply those filters to a large number of interfaces using wildcard matching.

The Secure JUNOS template made available by the lovely folks at Team Cymru has lots of good information on applying firewall filters and protecting the control plane of your routers: http://www.cymru.com/gillsr/documents/junos-template.pdf

--
Stefan Fouant
Yesterday it worked. Today it is not working. Windows is like that.

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
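The two approaches from the reply above, written out as an added configuration example (not posted by anyone in the thread): a single filter on lo0.0 that covers everything host-bound to the RE no matter which interface it arrived on, plus an apply-group with a wildcard that pushes an ingress policer onto every unit of every matching interface. It also uses apply-path, a Junos feature the reply does not mention, to build a prefix-list of all loopback addresses automatically, which is the part of the question about not wanting to list each IP by hand. The filter, policer, group and prefix-list names, the ge-* interface pattern and the 192.0.2.0/24 and 198.51.100.0/24 addresses are all assumptions chosen for the example.

```junos
/* Added example, not from the thread. All names and addresses below are assumed. */
policy-options {
    /* Every address configured on lo0 is collected here automatically */
    prefix-list router-loopbacks {
        apply-path "interfaces lo0 unit <*> family inet address <*>";
    }
    /* Assumed BGP neighbours; replace with the real peer prefixes */
    prefix-list bgp-peers {
        198.51.100.0/24;
    }
}
firewall {
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer ingress-policer {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 150k;
        }
        then discard;
    }
    family inet {
        /* RE protection: applied once on lo0.0, sees all host-bound traffic */
        filter protect-re {
            term allow-bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    destination-prefix-list {
                        router-loopbacks;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term allow-ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            /* ICMP is rate-limited rather than dropped outright */
            term allow-icmp-policed {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* Anything else aimed at the RE is counted, logged and discarded */
            term deny-rest {
                then {
                    count protect-re-denied;
                    log;
                    discard;
                }
            }
        }
        /* Per-unit ingress policing, inherited via the wildcard group below */
        filter ingress-police {
            term police-all {
                then {
                    policer ingress-policer;
                    accept;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 192.0.2.1/32;
            }
        }
    }
}
groups {
    police-all-units {
        interfaces {
            <ge-*> {
                unit <*> {
                    family inet {
                        filter {
                            input ingress-police;
                        }
                    }
                }
            }
        }
    }
}
apply-groups police-all-units;
```

Two checks before committing something like this: the lo0.0 filter is evaluated for traffic to any local address (interface addresses included, not just lo0), but never for transit traffic, so the final discard term will lock you out of anything not explicitly permitted above it (SSH, NTP, DNS, SNMP and any other protocol the box speaks). Permit those first, and use `commit confirmed` so a mistake rolls back on its own. The ingress-police filter, by contrast, sits in the transit path and polices customer traffic too, so size its policer for the links it lands on.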