Creating a decent RE protection filter on a Juniper ACX5048 / ACX5096

tl;dr We got our hands on a Juniper ACX5048. We were testing it as an access router for our new network and immediately ran into trouble. It turns out you cannot apply an input filter on lo0 interfaces, which is a huge problem for hardening the device itself with an RE (routing engine) protection filter. There are also some other issues you need to be aware of when deploying this router with multiple routing-instances. In this article I will go into getting around the limitations of the ACX50xx with regard to RE protection.

The problem

One of the first things we noticed is the inability to apply an input filter to lo0 interfaces. This is a problem because you can only apply input filters to forwarding-options or to physical interfaces. This means that you have to create a generic filter that singles out traffic going to the RE and filters that, while all other traffic transiting the router has to be allowed. This can be a problem if you have a router with a lot of IPs that can also change (e.g. when adding or removing customer subscriptions).

Automagically creating prefix-lists with local addresses

So we have to have a couple of prefix-lists that contain all the router's IPv4 and IPv6 addresses, but we also want to avoid any chance of misconfiguring these prefix-lists by hand. The plan was to generate the prefix-lists from a commit script, inspired by this thread: https://lists.gt.net/nsp/juniper/57705. We modified the script suggested in the thread to make a persistent change and added an IPv6 list, resulting in this script:

version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match configuration {
    /* persistent change: both prefix-lists are regenerated on every commit */
    <change> {
        <policy-options> {
            <prefix-list> {
                <name> "ifl-addr-v4";
                /* every IPv4 address on every unit (lo0 included), mask length stripped */
                for-each (interfaces/interface/unit/family/inet/address) {
                    var $address = substring-before(name, "/");
                    <prefix-list-item> {
                        <name> $address;
                    }
                }
            }
            <prefix-list> {
                <name> "ifl-addr-v6";
                /* same for IPv6 */
                for-each (interfaces/interface/unit/family/inet6/address) {
                    var $address = substring-before(name, "/");
                    <prefix-list-item> {
                        <name> $address;
                    }
                }
            }
        }
    }
}

You can activate this commit script by adding this to the config:

{master:0}[edit system scripts]
user@device# show 
commit {
    file ifl-addr.slax;
}

Creating an RE-protection filter

With the prefix-lists in place, the filter only needs to single out traffic destined to one of the router's own addresses: terms that accept wanted traffic to those addresses come first, a discard for everything else destined to them follows, and a final term accepts all transit traffic. Make sure every control-plane protocol the box actually runs (BGP, OSPF, BFD, ICMP, NTP, DNS replies and so on) gets its own accept term before the discard term, or the filter will silently drop it.

firewall {
    family inet {
        filter re-protect-v4 {
            term tem-ssh-jtac {
                from {
                    source-address {
                        10.10.10.10/32;
                    }
                    destination-prefix-list {
                        ifl-addr-v4;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    accept;
                }
            }
            ## Add other terms ie BGP etc
            ## Deny all other traffic to RE
            term everything-else-discard {
                from {
                    destination-prefix-list {
                        ifl-addr-v4;
                    }
                }
                then {
                    discard;
                }
            }
            ## Allow all transit traffic
            term all-else {
                then {
                    accept;
                }
            }
        }
    }
}

Now you can apply this filter either to every family inet interface on your router or, in one go, to forwarding-options:

tst> show configuration forwarding-options 
family inet {
    filter {
        input re-protect-v4;
    }
}

One more thing

If you think you are done, you are wrong. You need to apply this filter to every routing-instance you are running on the box. But you can't! Every filter can only be applied once. So you have to create an RE-protection filter for every routing-instance, or... do this:

## Create an apply-group with the generic RE protection terms
groups {
    re-protect-v4-apply {
        firewall {
            family inet {
                filter <*> {
                    ## all your terms here (the terms from re-protect-v4 above)
                }
            }
        }
    }
}

## Apply the same apply-group to different firewall filters
firewall {
    family inet {
        filter re-protect-v4-test1 {
            apply-groups re-protect-v4-apply;
        }
        filter re-protect-v4-test2 {
            apply-groups re-protect-v4-apply;
        }
    }
}

## Apply the firewall filters appropriately to every instance
tst> show configuration forwarding-options
family inet {
    filter {
        input re-protect-v4-test1;
    }
}
tst> show configuration routing-instances test2 forwarding-options
family inet {
    filter {
        input re-protect-v4-test2;
    }
}
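As an added example (not Juniper's code and not part of the original post), the script below audits a Junos XML configuration export offline against the scheme above: it mirrors the ifl-addr-v4/v6 commit script in Python and checks that the main instance and every routing-instance has its own forwarding-options inet input filter, flagging instances without one and filters reused across instances. The XML element layout is an assumption and SAMPLE_CONFIG is constructed.

```python
"""Added example, not Juniper's or the post's code: audit a Junos XML config
export against the RE-protection scheme above (mirrors the ifl-addr commit
script and checks each instance's forwarding-options inet input filter).
XML element layout is assumed; SAMPLE_CONFIG is constructed sample input."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<configuration>
 <interfaces>
  <interface><name>lo0</name><unit><name>0</name><family>
   <inet><address><name>192.0.2.1/32</name></address></inet>
   <inet6><address><name>2001:db8::1/128</name></address></inet6>
  </family></unit></interface>
  <interface><name>xe-0/0/0</name><unit><name>0</name><family>
   <inet><address><name>198.51.100.1/30</name></address></inet>
  </family></unit></interface>
 </interfaces>
 <forwarding-options><family><inet><filter><input>
  <filter-name>re-protect-v4-test1</filter-name></input></filter></inet></family>
 </forwarding-options>
 <routing-instances>
  <instance><name>test2</name><forwarding-options><family><inet><filter><input>
   <filter-name>re-protect-v4-test2</filter-name></input></filter></inet></family>
  </forwarding-options></instance>
  <instance><name>cust3</name></instance>
  <instance><name>cust4</name><forwarding-options><family><inet><filter><input>
   <filter-name>re-protect-v4-test1</filter-name></input></filter></inet></family>
  </forwarding-options></instance>
 </routing-instances>
</configuration>"""

ADDR = "interfaces/interface/unit/family/%s/address/name"
FILTER = "forwarding-options/family/inet/filter/input/filter-name"

def local_prefix_lists(config_xml):
    """Same selection as the SLAX script: every inet/inet6 address on every unit, mask stripped."""
    root = ET.fromstring(config_xml)
    pick = lambda fam: {n.text.split("/")[0] for n in root.iterfind(ADDR % fam)}
    return pick("inet"), pick("inet6")

def audit_re_filters(config_xml):
    """Filter per instance ('master' = main instance, None = missing), missing list, reused list."""
    root = ET.fromstring(config_xml)
    applied = {"master": root.findtext(FILTER)}
    for inst in root.iterfind("routing-instances/instance"):
        applied[inst.findtext("name")] = inst.findtext(FILTER)
    used = [f for f in applied.values() if f]
    missing = sorted(k for k, f in applied.items() if f is None)   # no RE protection at all
    reused = sorted({f for f in used if used.count(f) > 1})        # a filter can only be applied once
    return applied, missing, reused
```

Run it against the output of `show configuration | display xml` before committing; an instance in the missing list has no RE protection, and a filter in the reused list needs its own copy via the apply-group trick.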
Sources:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28893

https://lists.gt.net/nsp/juniper/57705