Configure Control and Management Plane Protection
For supported software information, click here.
The Versa Operating SystemTM (VOSTM) basic solution tier subscription has features that protect critical functions of the control and management planes against surges in traffic volume. Surge protection prevents unnecessary traffic from overwhelming the control and management plane processes, thus preventing this traffic from affecting the normal functioning of the system.
Control plane processes include ARP, multicast, BGP, DHCP, DNS, and OSPF. Management plane processes include FTP, NTP, SNMP, SSH, and TFTP. Typically, traffic that a VOS device receives over network interfaces, such as LAN and WAN interfaces, is categorized as either control and management plane traffic or as data plane traffic. Any traffic not handled by the control and management plane processes is considered to be data plane traffic and is handled by the VOS network and security functions.
The standard VOS zone protection and denial-of-service (DoS) features, which are part of the VOS firewall services, protect against surges in data plane traffic, such as DoS attacks, preventing the data traffic from passing to the end VOS devices.
This article primarily discusses how VOS devices process control plane traffic and how this processing impacts the security of the VOS device.
As a security-hardening measure, control plane services are not enabled on VOS devices by default. This means that, by default, all traffic categorized as control plane traffic is dropped immediately. You must explicitly enable any desired control plane services, such as a DHCP server or relay, BGP, or OSPF, so that VOS devices allow that particular type of control plane traffic. For the control plane services that you enable, you can configure them to protect against traffic surges. For example, a DoS attack can cause a spike in control plane utilization. While the VOS device can manage high CPU conditions using the self-protection features provided by the Linux kernel, the response of the device may slow down. So, to protect the VOS control plane services against DoS attacks, and for additional control and management plane protection, you can configure class of service (CoS) to prioritize traffic so that more important traffic is handled with a higher priority. For more information, see Configuration Example for Control Plane and Management Plane Protection below.
By default, VOS devices implement a deny-all approach, and only ports that are essential for a configured service are kept open. This strategy also applies to traffic inbound to the host. For example, UDP ports 67 and 68 are open only when you configure a DHCP service. For a LAN device on which you enable a DHCP server or configure DHCP relay, the two UDP ports are used to assign IP addresses to LAN users. For a WAN device, the ports are used by DHCP to assign IP addresses. This traffic limiting also applies to other services. For example, if you configure DNS proxy, TCP, or UDP, port 53 is opened on the LAN side. You do not have to create a QoS deny policy on the VOS device to block unauthorized inbound host traffic, because the VOS device does not respond if a service is not configured.
To prevent traffic from overwhelming the control and management planes, and to fully protect VOS devices, you can use policers to limit the rate of inbound host traffic for the following protocols: BFD, BGP, DHCP, DNS, ICMP, NTP, OSPF, SSH, and VRRP. Choosing the policer rate for each protocol depends on multiple factors, including the network infrastructure and configuration, the number of users on a particular segment, VOS device hardware, and the services used. For example, for a small branch, the policer rate can include an observation period to check whether the threshold is crossed on the CoS policer. Periodic verifications can reveal whether the policer rate is too high to allow for normal operations, or whether the root cause of a traffic issue is a transient problem. Based on these results, you can change or optimize the policer rate. Note, however, that policers for control and management traffic are not widely deployed and so control and management plane protection mainly relies on the default built-in protections described above. For more information, see Policing Ingress Traffic.
Configure Control Plane and Management Plane Protection
To configure control plane and management plane rate-limiting protection:
- Configure a QoS profile to limit traffic:
- In Director view:
- Select the Configuration tab in the top menu bar.
- Select Devices > Devices in the horizontal menu bar.
- Select an organization in the left menu bar.
- Select a Controller node in the main pane. The view changes to Appliance view.
- Select the Configuration tab in the top menu bar.
- Select Networking > Class of Service > QoS Profiles in the left menu bar.
- Click the Add icon to add a QoS profile. The Add QoS Profile window displays.
- Enter a name for the QoS profile (here, Low-Bandwidth).
- Enter values for Peak Rate (Kbps) and Peak Burst Size (Bytes).
- For information about configuring the other fields, see Configure QoS Profiles.
- Click OK.
- In Director view:
- Configure a QoS policy rule to associate with the QoS profile. You can also configure additional match criteria, as required. In this example, ICMP and destination IP address zone (host) are configureed.
- In Director view:
- Select the Configuration tab in the top menu bar.
- Select Devices > Devices in the horizontal menu bar.
- Select an organization in the left menu bar.
- Select a Controller node in the main pane. The view changes to Appliance view.
- Select the Configuration tab in the top menu bar.
- Select Networking > Class of Service > QoS Policies in the left menu bar.
- Select the Rules tab in the horizontal menu bar.
- Click the Add icon to add a QoS policy rule. The Add Rule popup window displays.
- Select the General tab.
- Add a name for the QoS rule (here, ICMP-Policer).
- Select the Destination tab.
- In the Destination Zone table, click the Add icon, and select a host from the options to protect ICMP traffic to the host. You can also select IP addresses to protect from traffic. For more information, see Configure Address Objects.
- Click + New Zone to add a zone. For more information, see Configure Zones and Zone Protection Profiles.
- Select the Headers/Schedule tab.
- In the Services table, click the Add icon, and select ICMP from the predefined list. You can also select OSPF or BGP from the predefined list. To combine two service objects, such as ICMP and BGP in a QoS rule, select both the services from the predefined list. For example:
- Click + New Service to add a new service. For more information, see Configure Service Objects.
- Click the Enforce tab to associate the rule with the QoS profile.
- In the QoS Profile field, select the QoS profile that you configured in Step 1.
- For more information about configuring other fields, see Configure QoS Policies.
- Click OK to configure a QoS rule for control plane and management plane protection.
- In Director view:
You can also configure QoS policy rules for control and management plane protection using broadcast or multicast packet floods by setting traffic limits:
- In the Add QoS Rule popup window, select the Layer 2 tab.
- In the MAC Address Type field, select broadcast or multicast in the MAC Address Type field.
- For more information about configuring the other fields, see Configure QoS Policies.
- Click OK.
Monitor QoS Profiles and Policer Statistics
You monitor the policer statistics for QoS policies, checking the packets per second (pps) policer configured for ICMP traffic towards the host. For more information, see Monitor Device Services.
To monitor QoS profiles:
- Select the Administration tab in the top menu bar.
- Select Appliances in the left menu bar.
- Select a device name in the main pane. The view changes to Appliance view.
- Select the Monitor tab in the top menu bar.
- Select the organization or tenant in the left menu bar.
- Select Networking > CoS, and click the QoS Policies tab.
- Select a policy from the drop-down list. The QoS policy statistics displays information such as the number of dropped packets and bytes.
Supported Software Information
Releases 20.2 and later support all content described in this article.