Juniper EX switch stops passing DHCP packets after RE-Protect is configured (juniper sling)

User submission 419 2022-09-25



An MX acts as the DHCP server and assigns IP addresses to end users; the EX aggregation and EX access switches forward the DHCP packets to the DHCP server transparently at Layer 2.

Some attack traffic drove the CPU of the EX aggregation and access switches to 100%. To filter the abnormal traffic, I started deploying RE-Protect on the EX switches. Since these are Layer 2 switches carrying no Layer 3 services, the filter only needs to permit management of the switch itself.

The RE protection configuration is as follows:

/* allow telnet management of the switch */
set firewall family inet filter Protect-RE term telnet from protocol tcp
set firewall family inet filter Protect-RE term telnet from destination-port 23
set firewall family inet filter Protect-RE term telnet then accept
/* allow icmp to the switch */
set firewall family inet filter Protect-RE term icmp from protocol icmp
set firewall family inet filter Protect-RE term icmp then accept
/* allow ftp to the switch */
set firewall family inet filter Protect-RE term ftp from protocol tcp
set firewall family inet filter Protect-RE term ftp from destination-port ftp
set firewall family inet filter Protect-RE term ftp from destination-port ftp-data
set firewall family inet filter Protect-RE term ftp then accept
/* everything else is treated as untrusted traffic and discarded */
set firewall family inet filter Protect-RE term deny-all then discard

Note: on low-end switches the RE protection filter cannot be configured with auxiliary actions such as count or log.

/* apply the RE protection filter on the loopback interface; in Junos, lo0 is the path between the PFE and the RE */
set interfaces lo0 unit 0 family inet filter input Protect-RE

After this configuration was applied, switch management and service tests were normal. Half an hour later, however, a fault was reported: none of the DHCP users could obtain an IP address or renew their lease.

Troubleshooting showed the cause: DHCP snooping is enabled on the EX switches, so the switch has to inspect DHCP packets (they are punted to the RE rather than forwarded purely in hardware). The RE protection filter did not permit DHCP traffic, so users could not complete the DHCP exchange.

The configuration was changed as follows to let the switch process DHCP packets:

set firewall family inet filter Protect-RE term dhcp from protocol udp
set firewall family inet filter Protect-RE term dhcp from destination-port 67
set firewall family inet filter Protect-RE term dhcp from destination-port 68
set firewall family inet filter Protect-RE term dhcp then accept

set firewall family inet filter Protect-RE term boot from protocol udp
set firewall family inet filter Protect-RE term boot from destination-port bootpc
set firewall family inet filter Protect-RE term boot then accept
set firewall family inet filter Protect-RE term boots from destination-port bootps
set firewall family inet filter Protect-RE term boots then accept

A stricter way to configure it:

set firewall family inet filter RE-protect term dhcp-client-accept from source-address 0.0.0.0/32
set firewall family inet filter RE-protect term dhcp-client-accept from destination-address 255.255.255.255/32
set firewall family inet filter RE-protect term dhcp-client-accept from protocol udp
set firewall family inet filter RE-protect term dhcp-client-accept from source-port 68
set firewall family inet filter RE-protect term dhcp-client-accept from destination-port 67
set firewall family inet filter RE-protect term dhcp-client-accept then count dhcp-client-accept
set firewall family inet filter RE-protect term dhcp-client-accept then accept

set firewall family inet filter RE-protect term dhcp-server-accept from protocol udp
set firewall family inet filter RE-protect term dhcp-server-accept from source-port 67
set firewall family inet filter RE-protect term dhcp-server-accept from source-port 68
set firewall family inet filter RE-protect term dhcp-server-accept from destination-port 67
set firewall family inet filter RE-protect term dhcp-server-accept from destination-port 68
set firewall family inet filter RE-protect term dhcp-server-accept then count dhcp-server-accept
set firewall family inet filter RE-protect term dhcp-server-accept then accept

With these terms added, DHCP users obtain IP addresses from the MX router again and access the Internet normally.

Checking the DHCP snooping state on the EX switch:

{master:0}
admin@EX2200> show dhcp snooping binding
DHCP Snooping Information:
MAC address        IP address     Lease (seconds)  Type     VLAN     Interface
40:62:31:04:0A:40  10.33.81.227   542              dynamic  vlan851  ge-0/0/45.0
08:10:75:D8:E9:E2  10.33.83.44    496              dynamic  vlan853  ge-0/0/19.0
1C:39:47:C9:78:92  10.33.83.71    33               dynamic  vlan853  ge-0/0/25.0
1C:AF:F7:D1:4E:AE  10.33.83.222   536              dynamic  vlan853  ge-0/0/37.0
34:17:EB:DF:7F:5D  10.33.83.211   549              dynamic  vlan853  ge-0/0/23.0
38:A2:8C:D9:FC:43  10.33.83.75    273              dynamic  vlan853  ge-0/0/20.0
50:9A:4C:0D:28:17  10.33.83.100   322              dynamic  vlan853  ge-0/0/4.0
58:D9:D5:47:01:08  10.33.83.68    554              dynamic  vlan853  ge-0/0/5.0
98:90:96:AC:A4:3E  10.33.83.59    375              dynamic  vlan853  ge-0/0/2.0
98:EE:CB:45:24:2E  10.33.83.50    490              dynamic  vlan853  ge-0/0/6.0
98:EE:CB:69:EB:7D  10.33.83.243   315              dynamic  vlan853  ge-0/0/7.0
A4:93:3F:5B:0B:54  10.33.83.74    192              dynamic  vlan853  ge-0/0/25.0
FC:4D:D4:D7:D3:36  10.33.83.20    450              dynamic  vlan853  ge-0/0/13.0

Once RE protection is configured on a Juniper device, every protocol enabled later must also be permitted in the RE protection filter. A newly added term is placed at the end of the filter by default, after deny-all, where it never matches; use the insert command with after or before to put each term in the right position.
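The following is an added example, not part of the original post or of Junos: a small first-match model of the Protect-RE filter that reproduces the failure described above (DHCP traffic punted to the RE by DHCP snooping falls through to deny-all), shows the stricter dhcp-client-accept and dhcp-server-accept terms matching a DISCOVER and an OFFER, and shows why a term appended after deny-all never matches. The packets, the server address 192.0.2.1 and the client host addresses are constructed; the post does not give the MX's address.

```python
"""Added example: first-match evaluation of a Junos-style Protect-RE filter.
Not the switch's code; a model used to illustrate term matching and ordering.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Term:
    name: str
    action: str         # "accept" or "discard"
    protocol: Optional[str] = None
    source_address: Optional[str] = None
    destination_address: Optional[str] = None
    source_port: Tuple[int, ...] = ()
    destination_port: Tuple[int, ...] = ()

    def matches(self, p: Packet) -> bool:
        # As in Junos, every configured from-condition must hold (AND across
        # conditions); a multi-valued port list is an OR within one condition.
        if self.protocol and p.proto != self.protocol:
            return False
        if self.source_address and ip_address(p.src) not in ip_network(self.source_address):
            return False
        if self.destination_address and ip_address(p.dst) not in ip_network(self.destination_address):
            return False
        if self.source_port and p.sport not in self.source_port:
            return False
        if self.destination_port and p.dport not in self.destination_port:
            return False
        return True


def evaluate(terms: List[Term], p: Packet) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term; a filter with no
    matching term discards the packet, which is the Junos default."""
    for t in terms:
        if t.matches(p):
            return t.name, t.action
    return "<implicit>", "discard"


def insert_term(terms: List[Term], new: Term, *, before: Optional[str] = None,
                after: Optional[str] = None) -> List[Term]:
    """Model of `insert ... term NEW before|after term EXISTING`; with neither
    keyword the term is appended, which is what a plain `set` does."""
    names = [t.name for t in terms]
    if before is not None:
        idx = names.index(before)
    elif after is not None:
        idx = names.index(after) + 1
    else:
        idx = len(terms)
    return terms[:idx] + [new] + terms[idx:]


# The post's original filter: ftp and ftp-data are ports 21 and 20.
ORIGINAL = [
    Term("telnet", "accept", protocol="tcp", destination_port=(23,)),
    Term("icmp", "accept", protocol="icmp"),
    Term("ftp", "accept", protocol="tcp", destination_port=(21, 20)),
    Term("deny-all", "discard"),
]

# The post's stricter DHCP terms.
DHCP_CLIENT = Term("dhcp-client-accept", "accept", protocol="udp",
                   source_address="0.0.0.0/32", destination_address="255.255.255.255/32",
                   source_port=(68,), destination_port=(67,))
DHCP_SERVER = Term("dhcp-server-accept", "accept", protocol="udp",
                   source_port=(67, 68), destination_port=(67, 68))

# Constructed sample packets (addresses are placeholders, not from the post).
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)   # client, no lease yet
OFFER = Packet("udp", "192.0.2.1", "255.255.255.255", 67, 68)    # server reply, broadcast
TELNET = Packet("tcp", "192.0.2.10", "192.0.2.2", 40000, 23)     # management session


def revised_filter() -> List[Term]:
    """DHCP terms inserted before deny-all, as the insert command would do."""
    terms = insert_term(ORIGINAL, DHCP_CLIENT, before="deny-all")
    return insert_term(terms, DHCP_SERVER, before="deny-all")


def misordered_filter() -> List[Term]:
    """DHCP terms added with plain `set`: they land after deny-all."""
    return insert_term(insert_term(ORIGINAL, DHCP_CLIENT), DHCP_SERVER)


if __name__ == "__main__":
    for label, terms in (("original", ORIGINAL), ("revised", revised_filter()),
                         ("misordered", misordered_filter())):
        for pkt in (DISCOVER, OFFER, TELNET):
            print(label, pkt.proto, pkt.src, "->", pkt.dst, evaluate(terms, pkt))
```

Running the model shows the DISCOVER hitting deny-all in the original filter, dhcp-client-accept in the revised one, and deny-all again when the DHCP terms are merely appended. On the switch the corresponding reorder is the standard Junos form `insert firewall family inet filter Protect-RE term dhcp-client-accept before term deny-all`. The model also makes visible that dhcp-server-accept matches UDP 67/68 from any address; where the DHCP server's address is known, adding a source-address condition to that term narrows what the RE will accept.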

