Protect RE – Common Network Protocols
Protect RE (Routing Engine) is a Juniper Networks security best practice that uses a stateless firewall filter on the loopback interface (lo0) to secure the control plane. It restricts management traffic (SSH, SNMP) to trusted sources and protects the CPU from malicious traffic or resource exhaustion (e.g., DoS attacks).
Key Aspects of Protect RE on Juniper MX:
- Function: It protects the RE (the “brain” of the router) by filtering incoming management traffic (SSH, SNMP) and control plane traffic (BGP, OSPF, NTP).
- Implementation: A filter is applied to the lo0.0 interface, usually acting as the last line of defense for the control plane.
- Traffic Management: It allows necessary traffic (like BGP, SSH from trusted IPs) and drops unauthorized packets before they consume CPU resources.
- Rate Limiting: It often includes policers to limit TCP and ICMP traffic (e.g., to 100 Kbps) to prevent flooding.
- Best Practice: It is highly recommended to configure this to prevent DoS attacks from impacting network stability.
On the job, or for the JNCIE exam, it is important to know the details about the common protocols that communicate with the RE. We must know details like protocol purpose, how they work, how they are encapsulated (TCP, UDP or other), port numbers, best practices, how to quickly configure the filter for each, and other relevant details.
Next, for quick reference, here is a list of the most common protocols that a network engineer can encounter on a daily basis or on the JNCIE exam:
| Protocol | Encapsulation | Port Number | Notes |
|---|---|---|---|
| SSH | IP(6), TCP | ssh (22) | |
| Telnet | IP(6), TCP | telnet (23) | |
| FTP | IP(6), TCP | ftp (21), ftp-data (20) | |
| TFTP | IP(17), UDP | tftp (69) | |
| SFTP / SCP | IP(6), TCP | 22 | SCP uses Secure Shell (SSH) for data transfer and uses the same mechanisms for authentication. <https://en.wikipedia.org/wiki/Secure_copy_protocol> |
| Netconf | IP(6), TCP | 830 | |
| DNS | IP(17), UDP | domain (53) | The Domain Name System originally used UDP as transport over IP. Reliability, security, and privacy concerns spawned the use of TCP as well as numerous other protocol developments. <https://en.wikipedia.org/wiki/Domain_Name_System> While the use of UDP in DNS is the default, the use of TCP is becoming increasingly more common. |
| RADIUS | IP(17), UDP | radius (1812,1813) | RADIUS is transported over UDP/IP on ports 1812 (authentication) and 1813 (authorization). <https://en.wikipedia.org/wiki/RADIUS> Historic implementations used ports 1645 and 1646. |
| TACACS | IP(6), TCP | tacacs (49) | |
| NTP | IP(17), UDP | ntp (123) | |
| SNMP | IP(17), UDP | snmp (161) snmptrap (162) | Ports: 161, 162 (Trap) <https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol> |
| AH | IP(51 ?), AH | – | |
| BFD | IP(17), UDP | 3784, 3785; 4784 (multihop); 6784 (micro BFD); 7784 (seamless BFD); 49152-65535 (source) | UDP ports 3784 and 3785 are reserved for BFD. Port 3785 is used for the BFD echo function; normal BFD control packets use only port 3784, for both the sender and the responder. IANA has allocated 6784 as the UDP destination port for micro-BFD. <https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/topic-map/bfd.html> The source port MUST be in the range of 49152 through 65535. <https://supportportal.juniper.net/s/article/FAQ-for-Bidirectional-Forwarding-Detection-BFD?language=en_US> |
| VRRP | IP(112), VRRP | – | |
| RIP | IP(17), UDP | rip (520) ripng (521) | RIP uses the User Datagram Protocol (UDP) as its transport protocol, and is assigned the reserved port number 520. From <https://en.wikipedia.org/wiki/Routing_Information_Protocol> RIPng is a UDP-based protocol and uses UDP port 521 (see the "RIP and RIPng Overview" page in the Junos OS documentation from Juniper Networks). |
| OSPF | IP(89), OSPF | – | |
| ISIS | Ethernet, ISIS | – | IS-IS was originally developed by DEC for CLNS, not for IP. So, IS-IS rides directly on top of an Ethernet header, using its own header format. IS-IS is not encapsulated in an IP packet. |
| BGP | IP(6), TCP | bgp (179) | |
| LDP | IP(17), UDP IP(6), TCP | ldp (646) | The Label Distribution Protocol (LDP) uses port 646 over UDP and TCP. UDP is used for transporting hello discovery messages, whereas TCP is used for label exchange. LDP and tLDP discovery runs on UDP port 646 and the session is built on TCP port 646. <https://en.wikipedia.org/wiki/Label_Distribution_Protocol> |
| RSVP | IP(46), RSVP | – | |
| PIM | IP(103), PIM | – | |
| IGMP | IP(2), IGMP | – | |
| MSDP | IP(6), TCP | msdp (639) | In a peering relationship, one Multicast Source Discovery Protocol (MSDP) peer listens for new TCP connections on the well-known port 639. <https://en.wikipedia.org/wiki/Multicast_Source_Discovery_Protocol> |
| ICMP | IP(1), ICMP | – | |
| TRACERT | IP(17), UDP IP(1), ICMP | 33434–33534 (for UDP) | Junos uses UDP for tracert (tested with pcap in VMM). On Unix-like operating systems, traceroute sends, by default, a sequence of User Datagram Protocol (UDP) packets, with destination port numbers ranging from 33434 to 33534; On Windows, tracert sends ICMP Echo Request packets, rather than the UDP packets traceroute sends by default. <https://en.wikipedia.org/wiki/Traceroute> Like Linux, Cisco uses UDP for traceroute. |
| LSP PING | IP(17), UDP | 3503 8503 | <https://supportportal.juniper.net/s/article/Junos-Failing-to-allow-MPLS-LSP-self-ping-may-cause-LSP-to-not-follow-the-optimized-path> |
Note – how to read the Encapsulation Column
For example, the number 6 in “IP(6), TCP” is the value of the 8-bit Protocol field in the IP header. This field identifies the type of protocol that is encapsulated inside the IP packet, so the receiving device knows which upper-layer protocol should process the data. Each protocol has a specific number, for example:
- 1 for ICMP (Internet Control Message Protocol)
- 6 for TCP (Transmission Control Protocol)
- 17 for UDP (User Datagram Protocol).
Even though the JunOS CLI can help you when configuring the protect-re filter (notice the JunOS predefined names for ports used by the well-known protocols), you still must be familiar with the common protocols that are running on the network.
```text
root@R1# set firewall family inet filter TEST term 1 from protocol ?
Possible completions:
<range> Range of values
[ Open a set of values
ah IP Security authentication header
dstopts IPv6 destination options
egp Exterior gateway protocol
esp IPSec Encapsulating Security Payload
fragment IPv6 fragment header
gre Generic routing encapsulation
hop-by-hop IPv6 hop by hop options
icmp Internet Control Message Protocol
icmp6 Internet Control Message Protocol Version 6
igmp Internet Group Management Protocol
ipip IP in IP
ipv6 IPv6 in IP
no-next-header IPv6 no next header
ospf Open Shortest Path First
pim Protocol Independent Multicast
routing IPv6 routing header
rsvp Resource Reservation Protocol
sctp Stream Control Transmission Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
vrrp Virtual Router Redundancy Protocol
```
```text
root@R1# set firewall family inet filter TEST term 1 from port ?
Possible completions:
<range> Range of values
[ Open a set of values
afs AFS
bgp Border Gateway Protocol
biff Biff/Comsat
bootpc Bootstrap protocol client
bootps Bootstrap protocol server
cmd UNIX rsh
cvspserver CVS pserver
dhcp Dynamic Host Configuration Protocol
domain Domain Name System (DNS)
eklogin Encrypted Kerberos rlogin
ekshell Encrypted Kerberos rsh
exec UNIX rexec
finger Finger
ftp FTP
ftp-data FTP data
http Hypertext Transfer Protocol
https Secure HTTP
ident Ident
imap Internet Message Access Protocol
kerberos-sec Kerberos Security
klogin Kerberos rlogin
kpasswd Kerberos passwd
krb-prop Kerberos database propagation
krbupdate Kerberos database update
kshell Kerberos rsh
ldap Lightweight Directory Access Protocol
ldp Label Distribution Protocol
login UNIX rlogin
mobileip-agent Mobile IP agent
mobilip-mn Mobile IP MN
msdp Multicast Source Discovery Protocol
netbios-dgm NetBIOS DGM
netbios-ns NetBIOS name service
netbios-ssn NetBIOS session service
nfsd Network File System
nntp Network News Transport Protocol
ntalk New Talk
ntp Network Time Protocol
pop3 Post Office Protocol 3
pptp Point-to-Point Tunneling Protocol
printer Printer
radacct RADIUS accounting
radius RADIUS authentication
rip Routing Information Protocol
rkinit Kerberos remote kinit
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
snmptrap SNMP traps
snpp Simple paging protocol
socks Socks
ssh Secure shell
sunrpc Sun Microsystems remote procedure call
syslog System log
tacacs TACACS or TACACS+
tacacs-ds TACACS-DS
talk UNIX Talk
telnet Telnet
tftp Trivial FTP
timed UNIX time daemon
who UNIX rwho
xdmcp X Display Manager Control Protocol
zephyr-clt Zephyr serv-hm connection
zephyr-hm Zephyr hostmanager
zephyr-srv Zephyr server
```
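To tie the protocol table and the predefined port names together, here is a compact protect-re filter in set format, applied to lo0.0 with a 100 Kbps ICMP policer as described above. This is an added example, not configuration from the original post or from Juniper's documentation; the prefix-list names, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 sample prefixes and the filter name protect-re are assumptions, and the `#` lines are explanation rather than configuration.

```junos
# Trusted sources (sample prefixes are constructed; replace with your own)
set policy-options prefix-list mgmt-hosts 192.0.2.0/24
set policy-options prefix-list bgp-peers 198.51.100.1/32
set policy-options prefix-list bgp-peers 198.51.100.2/32
set policy-options prefix-list ntp-servers 203.0.113.10/32
set policy-options prefix-list snmp-managers 192.0.2.50/32
# Policer: cap ICMP towards the RE at 100 Kbps, excess is discarded
set firewall policer limit-icmp if-exceeding bandwidth-limit 100k
set firewall policer limit-icmp if-exceeding burst-size-limit 15k
set firewall policer limit-icmp then discard
# Routing protocols: OSPF is IP protocol 89 (no port), BFD control is UDP/3784
set firewall family inet filter protect-re term allow-ospf from protocol ospf
set firewall family inet filter protect-re term allow-ospf then accept
set firewall family inet filter protect-re term allow-bfd from protocol udp
set firewall family inet filter protect-re term allow-bfd from destination-port 3784
set firewall family inet filter protect-re term allow-bfd then accept
# BGP: TCP/179 only from configured peers; "port" matches either direction
set firewall family inet filter protect-re term allow-bgp from source-prefix-list bgp-peers
set firewall family inet filter protect-re term allow-bgp from protocol tcp
set firewall family inet filter protect-re term allow-bgp from port bgp
set firewall family inet filter protect-re term allow-bgp then accept
# Management plane, restricted to trusted sources (predefined names: ssh, snmp, ntp)
set firewall family inet filter protect-re term allow-ssh from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term allow-ssh from protocol tcp
set firewall family inet filter protect-re term allow-ssh from destination-port ssh
set firewall family inet filter protect-re term allow-ssh then accept
set firewall family inet filter protect-re term allow-snmp from source-prefix-list snmp-managers
set firewall family inet filter protect-re term allow-snmp from protocol udp
set firewall family inet filter protect-re term allow-snmp from destination-port snmp
set firewall family inet filter protect-re term allow-snmp then accept
set firewall family inet filter protect-re term allow-ntp from source-prefix-list ntp-servers
set firewall family inet filter protect-re term allow-ntp from protocol udp
set firewall family inet filter protect-re term allow-ntp from port ntp
set firewall family inet filter protect-re term allow-ntp then accept
# ICMP is accepted but rate-limited by the policer above
set firewall family inet filter protect-re term limit-icmp from protocol icmp
set firewall family inet filter protect-re term limit-icmp then policer limit-icmp
set firewall family inet filter protect-re term limit-icmp then accept
# Last term: count and log everything else, then drop it before it reaches the CPU
set firewall family inet filter protect-re term discard-all then count protect-re-discards
set firewall family inet filter protect-re term discard-all then syslog
set firewall family inet filter protect-re term discard-all then discard
# Apply as an input filter on the loopback interface
set interfaces lo0 unit 0 family inet filter input protect-re
```

Commit it with `commit confirmed` so a mistake in the allow-ssh term cannot lock you out of the router, and check what the final term is dropping with `show firewall filter protect-re` before tightening further.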
You can also check out the “Configuring the Protect-RE filter” post, where the focus is on the actual configuration of the Protect RE firewall filter.
External Resources: