Vyatta NOS documentation

Control plane policing for zone-based firewalls

Control plane policing (CPP) allows you to protect Vyatta routers from excessive flooding. CPP filters control plane packet types.

Control plane packets normally do not use much bandwidth. If the router is bombarded with unusually large amounts of control plane traffic, it is probably due to a denial-of-service (DoS) attack or a malfunction of a neighboring device.

If you are using zone-based firewalls, you can use the local-zone keyword to designate CPP as follows:

  • You can designate only one zone as the local zone.
  • You must specify rule sets for traffic from other zones to the local zone.
  • (Optional) You can specify rule sets for traffic from the local zone to other zones.
  • Traffic from the local zone is dropped only if an explicit block rule is matched.

Additional points about control plane traffic coming into the router:

  • If the ingress interface is not included in a zone, then control plane traffic is not filtered regardless of the presence or absence of the local zone.
  • If the local zone is not specified, then control plane traffic is not filtered regardless of whether the ingress interface is included in a zone or not.
  • If the ingress interface is included in a zone and a local zone is specified, then control plane traffic is dropped unless explicitly allowed by a rule set.

Additional points about control plane traffic originating from the router:

  • If the local zone is not specified, then control plane traffic is not filtered regardless of whether the egress interface is included in a zone or not.
  • If the local zone is specified and the egress interface is not included in a zone, then control plane traffic from the router is not filtered.
  • If the egress interface is included in a zone and a local zone is specified, then control plane traffic is dropped unless explicitly allowed by a rule set.

To configure a local zone, use the following commands:

  • To designate one zone as the local zone: set security zone-policy zone LOCAL local-zone
  • To specify a rule set for traffic from the PRIVATE zone to the local zone: set security zone-policy zone PRIVATE to LOCAL PRIV_TO_LOCAL
  • To specify a rule set for traffic from the PUBLIC zone to the local zone: set security zone-policy zone PUBLIC to LOCAL PUB_TO_LOCAL
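The following is an added worked configuration, not taken from the Vyatta documentation, that puts the commands above together: two interface zones, the LOCAL zone designated as the local zone, and one rule set per zone allowing only the control plane traffic the router actually needs. The interface names, the firewall rule-set definitions and the peer address 203.0.113.1 are assumptions; the zone-policy lines use the form shown on this page.

```vyatta
# Added example (not from the Vyatta documentation). Interface names (dp0s3,
# dp0s4), the firewall rule-set contents and the peer address are assumed.

# Interface zones: a trusted LAN zone and an untrusted WAN zone
set security zone-policy zone PRIVATE interface dp0s3
set security zone-policy zone PUBLIC interface dp0s4

# Designate LOCAL as the zone that represents the router's own control plane
set security zone-policy zone LOCAL local-zone

# From PRIVATE: allow SSH management and ICMP to the router; nothing else
set security firewall name PRIV_TO_LOCAL rule 10 action accept
set security firewall name PRIV_TO_LOCAL rule 10 protocol tcp
set security firewall name PRIV_TO_LOCAL rule 10 destination port 22
set security firewall name PRIV_TO_LOCAL rule 20 action accept
set security firewall name PRIV_TO_LOCAL rule 20 protocol icmp

# From PUBLIC: allow only the BGP session from the upstream peer (assumed address)
set security firewall name PUB_TO_LOCAL rule 10 action accept
set security firewall name PUB_TO_LOCAL rule 10 protocol tcp
set security firewall name PUB_TO_LOCAL rule 10 source address 203.0.113.1
set security firewall name PUB_TO_LOCAL rule 10 destination port 179

# Bind each rule set to traffic from its zone into the local zone
set security zone-policy zone PRIVATE to LOCAL PRIV_TO_LOCAL
set security zone-policy zone PUBLIC to LOCAL PUB_TO_LOCAL

commit
```

Because both ingress interfaces belong to a zone and a local zone is specified, any control plane packet from them that no accept rule matches is dropped, which is the CPP behaviour described above; an interface left out of every zone would bypass this filtering entirely.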