This article describes how to block host-bound traffic on Versa FlexVNF.
Use Case
Occasionally, a customer configures an SNMP client on the LAN network. To allow that, the client IP address and its corresponding interface must be added under the "system vnf-manager" hierarchy. However, this also lets the LAN host reach SSH, SNMP and NetConf on the branch device, which may not be feasible or acceptable to the customer.
admin@CPE1-cli> show configuration system vnf-manager
ip-addresses [ 171.10.10.2/32 172.1.1.1/32 ]; <<< 171.10.10.2 is SNMP client IP
vnf-mgmt-interfaces [ tvi-0/5.0 vni-0/1.0 ];
Solution
Host-bound traffic cannot be blocked with security access policies, because that traffic terminates on the CPE itself. Instead, a QoS policy can be configured to block the desired traffic coming from the client and destined to the branch device.
Topology
Configuration
Log in to Versa Director and select the CPE and organization where this change needs to be implemented.
- Configure QoS policy
Navigate to Appliance > Configuration > Class of Service > QoS Policies and click the + button.
Only one QoS policy can exist. By default, "Default-Policy" is configured; if needed, the user can delete the default one and create a new policy.
In this example, we create a new policy.
- Configure QoS policy rules.
Go to Appliance > Configuration > Class of Service > QoS Policies > Rules and click the + button.
- Match source and destination. Here the source zone is "Intf-LAN1-Zone" and the destination zone is "host", meaning host-bound traffic.
- Under the Headers/Schedule tab, match the services to be blocked for the SNMP client (i.e. SSH and NetConf).
- Then navigate to the Enforce tab and select Deny as the Action Setting. This action is applied to the specified QoS rule.
Validation
- Before applying the QoS policy, the SNMP client can run snmpwalk as well as SSH to the branch device.
Last login: Fri Jan 4 00:43:40 2019 from 10.144.2.0
[admin@versa-flexvnf: ~] # snmpwalk -v2c -c versa 171.10.10.1 .1.3.6.1.4.1.42359.2.2.1.1.1.1.3.0
iso.3.6.1.4.1.42359.2.2.1.1.1.1.3.0 = Gauge32: 49
[admin@versa-flexvnf: ~] # ssh admin@171.10.10.1
admin@171.10.10.1's password:
Versa FlexVNF software
Release : 16.1R2 (S6)
Release date: 20181116
Package ID : 67da9db
- After applying the QoS policy, the SNMP client can only run snmpwalk; SSH access is blocked.
[admin@versa-flexvnf: ~] # snmpwalk -v2c -c versa 171.10.10.1 .1.3.6.1.4.1.42359.2.2.1.1.1.1.3.0
iso.3.6.1.4.1.42359.2.2.1.1.1.1.3.0 = Gauge32: 50
[admin@versa-flexvnf: ~] # ssh admin@171.10.10.1
ssh: connect to host 171.10.10.1 port 22: Connection timed out
- QoS policy hit counts
[ok][2019-01-04 15:22:01]
admin@CPE1-cli> show orgs org-services AGR class-of-service qos-policies AGR-QoS-Policy rules qos-policy-stats Allow-SNMP_Only
                          QOS      QOS      QOS      QOS      QOS      PPS      PPS      KBPS     KBPS
                 QOS      DROP     DROP     FORWARD  FORWARD  SESSION  POLICER  POLICER  POLICER  POLICER
                 HIT      PACKET   BYTE     PACKET   BYTE     DENY     PKTS     BYTES    PKTS     BYTES
RULE NAME        COUNT    COUNT    COUNT    COUNT    COUNT    COUNT    DROPPED  DROPPED  DROPPED  DROPPED
---------------------------------------------------------------------------------------------------------
Allow-SNMP_Only  5        0        0        0        0        5        0        0        0        0
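As an added example (not code from the article or from Versa), a small Python parser for the qos-policy-stats output above: it extracts the per-rule counters and checks that the Deny rule is actually matching and denying, which is the confirmation the hit-count check relies on. The rule and command names are the ones from the article; the parser assumes the column order shown in the table and the sample output is constructed from it.

```python
import re

# Column order of the `qos-policy-stats` table, read column by column from its
# four stacked header rows (QOS HIT COUNT, QOS DROP PACKET COUNT, ...).
QOS_STATS_COLUMNS = [
    "qos_hit_count", "qos_drop_packet_count", "qos_drop_byte_count",
    "qos_forward_packet_count", "qos_forward_byte_count",
    "qos_session_deny_count",
    "pps_policer_pkts_dropped", "pps_policer_bytes_dropped",
    "kbps_policer_pkts_dropped", "kbps_policer_bytes_dropped",
]

# Constructed sample: the CLI output from the validation step, with the header
# rows shortened (the parser only reads rows below the dashed separator).
SAMPLE_OUTPUT = """\
[ok][2019-01-04 15:22:01]
admin@CPE1-cli> show orgs org-services AGR class-of-service qos-policies AGR-QoS-Policy rules qos-policy-stats Allow-SNMP_Only
                 QOS      QOS      QOS      QOS      QOS      QOS      PPS      PPS      KBPS     KBPS
RULE NAME        COUNT    COUNT    COUNT    COUNT    COUNT    COUNT    DROPPED  DROPPED  DROPPED  DROPPED
------------------------------------------------------------------------------------------------------
Allow-SNMP_Only  5        0        0        0        0        5        0        0        0        0
"""


def parse_qos_policy_stats(output):
    """Return {rule_name: {column: int}} for every data row below the dashed line."""
    stats = {}
    below_separator = False
    for line in output.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            below_separator = True
            continue
        if not below_separator:
            continue  # prompt, echoed command and header rows
        fields = line.split()
        if len(fields) != len(QOS_STATS_COLUMNS) + 1:
            continue  # blank line or trailing prompt
        name, counters = fields[0], fields[1:]
        if all(c.isdigit() for c in counters):
            stats[name] = dict(zip(QOS_STATS_COLUMNS, map(int, counters)))
    return stats


def deny_rule_is_effective(stats, rule_name):
    """True only if the rule matched traffic and every match was session-denied."""
    row = stats.get(rule_name)
    if row is None or row["qos_hit_count"] == 0:
        return False
    return row["qos_session_deny_count"] == row["qos_hit_count"]
```

A deny rule whose hit count grows while the session-deny count stays at zero is the sign that the Enforce action was left at its default rather than set to Deny.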