Stateless Firewall Filter Overview
Packet Flow Control
To influence which packets are allowed to transit the system and to apply special actions to packets as necessary, you can configure stateless firewall filters. A stateless firewall specifies a sequence of one or more packet-filtering rules, called filter terms. A filter term specifies match conditions to use to determine a match and actions to take on a matched packet. A stateless firewall filter enables you to manipulate any packet of a particular protocol family, including fragmented packets, based on evaluation of Layer 3 and Layer 4 header fields. You typically apply a stateless firewall filter to one or more interfaces that have been configured with protocol family features. You can apply a stateless firewall filter to an ingress interface, an egress interface, or both.
Data Packet Flow Control
To control the flow of data packets transiting the device as the packets are being forwarded from a source to a destination, you can apply stateless firewall filters to the input or output of the router’s or switch’s physical interfaces.
To enforce a specified bandwidth and maximum burst size for traffic sent or received on an interface, you can configure policers. Policers are a specialized type of stateless firewall filter and a primary component of the Junos OS class-of-service (CoS).
Local Packet Flow Control
To control the flow of local packets between the physical interfaces and the Routing Engine, you can apply stateless firewall filters to the input or output of the loopback interface. The loopback interface (lo0) is the interface to the Routing Engine and carries no data packets.
Junos OS Evolved Local Packet Flow Control
In Junos OS Evolved, you can have two different filters: one for network control traffic (loopback traffic) and one for management traffic (management interface). With two filters, you have more flexibility. For example, you can configure a stricter filter on management interface traffic than on network control traffic.
On Junos OS and Junos OS Evolved, network control traffic firewall filters (loopback firewall filters, Lo0/Lo6) behave the same; there is no difference. You configure a Lo0/Lo6 firewall filter at the INET or INET6 firewall filter hierarchy of the Lo0/Lo6 interface. To provide filtering for packets egressing on the Lo0 interface, the firewall filter is implemented in software in the kernel by way of Netfilter. Netfilter is part of the Linux kernel, so no hardware is involved.
The following is a sample configuration for Lo0 firewall filters.
```
set firewall family inet filter finet interface-specific
set firewall family inet filter finet term t1 from source-address 10.0.0.2/32
set firewall family inet filter finet term t1 from destination-address 10.0.0.1/32
set firewall family inet filter finet term t1 from protocol tcp
set firewall family inet filter finet term t1 from source-port ssh
set firewall family inet filter finet term t1 from destination-port ssh
set firewall family inet filter finet term t1 then count c1
set firewall family inet filter finet term t1 then log
set interfaces lo0 unit 0 family inet filter input finet
```
Table 1, Table 2, Table 3, and Table 4 show the supported match conditions and actions for Lo0/Lo6 firewall filter family in Junos OS Evolved.
Table 1: Lo0/Lo6 firewall filter match conditions

Firewall Filter Match Condition | Lo0 | Lo6
---|---|---
ip-destination-address | Yes | Yes
ip-source-address | Yes | Yes
destination-prefix-list | Yes | Yes
source-prefix-list | Yes | Yes
destination-port | Yes | Yes
source-port | Yes | Yes
ip-protocol | Yes | Yes
first-fragment | Yes | No
is-fragment | Yes | No
tcp-flags | Yes | Yes
ttl | Yes | No
dscp | Yes | No

Table 2: Lo0/Lo6 firewall filter match conditions

Firewall Filter Match Condition | Lo0 | Lo6
---|---|---
ip-destination-address | No | Yes
ip-source-address | No | Yes
destination-prefix-list | No | Yes
source-prefix-list | No | Yes
destination-port | No | Yes

Table 3: Lo0/Lo6 firewall filter actions

Action | Lo0 | Lo6
---|---|---
count | Yes | Yes
discard | Yes | Yes
policer | Yes | Yes
three-color-policer | Yes | Yes

Table 4: Lo0/Lo6 firewall filter actions

Action | Lo0 | Lo6
---|---|---
count | Yes | Yes
discard | Yes | Yes
policer | Yes | Yes
three-color-policer | Yes | Yes
Management filtering uses Routing Engine filters based on Netfilter, a framework provided by the Linux kernel. As a result, only certain match conditions and actions are supported. Some key differences between Junos OS and Junos OS Evolved are listed in Routing Engine Firewall Filters.
On Junos OS Evolved, you must explicitly apply a filter to the management interface, because the lo0 filter no longer applies to management traffic as it does on Junos OS.
To filter the management interface, configure the filter at the family INET or INET6 firewall filter hierarchy of the management interface. The following is a sample configuration of a firewall filter on the management interface.
```
set firewall family inet filter f1 interface-specific
set firewall family inet filter f1 term t1 from protocol tcp
set firewall family inet filter f1 term t1 then count c1
set firewall family inet filter f1 term t1 then accept
set firewall family inet filter f1 term t2 from protocol icmp
set firewall family inet filter f1 term t2 then count c3
set firewall family inet filter f1 term dft then count dft_cnt
set firewall family inet filter f1 term dft then accept
set interfaces re0:mgmt-0 unit 0 family inet filter input f1
```
Table 5, Table 6, and Table 7 show the supported firewall filter match conditions and actions on management interfaces.
Table 5: Management interface firewall filter match conditions

Firewall Filter Match Condition | Supported
---|---
address | Yes
destination-address | Yes
destination-port | Yes
destination-port-except | Yes
destination-prefix-list | Yes
icmp-code | Yes
icmp-code-except | Yes
icmp-type | Yes
icmp-type-except | Yes
next-header | Yes
next-header-except | Yes
packet-length | Yes
packet-length-except | Yes
payload-protocol | Yes
payload-protocol-except | Yes
port | Yes
port-except | Yes
prefix-list | Yes
source-address | Yes
source-port | Yes
source-port-except | Yes
source-prefix-list | Yes
tcp-established | Yes
tcp-flags | Yes
tcp-initial | Yes
traffic-class | Yes
traffic-class-except | Yes

Table 6: Management interface firewall filter match conditions

Firewall Filter Match Condition | Supported
---|---
dscp | Yes
dscp-except | Yes
precedence | Yes
precedence-except | Yes
protocol | Yes
protocol-except | Yes
ttl | Yes
ttl-except | Yes

Table 7: Management interface firewall filter actions

Firewall filter action | IPv4 | IPv6
---|---|---
accept | Yes | Yes
count | Yes | Yes
forwarding-class | Yes | Yes
loss-priority | Yes | Yes
policer | Yes | Yes
reject | Yes | Yes
syslog | Yes | Yes
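An added example, not from this Juniper page: a small Python linter for flat set-style configuration that applies two of the rules above. It flags terms in a lo0 family inet6 filter (assumed here to be what the tables call Lo6) that use match conditions the Lo0/Lo6 tables mark as unsupported on Lo6, and it reports a lo0 filter with no input filter on a management interface, which Junos OS Evolved requires. The configuration lines in SAMPLE and the filter and interface names are constructed for the example.

```python
import re
from collections import defaultdict

# Match conditions the Lo0/Lo6 tables mark "No" for Lo6 (assumed: family inet6 on lo0).
LO6_UNSUPPORTED = {"first-fragment", "is-fragment", "ttl", "dscp"}

TERM_RE = re.compile(
    r"^set firewall family (inet6?) filter (\S+) term (\S+) from (\S+)")
APPLY_RE = re.compile(
    r"^set interfaces (\S+) unit \d+ family (inet6?) filter input (\S+)$")

# Constructed sample: an inet6 lo0 filter that matches on ttl, and no management filter.
SAMPLE = """\
set firewall family inet6 filter finet6 term t1 from source-address 2001:db8::2/128
set firewall family inet6 filter finet6 term t1 from ttl 64
set firewall family inet6 filter finet6 term t1 then count c6
set interfaces lo0 unit 0 family inet6 filter input finet6
"""

def parse(config):
    """Return ({filter: {term: {match keywords}}}, [(interface, family, filter)])."""
    terms = defaultdict(lambda: defaultdict(set))
    applied = []
    for raw in config.splitlines():
        line = raw.strip()
        m = TERM_RE.match(line)
        if m:
            _family, fname, tname, cond = m.groups()
            terms[fname][tname].add(cond)
            continue
        m = APPLY_RE.match(line)
        if m:
            applied.append(m.groups())
    return terms, applied

def lint(config):
    """Return a list of findings; an empty list means both checks pass."""
    terms, applied = parse(config)
    findings = []
    for iface, family, fname in applied:
        if iface == "lo0" and family == "inet6":  # Lo6 in the tables' terms
            for tname, conds in terms[fname].items():
                for cond in sorted(conds & LO6_UNSUPPORTED):
                    findings.append(f"{fname} term {tname}: '{cond}' not supported on Lo6")
    has_lo0 = any(iface == "lo0" for iface, _, _ in applied)
    has_mgmt = any(re.match(r"re\d+:mgmt-\d+$", iface) for iface, _, _ in applied)
    if has_lo0 and not has_mgmt:
        findings.append("lo0 filter applied but no management-interface (re*:mgmt-*) input filter")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```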
Stateless and Stateful Firewall Filters
A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the state of network connections. In contrast, a stateful firewall filter uses connection state information derived from other applications and past communications in the data flow to make dynamic control decisions.
The Routing Policies, Firewall Filters, and Traffic Policers User Guide describes stateless firewall filters.
Purpose of Stateless Firewall Filters
The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables you to inspect the components of incoming or outgoing packets and then perform the actions you specify on packets that match the criteria you specify. The typical use of a stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets.