Comparison of Routing Policies and Firewall Filters
Although routing policies and firewall filters share an architecture, their purposes, implementation, and configuration are different. Table 1 describes their purposes. Table 2 compares the implementation details for routing policies and firewall filters, highlighting the similarities and differences in their configuration.
Table 1: Purpose of Routing Policies and Firewall Filters

| Policies | Source | Policy Purpose |
|---|---|---|
| Routing policies | Routing information is generated by internal networking peers. | To control the size and content of the routing tables, which routes are advertised, and which routes are considered the best to reach various destinations. |
| Firewall filters | Packets are generated by internal and external devices through which hostile attacks can be perpetrated. | To protect your router and network from excessive incoming traffic or hostile attacks that can disrupt network service, and to control which packets are forwarded from which router interfaces. |
Table 2: Implementation Differences Between Routing Policies and Firewall Filters

| Policy Architecture | Routing Policy Implementation | Firewall Filter Implementation |
|---|---|---|
| Control points | Control routing information that is placed in the routing table with an import routing policy and advertised from the routing table with an export routing policy. | Control packets that are accepted on a router interface with an input firewall filter and that are forwarded from an interface with an output firewall filter. |
| Configuration tasks | Define a policy that contains terms, match conditions, and actions. Apply one or more export or import policies to a routing protocol. You can also apply a policy expression, which uses Boolean logical operators with multiple import or export policies. You can also apply one or more export policies to the forwarding table. | Define a filter that contains terms, match conditions, and actions. Apply one input or output firewall filter to a physical interface or physical interface group to filter data packets received by or forwarded to a physical interface (on routing platforms with an Internet Processor II application-specific integrated circuit [ASIC] only). You can also apply one input or output firewall filter to the routing platform's loopback interface, which is the interface to the Routing Engine (on all routing platforms). This allows you to filter local packets received by or forwarded from the Routing Engine. |
| Terms | Configure as many terms as desired. Define a name for each term. Terms are evaluated in the order in which you specify them. Evaluation of a policy ends after a route matches the criteria in a term and the defined or default policy action of accept or reject is taken. The route is not evaluated against subsequent terms in the same policy or subsequent policies. | Configure as many terms as desired. Define a name for each term. Terms are evaluated in the order in which you specify them. Evaluation of a firewall filter ends after a packet matches the criteria in a term and the defined or default action is taken. The packet is not evaluated against subsequent terms in the firewall filter. |
| Match conditions | Specify zero or more criteria that a route must match. You can specify criteria based on the source, destination, or properties of a route. You can also specify other match conditions that require more configuration. | Specify zero or more criteria that a packet must match. The criteria are matched against fields in the packet's header; the matchable fields are grouped into categories. |
| Actions | Specify zero or one action to take if a route matches all criteria. In addition to that action, you can also specify zero or more actions of other types. | Specify zero or one action to take if a packet matches all criteria. (We recommend that you always explicitly configure an action.) In addition to zero or one such action, you can also specify zero or more action modifiers. |
| Default policies and actions | If an incoming or outgoing route arrives and a policy related to the route is not explicitly configured, the action specified by the default policy for the associated routing protocol is taken. The default action therefore depends on the routing protocol. | If an incoming or outgoing packet arrives on an interface and a firewall filter is not configured for the interface, the default policy is taken (the packet is accepted). |
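To make the implementation differences in Table 2 concrete, the following Junos configuration is an added example (constructed for this page; it is not code from the original page or from Juniper's documentation). It shows the two constructs side by side: a routing policy with ordered terms applied as an import policy to a BGP group, and a firewall filter with ordered terms applied as an input filter on the loopback interface lo0, which is the control point for traffic destined to the Routing Engine. Every name, the addresses (taken from the RFC 5737 documentation ranges) and the peer AS number 64496 (a documentation AS) are assumed placeholders.

```junos
/* Added example configuration: all names, addresses and AS numbers are placeholders. */
policy-options {
    prefix-list MGMT-HOSTS {
        192.0.2.0/25;                       /* assumed management subnet */
    }
    policy-statement IMPORT-FROM-PEER {
        /* Terms are evaluated top down; evaluation stops at the first matching term. */
        term reject-default-route {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
        term accept-customer-prefixes {
            from {
                route-filter 198.51.100.0/24 orlonger;
            }
            then {
                local-preference 200;       /* attribute-setting action */
                accept;                     /* terminating action */
            }
        }
        term reject-everything-else {
            then reject;                    /* explicit final term: outcome does not depend on the protocol default */
        }
    }
}
firewall {
    policer ICMP-POLICER {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            term allow-bgp-from-peer {
                from {
                    source-address {
                        203.0.113.1/32;     /* assumed BGP peer */
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term allow-ssh-from-mgmt {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term rate-limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer ICMP-POLICER;   /* excessive ICMP is dropped by the policer */
                    accept;
                }
            }
            term log-and-discard {
                then {
                    log;                    /* action modifiers give visibility into what is dropped */
                    syslog;
                    count re-discards;
                    discard;                /* explicit final action, as Table 2 recommends */
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;       /* filters local packets received by the Routing Engine */
                }
                address 192.0.2.254/32;
            }
        }
    }
}
protocols {
    bgp {
        group EXTERNAL-PEERS {
            type external;
            peer-as 64496;
            import IMPORT-FROM-PEER;        /* routing policy applied at the import control point */
            neighbor 203.0.113.1;
        }
    }
}
```

Both constructs rely on term order: the routing policy rejects a default route before the broader customer-prefix term could accept it, and the filter's accept terms come before the catch-all. Each ends with an explicit final term so the result is the same regardless of the protocol default or the filter's implicit behaviour. Before deploying a loopback filter with a final discard, enumerate every control-plane protocol the router actually uses (routing protocols, management, DNS, NTP and the like) and add an accept term for each, otherwise the last term will silently drop legitimate traffic; the `count` and `log` modifiers on that term exist precisely so that such drops are visible.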