Routing Policy and Firewall Filters

Introduction

The JUNOS software policy framework provides a mechanism for controlling the flow of traffic into and out of the router. The policy framework has two broad components:

Routing policy

Controls routing information that routing protocols place into the routing and forwarding tables and advertise based on the routes in the routing table.

Firewall filters

Control packets passing through a router's interface, either coming into the router or being transmitted out.

The architecture and configuration of JUNOS routing policies and firewall filters are nearly identical, so we discuss them together in a single chapter. Because they are so similar, however, it is easy to confuse the two. The most important point to remember is that routing policy applies to routing protocols and affects how routes are stored in the routing table and how routes are advertised to peers, while firewall filters affect which packets a router's interfaces accept and send.

The process for configuring policies and filters always has two basic steps:

  1. Define the policy or filtering conditions in one part of the configuration ([edit policy-options] for routing policies and [edit firewall] for firewall filters).
  2. Apply the conditions by referencing them when configuring either a specific routing protocol or a specific interface.

Separating the specification of policy and firewall conditions from their actual application means that you can set up common policy and firewall conditions that encompass your organization's business, security, and peering policies. You can then apply the same conditions to different peers, customers, or interfaces.

Because the policy and filter conditions are referenced, you don't have to repeat the same information in many places throughout a configuration but can instead modify the conditions in a single place and reuse them as needed. This modularity is useful, especially when you consider that for larger ISPs, the routing policy and firewall filter sections of the JUNOS configuration file make up a very large percentage of the router's configuration, sometimes 50 percent or more.

Defining Policies and Filters

In the JUNOS configuration, routing policies and firewall filters have the same basic structure:

Name

Identifies each policy and filter. You specify and use this name to reference the policy or filter when configuring a routing protocol or interface. You set the name like this:

[edit policy-options]
aviva@router1# edit policy-statement add-community

[edit firewall]
aviva@router1# edit filter incoming-to-me

Here, the edit policy-statement command creates a routing policy named add-community, and the edit filter command creates a filter called incoming-to-me.

Term

Groups match conditions with corresponding actions. Policies and filters can have one or more terms, which are evaluated in order. Terms are also identified by name, such as:

[edit firewall filter incoming-to-me]
aviva@router1# edit term allow-snmp-from-nms-systems

The edit term command creates a term called allow-snmp-from-nms-systems.

Match conditions

For policies, the match conditions apply to routes; for firewall filters, they apply to packets. Match conditions are generally identified by a from clause to indicate information in the received route or packet. Here, the from clause matches UDP packets:

[edit firewall filter incoming-to-me term allow-snmp-from-nms-systems]
aviva@router1# set from protocol udp

Match conditions sometimes have a to clause to match information about the route or packet destination.

Action

Specifies what to do when a match occurs. The action is identified by a then clause:

[edit firewall filter incoming-to-me term allow-snmp-from-nms-systems]
aviva@router1# set then accept

Here, the action is to accept the packet.

If the route or packet does not match any of the conditions when the end of the policy or filter is reached, a default action is taken.

A routing policy can have several match conditions, with multiple conditions in a single term, with several terms in the same policy, or with several policies chained together. Similarly, a firewall filter can have a number of match conditions. However, you can apply only one firewall filter on an input or output interface. To have a series of match conditions, you define multiple matches in a term or multiple terms in a single filter.

Applying Policies and Filters

After defining a policy or filter, you apply it to a protocol or interface. For a policy, you use import and export statements. An import policy applies when the router is evaluating routes received from a routing protocol before placing them into the routing table. An export policy applies when an active route in the routing table is sent in a routing-protocol advertisement. For a firewall filter, you use filter input and filter output statements for incoming and outgoing traffic on an interface.
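The two-step procedure described in this chapter, shown as one complete configuration: the filter incoming-to-me and the policy add-community from the text are defined in their own hierarchies and then applied to an interface and to a BGP group. This is an added example written for this edit, not configuration from the book; the addresses, the community value, the AS number, the interface and group names, and the second term and counter names are constructed for illustration.

```junos
/* Step 1: define the firewall filter under [edit firewall].
   Terms are evaluated in order; the first term whose from clause
   matches decides the packet's fate. */
firewall {
    family inet {
        filter incoming-to-me {
            /* Accept SNMP (UDP/161) only from the management stations.
               192.0.2.0/28 is a constructed NMS subnet. */
            term allow-snmp-from-nms-systems {
                from {
                    source-address {
                        192.0.2.0/28;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* Everything else: count it, log it, and discard it. The counter
               and log entries give a record of what the filter is dropping. */
            term deny-everything-else {
                then {
                    count unexpected-to-re;
                    log;
                    discard;
                }
            }
        }
    }
}
/* Step 1, policy side: define the routing policy under [edit policy-options].
   198.51.100.0/24 and community 65000:100 are constructed values. */
policy-options {
    policy-statement add-community {
        term tag-customer-routes {
            from {
                protocol bgp;
                route-filter 198.51.100.0/24 orlonger;
            }
            then {
                community add customer-routes;
                accept;
            }
        }
    }
    community customer-routes members 65000:100;
}
/* Step 2: apply the filter by name to an interface. On lo0 it governs
   packets addressed to the router itself (the Routing Engine). */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input incoming-to-me;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 203.0.113.1/30;
            }
        }
    }
}
/* Step 2, policy side: apply the policy by name as a BGP import policy.
   It is evaluated on received routes before they enter the routing table. */
protocols {
    bgp {
        group customers {
            type external;
            peer-as 65000;
            neighbor 203.0.113.2;
            import add-community;
        }
    }
}
```

Two points worth checking before committing a configuration like this. First, the explicit deny-everything-else term only makes the filter's end-of-filter behaviour visible: a JUNOS firewall filter discards any packet that reaches its end without matching an accept term, so a filter with nothing but the SNMP term behaves the same way except that the drops are neither counted nor logged. Second, because the filter sits on lo0, that final discard also applies to every other protocol the router must receive on its own addresses (BGP sessions, SSH, routing-protocol hellos), so a production filter needs an accept term for each of those services ahead of the discard term. On the policy side, a BGP route that matches no term in add-community simply falls through to BGP's default import behaviour, which accepts it without the added community.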
