The JUNOS software policy framework provides a mechanism for controlling the flow of traffic into and out of the router. The policy framework has two broad components:
Routing policy controls the routing information that routing protocols place into the routing and forwarding tables and advertise based on the routes in the routing table.
Firewall filters control packets passing through a router's interface, either coming into the router or being transmitted out.
The architectural design and configuration of JUNOS routing policy and firewall filters and how you configure them are nearly identical, so we discuss them together in a single chapter. However, because they are so similar, it's sometimes easy to confuse the two. The most important point to remember is that routing policy applies to routing protocols and affects how routes are stored in the routing table and how routes are advertised to peers, while firewall filters affect which packets a router's interfaces accept and send.
The process for configuring policies and filters always has two basic steps:
Separating the specification of policy and firewall conditions from their actual application means that you can set up common policy and firewall conditions that encompass your organization's business, security, and peering policies. You can then apply the same conditions to different peers, customers, or interfaces.
Because the policy and filter conditions are referenced, you don't have to repeat the same information in many places throughout a configuration but can instead modify the conditions in a single place and reuse them as needed. This modularity is useful, especially when you consider that for larger ISPs, the routing policy and firewall filter sections of the JUNOS configuration file make up a very large percentage of the router's configuration, sometimes 50 percent or more.
Defining Policies and Filters
In the JUNOS configuration, routing policies and firewall filters have the same basic structure:
A name identifies each policy and filter. You specify and use this name to reference the policy or filter when configuring a routing protocol or interface. You set the name like this:
[edit policy-options]
aviva@router1# edit policy-statement add-community
[edit firewall]
aviva@router1# edit filter incoming-to-me
Here, the edit policy-statement command creates a routing policy named add-community, and the edit filter command creates a filter called incoming-to-me.
A term groups match conditions with corresponding actions. Policies and filters can have one or more terms, which are evaluated in order. Terms are also identified by name, such as:
[edit firewall filter incoming-to-me]
aviva@router1# edit term allow-snmp-from-nms-systems
The edit term command creates a term called allow-snmp-from-nms-systems.
For policies, the match conditions apply to routes; for firewall filters, they apply to packets. Match conditions are generally identified by a from clause that indicates information in the received route or packet. Here, the from clause matches UDP packets:
[edit firewall filter incoming-to-me term allow-snmp-from-nms-systems]
aviva@router1# set from protocol udp
Match conditions sometimes have a to clause to match information about the route or packet destination.
An action specifies what to do when a match occurs. The action is identified by a then clause:
[edit firewall filter incoming-to-me term allow-snmp-from-nms-systems]
aviva@router1# set then accept
Here, the action is to accept the packet.
If the route or packet does not match any of the conditions when the end of the policy or filter is reached, a default action is taken.
A routing policy can have several match conditions, with multiple conditions in a single term, with several terms in the same policy, or with several policies chained together. Similarly, a firewall filter can have a number of match conditions. However, you can apply only one firewall filter on an input or output interface. To have a series of match conditions, you define multiple matches in a term or multiple terms in a single filter.
Applying Policies and Filters
After defining a policy or filter, you apply it to a protocol or interface. For a policy, you use import and export statements. An import policy applies when the router is evaluating routes received from a routing protocol before placing them into the routing table. An export policy applies when an active route in the routing table is sent in a routing-protocol advertisement. For a firewall filter, you use filter input and filter output statements for incoming and outgoing traffic on an interface.
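The two steps written out end to end, as an added, constructed example rather than configuration from the book: the filter and term named above in JUNOS curly-brace format, with a second term that counts, logs, and drops SNMP from any other source, an explicit final accept term, and the filter applied with filter input on lo0. The NMS subnet 192.0.2.0/24, the counter name, and the other term names are assumptions; a policy-statement has the same term/from/then shape and is applied with import or export under the protocol instead.

```junos
/* Constructed example: restrict SNMP to the router to an assumed NMS subnet. */
firewall {
    filter incoming-to-me {
        /* Term 1: SNMP (UDP port 161) from the assumed NMS subnet 192.0.2.0/24 is accepted. */
        term allow-snmp-from-nms-systems {
            from {
                source-address {
                    192.0.2.0/24;
                }
                protocol udp;
                destination-port snmp;
            }
            then accept;
        }
        /* Term 2: SNMP from any other source is counted, logged, and dropped. */
        term discard-other-snmp {
            from {
                protocol udp;
                destination-port snmp;
            }
            then {
                count snmp-rejects;
                log;
                discard;
            }
        }
        /* Term 3: explicit final accept; without it the implicit default (discard) drops all other traffic to the router, including routing-protocol sessions. */
        term allow-everything-else {
            then accept;
        }
    }
}
/* Step 2: apply the filter to traffic arriving at the Routing Engine via lo0. */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input incoming-to-me;
                }
            }
        }
    }
}
```

After committing, show firewall filter incoming-to-me displays the snmp-rejects counter and show firewall log shows the packets matched by the logging term.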