Control points

Routing policy:
Control routing information that is placed in the routing table
with an import routing policy and advertised from the routing table
with an export routing policy.

Firewall filter:
Control packets that are accepted on a router interface with
an input firewall filter and that are forwarded from an interface
with an output firewall filter.

Configuration tasks

Routing policy:
- Define policy: Define a policy that contains terms, match conditions,
  and actions.
- Apply policy: Apply one or more export or import policies to a routing
  protocol. You can also apply a policy expression, which uses Boolean
  logical operators with multiple import or export policies. You can
  also apply one or more export policies to the forwarding table.

Firewall filter:
- Define policy: Define a filter that contains terms, match conditions,
  and actions.
- Apply policy: Apply one input or output firewall filter to a physical
  interface or physical interface group to filter data packets received
  by or forwarded to a physical interface (on routing platforms with an
  Internet Processor II application-specific integrated circuit [ASIC]
  only). You can also apply one input or output firewall filter to the
  routing platform's loopback interface, which is the interface to the
  Routing Engine (on all routing platforms). This allows you to filter
  local packets received by or forwarded from the Routing Engine.

Terms

Routing policy:
Configure as many terms as desired. Define a name for each term.
Terms are evaluated in the order in which you specify them.
Evaluation of a policy ends after a route matches the criteria
in a term and the defined or default policy action of accept or reject
is taken. The route is not evaluated against subsequent terms in the
same policy or subsequent policies.

Firewall filter:
Configure as many terms as desired. Define a name for each term.
Terms are evaluated in the order in which you specify them.
Evaluation of a firewall filter ends after a packet matches
the criteria in a term and the defined or default action is taken.
The packet is not evaluated against subsequent terms in the firewall
filter.

Match conditions

Routing policy:
Specify zero or more criteria that a route must match. You can
specify criteria based on source, destination, or properties of a
route. You can also specify the following match conditions, which
require more configuration:
- Autonomous system (AS) path expression—A combination
  of AS numbers and regular expression operators.
- Community—A group of destinations that share a common
  property.
- Prefix list—A named list of prefixes.
- Route list—A list of destination prefixes.
- Subroutine—A routing policy that is called repeatedly
  from other routing policies.

Firewall filter:
Specify zero or more criteria that a packet must match. The criteria
are matched against fields in the packet's header, which are grouped
into the following categories:
- Numeric values, such as port and protocol numbers.
- Prefix values, such as IP source and destination prefixes.
- Bit-field values—Whether particular bits in the
  fields are set, such as IP options, Transmission Control Protocol
  (TCP) flags, and IP fragmentation fields. You can combine these
  fields using Boolean logical operators.

Actions

Routing policy:
Specify zero or one action to take if a route matches all criteria.
You can specify the following actions:
- Accept—Accept the route into the routing table,
  and propagate it. After this action is taken, the evaluation of subsequent
  terms and policies ends.
- Reject—Do not accept the route into the routing
  table, and do not propagate it. After this action is taken, the evaluation
  of subsequent terms and policies ends.
In addition to the preceding actions, you can also specify zero
or more of the following types of actions:
- Next term—Evaluate the next term in the routing
  policy.
- Next policy—Evaluate the next routing policy.
- Actions that manipulate characteristics associated with
  a route as the routing protocol places it in the routing table or
  advertises it from the routing table.
- Trace action, which logs route matches.

Firewall filter:
Specify zero or one action to take if a packet matches all criteria.
(We recommend that you always explicitly configure an action.) You
can specify the following actions:
- Accept—Accept a packet.
- Discard—Discard a packet silently, without sending
  an ICMP message.
- Reject—Discard a packet, and send an ICMP destination
  unreachable message.
- Routing instance—Specify a routing table to which
  packets are forwarded.
- Next term—Evaluate the next term in the firewall
  filter.
In addition to zero or one of the preceding actions, you can also specify
zero or more action modifiers. You can specify the following action
modifiers:
- Count—Add the packet to a count total.
- Forwarding class—Set the packet forwarding class
  to a specified value from 0 through 3.
- IPSec security association—Used with the source
  and destination address match conditions, specify an IP Security (IPSec)
  security association (SA) for the packet.
- Log—Store the header information of a packet on
  the Routing Engine.
- Loss priority—Set the packet loss priority (PLP)
  bit to a specified value, 0 or 1.
- Policer—Apply rate-limiting procedures to the traffic.
- Sample—Sample the packet traffic.
- Syslog—Log an alert for the packet.

Default policies and actions

Routing policy:
If an incoming or outgoing route arrives and a policy related
to the route is not explicitly configured, the action specified by
the default policy for the associated routing protocol is taken.
The following default actions exist for routing policies:
- If a policy does not specify a match condition, all routes
  evaluated against the policy match.
- If a match occurs but the policy does not specify an accept,
  reject, next term, or next policy action, one of the following occurs:
  - The next term, if present, is evaluated.
  - If no other terms are present, the next policy is evaluated.
  - If no other policies are present, the action specified
    by the default policy is taken.
- If a match does not occur with a term in a policy and
  subsequent terms in the same policy exist, the next term is evaluated.
- If a match does not occur with any terms in a policy and
  subsequent policies exist, the next policy is evaluated.
- If a match does not occur by the end of a policy and no
  other policies exist, the accept or reject action specified by the
  default policy is taken.

Firewall filter:
If an incoming or outgoing packet arrives on an interface and
a firewall filter is not configured for the interface, the default
policy is taken (the packet is accepted).
The following default actions exist for firewall filters:
- If a firewall filter does not specify a match condition,
  all packets are considered to match.
- If a match occurs but the firewall filter does not specify
  an action, the packet is accepted.
- If a match occurs, the defined or default action is taken
  and the evaluation ends. Subsequent terms in the firewall filter are
  not evaluated, unless the next term action is specified.
- If a match does not occur with a term in a firewall filter
  and subsequent terms in the same filter exist, the next term is evaluated.
- If a match does not occur by the end of a firewall filter,
  the packet is discarded.

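The following configuration is an added worked example; it is not taken from the original page and is not vendor-supplied code. It puts the pieces described above (terms, match conditions, actions, action modifiers, the apply step, and the default behaviour at the end of a policy or filter) into one routing policy and one firewall filter written in Junos curly-brace syntax. The policy name, filter name, prefix list, community value, peer AS, addresses and counter name are all constructed for illustration (RFC 5737 documentation prefixes and documentation AS 64496). Each policy and filter ends with an explicit catch-all term: for the routing policy this removes the dependency on the protocol's default export policy, and for the firewall filter it turns the implicit discard into one that also counts and logs what was dropped.

```junos
/* Added example (constructed names and addresses), not from the original page. */
policy-options {
    prefix-list customer-prefixes {
        192.0.2.0/24;
        198.51.100.0/24;
    }
    community customer-tag members 65000:100;

    policy-statement export-customers {
        /* Term 1: a route-modifying action plus "next term", so evaluation
           continues into the following term with the change carried along. */
        term tag-direct {
            from protocol direct;
            then {
                metric 10;
                next term;
            }
        }
        /* Term 2: match on protocol and a prefix list, add a community,
           then accept. Accept is terminating: later terms are not evaluated. */
        term customer-routes {
            from {
                protocol [ static direct ];
                prefix-list customer-prefixes;
            }
            then {
                community add customer-tag;
                accept;
            }
        }
        /* Final term, no match conditions, so every remaining route matches.
           Explicit reject means the result never depends on BGP's default
           export policy. */
        term reject-rest {
            then reject;
        }
    }
}

protocols {
    bgp {
        group transit-peers {
            type external;
            peer-as 64496;
            neighbor 203.0.113.1;
            /* Apply step: the export policy is attached to the protocol. */
            export export-customers;
        }
    }
}

firewall {
    /* Policer referenced by the ICMP term below (rate-limiting modifier). */
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Term 1: numeric (protocol, port) and prefix (source) matches. */
            term allow-bgp {
                from {
                    source-address {
                        203.0.113.1/32;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Term 2: action modifier (policer) combined with an accept action. */
            term allow-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-limit;
                    accept;
                }
            }
            /* Final term: the filter would discard unmatched packets anyway,
               but an explicit term adds a counter and syslog records. */
            term deny-rest {
                then {
                    count denied-to-re;
                    syslog;
                    discard;
                }
            }
        }
    }
}

interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Apply step: input filter on the loopback interface, which
                   is the path to the Routing Engine. */
                filter {
                    input protect-re;
                }
                address 192.0.2.254/32;
            }
        }
    }
}
```

Two points worth checking after committing something like this: `show route advertising-protocol bgp 203.0.113.1` confirms which routes actually left through the export policy, and `show firewall filter protect-re` shows the `denied-to-re` counter, so a rising count on a loopback filter is the first sign that something unexpected is trying to reach the Routing Engine. Ordering matters in both objects, because the first matching term that takes a terminating action ends evaluation; moving `deny-rest` above `allow-bgp` would drop the BGP session.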