
Policy, Firewall Filter, and CoS Terms

Before configuring routing policies, firewall filters, or class of service (CoS) with Differentiated Services (DiffServ) on a Services Router, become familiar with the terms defined in Table 123.

Table 123: Policy, Firewall Filter, and CoS Terms

| Term | Definition |
|---|---|
| assured forwarding (AF) | CoS packet forwarding class that provides a group of values you can define and includes four subclasses, AF1, AF2, AF3, and AF4, each with three drop probabilities: low, medium, and high. |
| behavior aggregate (BA) classifier | Feature that can be used to determine the forwarding treatment for each packet. The BA classifier maps a code point to a loss priority. The loss priority is used later in the workflow to select one of the two drop profiles used by random early detection (RED). |
| best-effort (BE) | CoS packet forwarding class that provides no service profile. For the BE forwarding class, loss priority is typically not carried in a code point, and random early detection (RED) drop profiles are more aggressive. |
| class of service (CoS) | Method of classifying traffic on a packet-by-packet basis, using information in the type-of-service (ToS) byte to assign traffic flows to different service levels. |
| Differentiated Services (DiffServ) | Services based on RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers. The DiffServ method of CoS uses the type-of-service (ToS) byte to identify different packet flows on a packet-by-packet basis. DiffServ adds a Class Selector code point (CSCP) and a DiffServ code point (DSCP). |
| DiffServ code point (DSCP) | Values for a 6-bit field defined in IP packet headers that can be used to enforce class-of-service (CoS) distinctions in a Services Router. |
| drop profile | Drop probabilities for different levels of buffer fullness that are used by random early detection (RED) to determine from which Services Router scheduling queue to drop packets. |
| expedited forwarding (EF) | CoS packet forwarding class that provides end-to-end service with low loss, low latency, low jitter, and assured bandwidth. |
| firewall filter | See stateful firewall filter; stateless firewall filter. |
| multifield (MF) classifier | Firewall filter that scans through a variety of packet fields to determine the forwarding class and loss priority for a packet and polices traffic to a specific bandwidth and burst size. Typically, a classifier performs matching operations on the selected fields against a configured value. |
| network address port translation (NAPT) | Method of concealing a set of host ports on a private network behind a pool of public addresses. It can be used as a security measure to protect the host ports from direct targeting in network attacks. |
| Network Address Translation (NAT) | Method of concealing a set of host addresses on a private network behind a pool of public addresses. It can be used as a security measure to protect the host addresses from direct targeting in network attacks. |
| network control (NC) | CoS packet forwarding class that is typically high priority because it supports protocol control. |
| PLP bit | Packet loss priority bit. Used to identify packets that have experienced congestion or are from a transmission that exceeded a service provider's customer service license agreement. A Services Router can use the PLP bit as part of a congestion control strategy. The bit can be configured on an interface or in a filter. |
| policer | Feature that limits the amount of traffic passing into or out of an interface. It is an essential component of firewall filters that is designed to thwart denial-of-service (DoS) attacks. A policer applies rate limits on bandwidth and burst size for traffic on a particular Services Router interface. |
| policing | Applying rate and burst size limits to traffic on an interface. |
| random early detection (RED) | Gradual drop profile for a given class, used for congestion avoidance. RED attempts to anticipate congestion and reacts by dropping a small percentage of packets from the head of a queue to prevent congestion. |
| rule | Guide that the Services Router follows when applying services. A rule consists of a match direction and one or more terms. |
| service set | Collection of services. Examples of services include stateful firewall filters and Network Address Translation (NAT). |
| stateful firewall filter | Type of firewall filter that evaluates the context of connections, permits or denies traffic based on the context, and updates this information dynamically. Context includes IP source and destination addresses, TCP port numbers, TCP sequencing information, and TCP connection flags. |
| stateless firewall filter | Type of firewall filter that statically evaluates the contents of packets transiting the router, and packets originating from, or destined for, the router. Information about connection states is not maintained. |
| term | Firewall filters contain one or more terms that specify filter match conditions and actions. |
| trusted network | Network from which all originating traffic can be trusted—for example, an internal enterprise LAN. Stateful firewall filters allow traffic to flow from trusted to untrusted networks. |
| untrusted network | Network from which all originating traffic cannot be trusted—for example, a WAN. Unless configured otherwise, stateful firewall filters do not allow traffic to flow from untrusted to trusted networks. |
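The table's DiffServ entries (DSCP, AF, EF, NC, BE, and the BA classifier) describe how a 6-bit code point in the ToS byte is turned into a forwarding class and a loss priority. The following Python script is an added example, not code from this guide or from Junos: it splits an IPv4 ToS byte into DSCP and ECN bits, decodes the standard code points (EF = 46 from RFC 3246, AFxy = 8x + 2y from RFC 2597, class selectors CSx = 8x from RFC 2474), and runs a small BA classifier over constructed sample packets. The mapping of CS6/CS7 to network-control and of CS1 through CS5 to best-effort is an assumed example policy, not a statement of the Services Router's default classifier table.

```python
"""Decode the DiffServ field of an IPv4 ToS byte and apply a simple BA classifier (added example)."""
from dataclasses import dataclass

EF_DSCP = 46  # 101110b, expedited forwarding (RFC 3246)
# AF drop precedence y=1..3, named as in the glossary: low, medium, high
DROP_PRECEDENCE = {1: "low", 2: "medium", 3: "high"}


@dataclass(frozen=True)
class DiffServInfo:
    dscp: int
    ecn: int
    name: str              # symbolic code point, e.g. "af31", "ef", "cs6", "be"
    forwarding_class: str  # one of the forwarding classes named in the glossary
    loss_priority: str     # "low", "medium" or "high"


def split_tos(tos: int) -> tuple:
    """Split the ToS byte: the upper 6 bits are the DSCP, the lower 2 bits the ECN field."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be a single byte")
    return tos >> 2, tos & 0x3


def decode_dscp(dscp: int, ecn: int = 0) -> DiffServInfo:
    """Map a 6-bit DSCP to a forwarding class and loss priority (BA classifier step)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    hi, lo = divmod(dscp, 8)  # hi = class selector bits (xxx), lo = low three bits
    if dscp == EF_DSCP:
        return DiffServInfo(dscp, ecn, "ef", "expedited-forwarding", "low")
    if lo == 0:  # class selector code points CSx = xxx000b
        if hi == 0:
            return DiffServInfo(dscp, ecn, "be", "best-effort", "low")
        if hi >= 6:  # CS6/CS7 carry routing-protocol traffic (assumed policy, not a Junos default)
            return DiffServInfo(dscp, ecn, f"cs{hi}", "network-control", "low")
        return DiffServInfo(dscp, ecn, f"cs{hi}", "best-effort", "low")
    if 1 <= hi <= 4 and lo in (2, 4, 6):  # AFxy = 8x + 2y with x in 1..4 and y in 1..3
        y = lo // 2
        return DiffServInfo(dscp, ecn, f"af{hi}{y}", "assured-forwarding", DROP_PRECEDENCE[y])
    # Any other value is not a standard code point; treat it as best-effort, low loss priority
    return DiffServInfo(dscp, ecn, f"dscp{dscp}", "best-effort", "low")


def classify(packets):
    """BA classifier over (src, dst, tos) tuples.

    Returns per-forwarding-class packet counts and the per-packet decisions,
    mirroring the 'code point -> loss priority' step the glossary describes."""
    decisions = []
    counts = {}
    for src, dst, tos in packets:
        dscp, ecn = split_tos(tos)
        info = decode_dscp(dscp, ecn)
        decisions.append((src, dst, info))
        counts[info.forwarding_class] = counts.get(info.forwarding_class, 0) + 1
    return counts, decisions


# Constructed sample packets (src, dst, ToS byte); these are not captured traffic
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.1.9", 0xB8),  # EF (46 << 2): voice
    ("10.0.0.5", "10.0.1.9", 0x68),  # AF31 (26 << 2): low drop precedence
    ("10.0.0.7", "10.0.1.9", 0x38),  # AF13 (14 << 2): high drop precedence
    ("10.0.0.2", "10.0.1.1", 0xC0),  # CS6 (48 << 2): routing protocol
    ("10.0.0.9", "10.0.1.9", 0x00),  # BE
]

if __name__ == "__main__":
    counts, decisions = classify(SAMPLE_PACKETS)
    for src, dst, info in decisions:
        print(f"{src} -> {dst}: {info.name:6} {info.forwarding_class:20} loss-priority {info.loss_priority}")
    print(counts)
```

Running the script prints one decision line per sample packet and the per-class counts; the AF13 packet is the only one that comes out with a high loss priority, which is the value a RED drop profile for that class would later act on.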
