Routing Policy and Firewall Filters
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net
What Is Routing Policy?
Routing policy controls the flow of routing information
to and from the routing table
•Use policy to accept, reject, or modify attributes for routes:
• Received through dynamic routing protocols
• Sent to dynamic routing protocols
• Installed in the forwarding table
[Figure: routes learned from protocol neighbors pass through import policy into the routing table; routes leave the routing table through export policy toward protocol neighbors and, through the forwarding-table export policy, into the forwarding table on the PFE.]
Import policies control the route
importation into the routing table.
Export policies control the route
exportation from the routing table.
Default Routing Policies
Protocol | Import Policy                                                                       | Export Policy
BGP      | Accept all BGP routes and import into inet.0                                        | Accept all active BGP routes
OSPF     | Accept all OSPF routes and import into inet.0                                       | Reject everything (protocol floods by default)
IS-IS    | Accept all IS-IS routes and import into inet.0                                      | Reject everything (protocol floods by default)
RIP      | Accept all RIP routes from explicitly configured neighbors and import into inet.0   | Reject everything
Two consequences worth remembering: OSPF, IS-IS, and RIP advertise nothing beyond their own internal routes unless you attach an export policy (RIP does not even re-advertise RIP-learned routes without one), and BGP accepts every prefix a peer sends, so a BGP session without an explicit import policy installs whatever the peer announces, including bogus or hijacked prefixes.
Building Blocks of Routing Policy
A routing policy consists of zero or more terms; the software evaluates terms sequentially until it reaches a terminating action or the end of the policy.
•Policy and term names (my-policy, firstterm, secondterm, thirdterm in the diagram) are user defined
•from statements describe match conditions
•then statements describe the actions to take if a match with the from statement occurs
•A term whose from statement does not match is skipped and evaluation continues with the next term
Note: Ordering matters! If you must reorder terms within a policy, consider using the insert CLI command.
Common Match Criteria
Common match criteria for routing policy:
•Prefix (route-filter or prefix-list)
•Protocol (OSPF, static, BGP, and so forth)
•Routing protocol attributes:
• OSPF area ID, AS path, and community
•Next hop
Note: If you omit the from statement, all routes match and will take the specified action. A final term with no from statement is therefore the usual way to set a policy's catch-all behavior explicitly instead of relying on the protocol default.
Prefix Lists
Prefix lists contain a list of prefixes:
•Configured under the [edit policy-options] hierarchy
•Can be referenced in firewall filters and routing policy terms
[edit policy-options]
user@host# show
prefix-list rfc1918 {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
}
policy-statement policy-1 {
    from {
        prefix-list rfc1918;
    }
    then reject;
}
policy-statement policy-2 {
    from {
        prefix-list-filter rfc1918 orlonger reject;
    }
}
A plain prefix-list match (policy-1) matches a prefix exactly: 10.1.0.0/16 does not match rfc1918 there and is not rejected. prefix-list-filter (policy-2) adds a match type and an optional per-match action; the supported match types are exact, longer, and orlonger and are covered on subsequent slides. When the intent is to reject all private address space, the orlonger form is the one that does it.
Route Filters
Route filters match individual routes within a policy:
•You can specify multiple route filters within a single term
•Not reusable; they are specific to the term in which they appear
[edit policy-options]
user@host# show
policy-statement policy-1 {
    term reject-rfc1918-prefixes {
        from {
            route-filter 172.16.0.0/12 orlonger;
            route-filter 192.168.0.0/16 orlonger;
            route-filter 10.0.0.0/8 orlonger;
        }
        then reject;
    }
}
Note: Various match types are supported. We discuss the match types on subsequent slides.
Match Types (1 of 3)
exact:
•Match the specified prefix and mask exactly
from route-filter 192.168.0.0/16 exact;
orlonger:
•Match the specified prefix and mask exactly and all routes that are subsets of the prefix and that have longer masks
from route-filter 192.168.0.0/16 orlonger;
Match Types (2 of 3)
longer:
•Match routes that are subsets of the prefix and that have longer masks
•Do not match the specified prefix and mask
from route-filter 192.168.0.0/16 longer;
upto:
•Match the specified prefix and mask exactly and any routes that are subsets of the specified prefix and that have a mask no longer than the second value specified
from route-filter 192.168.0.0/16 upto /24;
Match Types (3 of 3)
prefix-length-range:
•Match routes that are subsets of the specified prefix and that have a mask between the two values (inclusive match)
from route-filter 192.168.0.0/16 prefix-length-range /20-/24;
through:
•Match the first and second specified prefixes and masks exactly and all prefixes directly between the two prefixes
from route-filter 192.168.0.0/16 through 192.168.16.0/20;
Here "directly between" means the prefixes on the longest-match path from the first prefix to the second (192.168.0.0/17, 192.168.0.0/18, and 192.168.0.0/19 in this example), not every prefix that is numerically between them; 192.168.128.0/17 is not matched.
Match Type Summary
Given a starting prefix of 192.168/16, what matches with each option?
•exact: 192.168.0.0/16 only
•orlonger: 192.168.0.0/16 and every more-specific route beneath it, down to /32
•longer: every more-specific route beneath 192.168.0.0/16, down to /32, but not the /16 itself
•upto /y: 192.168.0.0/16 and every more-specific route beneath it with a mask no longer than /y
•prefix-length-range /x-/y: routes beneath 192.168.0.0/16 with masks from /x through /y inclusive
•through: 192.168.0.0/16, the second prefix, and the prefixes on the longest-match path between them
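To make the six match types concrete, and to show a behavior the summary above does not state: when a term contains several route-filter lines, Junos first selects the route-filter whose prefix is the longest match for the route and evaluates only that line's match type; the other lines are not consulted even if one of them would have matched. The Python model below is an added example, not part of the Juniper slides; the routes it checks and the two-line term SHADOWED_TERM are constructed for illustration.

```python
"""Model of Junos route-filter match types (added example, not from the slides).
Routes and route-filter lines used below are constructed for illustration."""
from ipaddress import ip_network


def matches(route: str, filt: str, mtype: str, arg: str = "") -> bool:
    """True if `route` satisfies route-filter `filt` under match type `mtype`.

    `arg` is the second operand for the types that take one:
    upto "/24", prefix-length-range "/20-/24", through "192.168.16.0/20".
    """
    r, f = ip_network(route), ip_network(filt)
    inside = r.subnet_of(f)  # r is f itself or a more specific prefix beneath it
    if mtype == "exact":
        return r == f
    if mtype == "longer":
        return inside and r.prefixlen > f.prefixlen
    if mtype == "orlonger":
        return inside
    if mtype == "upto":
        return inside and r.prefixlen <= int(arg.lstrip("/"))
    if mtype == "prefix-length-range":
        low, high = (int(x.lstrip("/")) for x in arg.split("-"))
        return inside and low <= r.prefixlen <= high
    if mtype == "through":
        # Only prefixes on the longest-match path from f down to the second
        # prefix match: f contains r and r contains the second prefix.
        # A sibling such as 192.168.128.0/17 is inside f but off the path.
        return inside and ip_network(arg).subnet_of(r)
    raise ValueError(f"unknown match type {mtype!r}")


def term_matches(route: str, route_filters: list) -> bool:
    """Evaluate a term holding several route-filter lines the way Junos does.

    route_filters is a list of (prefix, match_type, arg) tuples. Junos selects
    the route-filter prefix that is the longest match for the route and
    evaluates only that line's match type; the remaining lines are ignored
    even if one of them would have matched on its own.
    """
    r = ip_network(route)
    covering = [(ip_network(p), m, a) for p, m, a in route_filters
                if r.subnet_of(ip_network(p))]
    if not covering:
        return False
    longest = max(f.prefixlen for f, _, _ in covering)
    # Lines that share the longest prefix are all evaluated; any may match.
    return any(matches(route, str(f), m, a)
               for f, m, a in covering if f.prefixlen == longest)


# Constructed term: the operator meant "match all of 10/8, including 10.1/16",
# but the more specific exact line shadows the orlonger line for 10.1.x.y routes.
SHADOWED_TERM = [
    ("10.0.0.0/8", "orlonger", ""),
    ("10.1.0.0/16", "exact", ""),
]

if __name__ == "__main__":
    for route in ("10.2.0.0/16", "10.1.0.0/16", "10.1.1.0/24"):
        verdict = "matches" if term_matches(route, SHADOWED_TERM) else "does NOT match"
        print(f"{route:14} {verdict}")
```

Run as a script, 10.2.0.0/16 and 10.1.0.0/16 match the term but 10.1.1.0/24 does not: its longest-match line is 10.1.0.0/16 exact, which fails, and the 10.0.0.0/8 orlonger line is never evaluated. A reject term written this way silently lets 10.1.1.0/24 through. The fix is to give the more specific line the match type you actually need (orlonger here) or to drop it.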
Common Actions
Common actions in routing policy:
•Terminating actions:
• accept
• reject
•Flow control:
• next term
• next policy
•Modifying attributes:
• community (add, delete, and set)
• preference
then statements describe the actions to take if a match with the from statement occurs. A term that matches but has no terminating action falls through to the next term (any attribute changes it made are kept), and a policy that ends without a terminating action hands the route to the next policy in the chain, or to the protocol's default policy if it is the last one.
Implementing Routing Policy (1 of 2)
Definition of routing policy is always under the [edit policy-options] hierarchy:
[edit policy-options]
user@host# show
policy-statement my-policy {
    term accept-local-route {
        from {
            protocol local;
            interface ge-0/0/0;
        }
        then accept;
    }
    term accept-some-static-routes {
        from {
            protocol static;
            route-filter 172.18.1.0/24 exact;
            route-filter 172.18.2.0/24 exact;
        }
        then accept;
    }
    term accept-rip-routes {
        from protocol rip;
        then accept;
    }
}
Implementing Routing Policy (2 of 2)
You can apply routing policies as import or export policies at different levels (protocol dependent):
[edit protocols ospf]
user@host# show
export my-policy;
area 0.0.0.0 {
    interface ge-0/0/1.0;
    interface ge-0/0/2.0;
    interface ge-0/0/3.0 {
        passive;
    }
    interface lo0.0;
}
Routing Policy Flow
You can chain routing policies together:
•Evaluation proceeds left to right until the software reaches a terminating action of accept or reject
•The software supports flow-control actions such as next policy
[Figure: a route enters Policy 1 and is evaluated term by term (Term A, Term B, Term C); any term can accept or reject it. A route that reaches the end of Policy 1 without a terminating action moves on to Policy 2, and so on through Policy n; a route that falls off the end of the last policy is accepted or rejected by the protocol's default policy.]
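As an added example (not part of the slides), the Python below walks a route through a chain of two export policies the way the flow above describes: terms in order, next term and next policy as flow control, and the protocol's default export policy from the earlier table when the route falls off the end. The policy names tag-statics and default-static, the community 64512:100, and the routes are constructed.

```python
"""Chained routing-policy evaluation (added example, not from the slides)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: str
    protocol: str                 # "static", "bgp", "ospf", ...
    preference: Optional[int] = None
    communities: Set[str] = field(default_factory=set)


@dataclass
class Term:
    name: str
    match: Optional[Callable[[Route], bool]]   # None models a term with no from statement
    actions: List[str]                          # applied in order


# Default export policies from the slide table: BGP exports the active BGP
# routes; OSPF, IS-IS and RIP export nothing unless a policy says otherwise.
DEFAULT_EXPORT = {
    "bgp": lambda r: "accept" if r.protocol == "bgp" else "reject",
    "ospf": lambda r: "reject",
    "isis": lambda r: "reject",
    "rip": lambda r: "reject",
}


def evaluate_export(route: Route, chain: List[List[Term]], protocol: str) -> Tuple[str, str]:
    """Evaluate `chain` (a list of policies, each a list of terms) left to right.

    Returns (verdict, where): verdict is "accept" or "reject" and `where`
    names the policy and term, or the default policy, that decided it.
    """
    for index, policy in enumerate(chain):
        go_to_next_policy = False
        for term in policy:
            if term.match is not None and not term.match(route):
                continue                                  # from did not match: next term
            for action in term.actions:
                if action in ("accept", "reject"):
                    return action, f"policy {index} term {term.name}"
                if action == "next policy":
                    go_to_next_policy = True
                    break
                if action == "next term":
                    break
                if action.startswith("preference "):       # attribute modifiers stick
                    route.preference = int(action.split()[1])
                elif action.startswith("community add "):
                    route.communities.add(action.split()[2])
            if go_to_next_policy:
                break
            # A matching term without a terminating action behaves as next term.
        # End of a policy without a terminating action behaves as next policy.
    return DEFAULT_EXPORT[protocol](route), f"default {protocol} export policy"


# Constructed chain, as if applied with `export [ tag-statics default-static ]`
# under [edit protocols ospf] on R1.
TAG_STATICS = [
    Term("tag", lambda r: r.protocol == "static",
         ["community add 64512:100", "next policy"]),
]
DEFAULT_STATIC = [
    Term("accept-default-static",
         lambda r: r.protocol == "static" and r.prefix == "0.0.0.0/0",
         ["accept"]),
]
CHAIN = [TAG_STATICS, DEFAULT_STATIC]

if __name__ == "__main__":
    for route in (Route("0.0.0.0/0", "static"), Route("172.18.1.0/24", "static"),
                  Route("203.0.113.0/24", "bgp")):
        verdict, where = evaluate_export(route, CHAIN, "ospf")
        print(f"{route.prefix:16} {route.protocol:7} -> {verdict:7} ({where}) "
              f"communities={sorted(route.communities)}")
```

The default static route is tagged by the first policy, passed on by next policy, and accepted by the second. The other static route is tagged too, but nothing in the chain accepts it, so the OSPF default export policy rejects it. The BGP route is rejected when the chain is an OSPF export policy but accepted when the same chain is applied under BGP, because the BGP default exports active BGP routes; the chain alone does not tell you the outcome, the protocol it is attached to does.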
Case Study: Objective and Topology
Advertise the default static route defined on R1 into OSPF using routing policy:
[Figure: R1, R2, R3, and R4 run OSPF in Area 0. R1 also connects to the Internet over the 172.30.25.0/30 link (R1 is .2, the upstream router is .1).]
user@R1> show route protocol static
inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:00:44
> to 172.30.25.1 via ge-0/0/1.0
Case Study: Defining the Policy
Sample routing policy configuration used to advertise R1's default static route into OSPF:
[edit policy-options]
user@R1# show
policy-statement default-static {
    term accept-default-static {
        from {
            protocol static;
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
}
The policy and term names (default-static, accept-default-static) are user defined; the from block holds the match criteria and then accept is the action. Matching on both protocol static and the exact 0.0.0.0/0 prefix keeps the export narrow: any other static route, or a default learned from some other source, is left to the OSPF default export policy, which rejects it.
Case Study: Applying the Policy
Sample application of routing policy used to advertise R1's default static route into OSPF:
[edit protocols ospf]
user@R1# show
export default-static;
area 0.0.0.0 {
    interface ge-0/0/2.0;
    interface ge-0/0/3.0;
    interface lo0.0;
}
The export statement exports the default static route from the routing table into OSPF.
Note: Once you define the routing policy and apply it, R1 becomes an ASBR and floods an external (Type 5) LSA for the default static route to all OSPF routers in Area 0.
Case Study: Monitoring the Results
Sample verification step to ensure the routing policy works as expected (capture is taken from R4):
user@R4> show route protocol ospf exact 0/0
inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[OSPF/150] 00:03:33, metric 0, tag 0
> to 172.19.3.1 via ge-0/0/2.0
to 172.19.4.1 via ge-0/0/3.0
R4 installs the external default route flooded by R1. The route preference of 150 identifies it as an OSPF AS-external route (OSPF internal routes have preference 10), and R4 has two equal-cost next hops toward it, one through each of its Area 0 neighbors.
What Is a Firewall Filter?
Firewall filters control the traffic entering and leaving a networking device in a stateless fashion:
•Processes every packet independently; there is no session table, so the return direction of a flow must be permitted explicitly
•Used to filter and monitor network traffic
Building Blocks of Firewall Filters
Firewall filters consist of one or more terms; the software evaluates terms sequentially until it reaches a terminating action.
•Filter and term names (my-filter, firstterm, secondterm in the diagram) are user defined
•from statements describe match conditions
•then statements describe the actions to take if a match with the from statement occurs
•An implicit final term discards every packet not explicitly allowed by an earlier term
Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command.
Common Match Criteria
Can match based on most header fields. Match condition categories include:
•Numeric range (for example, protocol numbers and TCP/UDP ports)
•Address (source-address, destination-address, or a prefix list)
•Bit field (for example, TCP flags and IP fragmentation flags)
from statements describe match conditions.
Firewall Filter Actions
Common actions in firewall filters:
•Terminating actions:
• accept
• discard (drop silently)
• reject (drop and send an ICMP destination unreachable message back to the source; administratively-prohibited by default)
•Flow control:
• next term
•Action modifiers:
• count, log, and syslog
• forwarding-class and loss-priority
• policer
then statements describe the actions to take if a match with the from statement occurs.
The software discards all traffic not explicitly allowed! On untrusted interfaces prefer discard over reject, so the filter neither reveals what it is dropping nor turns the router into a source of ICMP replies to spoofed traffic.
Implementing Firewall Filters (1 of 2)
Define firewall filters based on protocol family under the [edit firewall] hierarchy level:
[edit firewall family inet]
user@host# show
filter filter-in {
    term block-some-packets {
        from {
            source-address {
                10.10.10.0/24;
            }
        }
        then {
            count spoof-in;
            discard;
        }
    }
    term accept-others {
        then accept;
    }
}
The software applies family inet filters only to interfaces running IPv4. If the discard in block-some-packets were not present, packets matching that term would be counted and then accepted: a term whose then clause contains only action modifiers (count, log, policer, and so on) has an implicit accept as its terminating action. Conversely, without the explicit accept-others term, every packet not sourced from 10.10.10.0/24 would hit the implicit discard at the end of the filter.
Implementing Firewall Filters (2 of 2)
Apply firewall filters as input or output on an interface:
•Protocol family on the interface and in the filter must match
•The software applies firewall filters using input and output statements
[edit interfaces ge-0/0/1]
user@host# show
unit 0 {
    family inet {
        filter {
            input filter-in;
            output filter-out;
        }
        address 172.30.25.2/30;
    }
}
Input firewall filters control traffic entering an interface; output firewall filters control traffic leaving an interface.
Tip: To avoid late night drives back to the office, use commit confirmed when activating filters! If the new filter locks you out, the configuration rolls back automatically when the commit is not confirmed within the timeout (10 minutes by default).
Test Your Knowledge (1 of 2)
Apply a filter on R1's ge-0/0/1.0 interface to allow HTTP traffic to 172.27.102.100:
•Should the filter be applied as an input or output filter?
[Figure: R1's ge-0/0/1.0 (172.27.102.1) faces MYNET, 172.27.102.0/24, where the web server is 172.27.102.100; R1's other interface is the 172.30.25.0/30 link toward the Internet.]
filter web-server {
    term allow-web-traffic {
        from {
            destination-address {
                172.27.102.100/32;
            }
            protocol tcp;
            port http;
        }
        then accept;
    }
    term deny-other-web-traffic {
        from {
            protocol tcp;
            port http;
        }
        then {
            discard;
        }
    }
}
Test Your Knowledge (2 of 2)
Which inbound traffic does the router permit when this filter is applied as an input filter on ge-0/0/1.0?
Work through the terms in order. HTTP requests from the Internet to the web server leave R1 through ge-0/0/1.0, so protecting the server calls for an output filter there; applied as an input filter, the filter sees traffic arriving from MYNET instead. allow-web-traffic accepts TCP packets to 172.27.102.100 carrying port 80 (port matches either the source or the destination port). deny-other-web-traffic discards every other TCP packet with port 80, which includes the web server's own replies (source port 80, destination the client). Everything else arriving from MYNET, whether SSH to the router, DNS, ICMP, or a routing protocol hello, matches no term and is dropped by the implicit final discard.
Filtering Local Traffic (1 of 2)
Apply filters to the lo0 interface to filter local traffic:
•A filter on lo0 applies to all traffic destined to the Routing Engine itself, regardless of the physical interface on which it arrived
•The filter must account for routing and management protocols
[Figure: frames and packets enter the Packet Forwarding Engine (forwarding plane); traffic addressed to the device itself is handed up through lo0 to the Routing Engine CPU (control plane), which is where a lo0 filter takes effect.]
Filtering Local Traffic (2 of 2)
Definition:
filter limit-ssh-access {
    term ssh-accept {
        from {
            source-prefix-list {
                trusted;
            }
            protocol tcp;
            destination-port ssh;
        }
        then accept;
    }
    term ssh-reject {
        from {
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
    term else-accept {
        then accept;
    }
}
Application:
lo0 {
    unit 0 {
        family inet {
            filter {
                input limit-ssh-access;
            }
            address 10.255.71.48/32;
        }
    }
}
The prefix list trusted must exist under [edit policy-options]; the filter itself lives under [edit firewall family inet] and the lo0 stanza under [edit interfaces].
Think About It: Which problems might occur if you omit the else-accept term?
The filter affects incoming traffic destined to the Routing Engine! Without else-accept, the implicit discard at the end of the filter drops everything else bound for the control plane: OSPF and BGP packets (adjacencies and sessions go down), SNMP, NTP, DNS, ICMP, and every management protocol other than SSH from trusted sources. A hardened lo0 filter normally permits each required protocol explicitly and ends with a discard term, but that list must be complete, and tested with commit confirmed, before the final else-accept is replaced.
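The following Python model, added here and not part of the slides, evaluates constructed packets against the two filters from the preceding slides: web-server from the Test Your Knowledge exercise and limit-ssh-access above, with and without its else-accept term. The packets, the addresses, and the contents of the trusted prefix list (10.255.71.0/24 stands in for it) are constructed; `port` matches either the source or the destination port, and a term with only action modifiers accepts, as in Junos.

```python
"""Stateless firewall-filter evaluation (added example, not from the slides)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                  # "tcp", "udp", "ospf", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Term:
    name: str
    match: Optional[Callable[[Packet], bool]]   # None models a term with no from statement
    actions: List[str]


TERMINATING = ("accept", "discard", "reject")


def evaluate(pkt: Packet, terms: List[Term]) -> Tuple[str, str]:
    """Return (verdict, term_name). Terms run in order; the first matching term
    with a terminating action decides. A matching term with only action
    modifiers (count, log, policer, ...) accepts the packet. A packet that
    matches no term hits the implicit discard at the end of the filter."""
    for term in terms:
        if term.match is not None and not term.match(pkt):
            continue
        if "next term" in term.actions:
            continue
        for action in term.actions:
            if action in TERMINATING:
                return action, term.name
        return "accept", term.name
    return "discard", "implicit-discard"


def in_prefixes(addr: str, *nets: str) -> bool:
    return any(ip_address(addr) in ip_network(n) for n in nets)


def port(pkt: Packet, number: int) -> bool:
    """Junos `port` matches the source OR the destination port."""
    return number in (pkt.sport, pkt.dport)


# filter web-server from the Test Your Knowledge slides
WEB_SERVER = [
    Term("allow-web-traffic",
         lambda p: in_prefixes(p.dst, "172.27.102.100/32") and p.protocol == "tcp" and port(p, 80),
         ["accept"]),
    Term("deny-other-web-traffic",
         lambda p: p.protocol == "tcp" and port(p, 80),
         ["discard"]),
]

TRUSTED = ("10.255.71.0/24",)      # constructed contents of prefix-list trusted


def limit_ssh_access(with_else_accept: bool) -> List[Term]:
    """filter limit-ssh-access from the slides, optionally without else-accept."""
    terms = [
        Term("ssh-accept",
             lambda p: in_prefixes(p.src, *TRUSTED) and p.protocol == "tcp" and p.dport == 22,
             ["accept"]),
        Term("ssh-reject",
             lambda p: p.protocol == "tcp" and p.dport == 22,
             ["discard"]),
    ]
    if with_else_accept:
        terms.append(Term("else-accept", None, ["accept"]))
    return terms


# Constructed packets: a web request, the server's reply, SSH from inside and
# outside the trusted range, and an OSPF hello addressed to the router.
HTTP_REQUEST = Packet("198.51.100.7", "172.27.102.100", "tcp", 51000, 80)
HTTP_REPLY = Packet("172.27.102.100", "198.51.100.7", "tcp", 80, 51000)
SSH_TRUSTED = Packet("10.255.71.9", "10.255.71.48", "tcp", 40000, 22)
SSH_UNTRUSTED = Packet("203.0.113.5", "10.255.71.48", "tcp", 40001, 22)
OSPF_HELLO = Packet("172.19.3.1", "224.0.0.5", "ospf")

if __name__ == "__main__":
    for pkt in (HTTP_REQUEST, HTTP_REPLY, OSPF_HELLO):
        print("web-server        ", pkt.protocol, pkt.src, "->", pkt.dst, evaluate(pkt, WEB_SERVER))
    for pkt in (SSH_TRUSTED, SSH_UNTRUSTED, OSPF_HELLO):
        print("lo0 with else     ", pkt.protocol, pkt.src, evaluate(pkt, limit_ssh_access(True)))
        print("lo0 without else  ", pkt.protocol, pkt.src, evaluate(pkt, limit_ssh_access(False)))
```

Against web-server, the request to the server is accepted, the server's reply (source port 80 to a client address) is discarded by deny-other-web-traffic, and the OSPF hello falls to the implicit discard. Against limit-ssh-access, SSH is accepted only from the trusted range either way, but the OSPF hello is accepted only while else-accept is present; remove it and the router stops hearing its neighbors.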
Policing
Policing (rate-limiting) enables you to limit the amount of traffic that passes into or out of an interface:
•Works with firewall filters to thwart DoS attacks
• Common actions include discard and setting the loss-priority level
•Uses average bandwidth (bandwidth-limit) and maximum burst size (burst-size-limit); traffic that exceeds them is dropped or marked
Configuration Example
[edit firewall]
user@host# show
policer p1 {
    if-exceeding {
        bandwidth-limit 400k;
        burst-size-limit 100k;
    }
    then discard;
}
family inet {
    filter rate-limit-subnet {
        term match-subnet {
            from {
                source-address {
                    192.100.1.0/24;
                }
            }
            then {
                policer p1;
            }
        }
        term else-accept {
            then accept;
        }
    }
}
bandwidth-limit
* In bits per second
* 30,520 bps to 4.29 Gbps
burst-size-limit
* In bytes
* Minimum should be 10 times the MTU (low-speed interfaces) or bandwidth times 3–5 milliseconds (high-speed interfaces)
The policer p1 is defined once and referenced from the match-subnet term. Traffic from 192.100.1.0/24 that stays within the policer is accepted (a term whose only action is a policer has an implicit accept) and traffic that exceeds it is discarded. You must apply the filter to an interface (or to lo0 for control-plane traffic) before it has any effect.
Note: The filter must account for routing and management protocols.
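To show what bandwidth-limit and burst-size-limit do to actual packet trains, here is a single-rate token-bucket model of policer p1, added as an example (it is not Juniper's implementation, which runs in the PFE with platform-specific granularity). The packet sizes, the arrival patterns, and the second policer with a 10,000-byte bucket are constructed.

```python
"""Token-bucket model of a Junos single-rate policer (added example, not from the slides)."""
from typing import Iterable, List, Tuple


class Policer:
    """bandwidth-limit in bits per second, burst-size-limit in bytes.

    The bucket starts full. Tokens (bytes) refill at the bandwidth rate up to
    the burst size; a packet that fits in the bucket conforms, one that does
    not is handled by the if-exceeding action, which is `discard` for p1.
    """

    def __init__(self, bandwidth_limit_bps: int, burst_size_limit_bytes: int):
        self.rate = bandwidth_limit_bps / 8.0        # bytes added per second
        self.depth = float(burst_size_limit_bytes)
        self.tokens = self.depth
        self.last = 0.0
        self.conforming = 0
        self.exceeding = 0

    def offer(self, t: float, size: int) -> str:
        """Police one packet of `size` bytes arriving at time `t` seconds."""
        self.tokens = min(self.depth, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            self.conforming += 1
            return "accept"
        self.exceeding += 1
        return "discard"                              # if-exceeding then discard


def run(policer: Policer, arrivals: Iterable[Tuple[float, int]]) -> Tuple[int, int]:
    """Feed (time, size) arrivals through the policer; return (accepted, discarded)."""
    for t, size in arrivals:
        policer.offer(t, size)
    return policer.conforming, policer.exceeding


def burst(count: int, size: int = 1500) -> List[Tuple[float, int]]:
    """Constructed: `count` packets arriving back to back at t=0."""
    return [(0.0, size) for _ in range(count)]


def stream(count: int, size: int, rate_bps: int) -> List[Tuple[float, int]]:
    """Constructed: evenly spaced `size`-byte packets at exactly rate_bps."""
    gap = size * 8 / rate_bps
    return [(i * gap, size) for i in range(count)]


P1 = dict(bandwidth_limit_bps=400_000, burst_size_limit_bytes=100_000)  # policer p1

if __name__ == "__main__":
    print("burst of 100 x 1500 B, p1:          ", run(Policer(**P1), burst(100)))
    print("200 pkts at exactly 400 kbps, p1:   ", run(Policer(**P1), stream(200, 1500, 400_000)))
    print("400 pkts at 800 kbps, p1:           ", run(Policer(**P1), stream(400, 1500, 800_000)))
    print("burst of 20 x 1500 B, 10 kB bucket: ", run(Policer(400_000, 10_000), burst(20)))
```

The 100 kB bucket lets 66 full-size packets of a back-to-back burst through and drops the remaining 34; a stream at exactly the configured rate is never dropped; a stream at twice the rate loses roughly half its packets once the bucket drains; and a 10 kB bucket, below the 10 times MTU guideline on the slide, passes only six packets of an ordinary 20-packet burst even though the average rate is far under 400 kbps. Undersizing burst-size-limit therefore punishes normal bursty traffic, not just attackers.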
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Policy and firewall_filters

  • 1. Routing Policy and Firewall Filters
    © 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net
  • 2. What Is Routing Policy?
    Routing policy controls the flow of routing information to and from the routing table.
    Use policy to accept, reject, or modify attributes for routes:
      • Received through dynamic routing protocols
      • Sent to dynamic routing protocols
      • Installed in the forwarding table
    [Figure: protocol neighbors -> routes -> (import policy) -> routing table -> (export policy) -> routes -> protocol neighbors; routing table -> (export policy) -> forwarding table on the PFE]
    Import policies control the route importation into the routing table. Export policies control the route exportation from the routing table.
  • 3. Default Routing Policies
    Protocol | Import policy                                                                     | Export policy
    BGP      | Accept all BGP routes and import into inet.0                                      | Accept all active BGP routes
    OSPF     | Accept all OSPF routes and import into inet.0                                     | Reject everything (protocol floods by default)
    IS-IS    | Accept all IS-IS routes and import into inet.0                                    | Reject everything (protocol floods by default)
    RIP      | Accept all RIP routes from explicitly configured neighbors and import into inet.0 | Reject everything
  • 4. Building Blocks of Routing Policy
    A routing policy consists of zero or more terms; the software evaluates terms sequentially until it reaches a terminating action or the end of the policy.
    [Figure: my-policy, with user-defined policy and term names: term first (from, then) -> no match -> term second (from, then) -> no match -> term third (from, then); a match in any term runs that term's then statements]
    from statements describe match conditions.
    then statements describe the actions to take if a match with the from statement occurs.
    Note: Ordering matters! If you must reorder terms within a policy, consider using the insert CLI command.
  • 5. Common Match Criteria
    Common match criteria for routing policy:
      • Prefix (route-filter or prefix-list)
      • Protocol (OSPF, static, BGP, and so forth)
      • Routing protocol attributes: OSPF area ID, AS path, and community
      • Next hop
    from statements describe match conditions.
    Note: If you omit the from statement, all routes match and take the specified action.
  • 6. Prefix Lists
    Prefix lists contain a list of prefixes:
      • Configured under the [edit policy-options] hierarchy
      • Can be referenced in firewall filters and routing policy terms

      [edit policy-options]
      user@host# show
      prefix-list rfc1918 {
          10.0.0.0/8;
          172.16.0.0/12;
          192.168.0.0/16;
      }
      policy-statement policy-1 {
          from {
              prefix-list rfc1918;
          }
          then reject;
      }
      policy-statement policy-2 {
          from {
              prefix-list-filter rfc1918 orlonger reject;
          }
      }

    prefix-list (policy-1) matches the listed prefixes exactly. prefix-list-filter (policy-2) allows match types and actions; supported match types include exact, longer, and orlonger and are covered on subsequent slides.
  • 7. Route Filters
    Route filters match individual routes within a policy:
      • You can specify multiple route filters within a single term
      • Not reusable; a route filter is term-specific

      [edit policy-options]
      user@host# show
      policy-statement policy-1 {
          term reject-rfc1918-prefixes {
              from {
                  route-filter 172.16.0.0/12 orlonger;
                  route-filter 192.168.0.0/16 orlonger;
                  route-filter 10.0.0.0/8 orlonger;
              }
              then reject;
          }
      }

    Note: Various match types are supported. We discuss the match types on subsequent slides.
  • 8. Match Types (1 of 3)
    exact: match the specified prefix and mask exactly
      from route-filter 192.168.0.0/16 exact;
    orlonger: match the specified prefix and mask exactly and all routes that are subsets of the prefix and that have longer masks
      from route-filter 192.168.0.0/16 orlonger;
  • 9. Match Types (2 of 3)
    longer: match routes that are subsets of the prefix and that have longer masks; do not match the specified prefix and mask itself
      from route-filter 192.168.0.0/16 longer;
    upto: match the specified prefix and mask exactly and any routes that are subsets of the specified prefix and that have a mask no longer than the second value specified
      from route-filter 192.168.0.0/16 upto /24;
  • 10. Match Types (3 of 3)
    prefix-length-range: match routes that are subsets of the specified prefix and that have a mask between the two values (inclusive match)
      from route-filter 192.168.0.0/16 prefix-length-range /20-/24;
    through: match the first and second specified prefixes and masks exactly and all prefixes directly between the two prefixes
      from route-filter 192.168.0.0/16 through 192.168.16.0/20;
  • 11. Match Type Summary
    Given a starting prefix of 192.168/16, what matches with each option?
    [Figure: for each match type, the part of the 192.168/16 prefix tree that matches: exact (only 192.168/16); orlonger (192.168/16 and everything below it down to /32); longer (everything below 192.168/16 down to /32, but not 192.168/16 itself); through (192.168/16 and the prefixes on the path down to the second prefix); prefix-length-range /x-/y (the subtree between mask lengths /x and /y); upto (192.168/16 down to the specified mask length)]
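The six match types of slides 8 to 11, and the way a term with several route filters (slide 7) is evaluated, modelled in Python. This is an added example, not Juniper's code or anything from the slide deck: `route_filter_match` is a hypothetical helper that implements the definitions above with the standard `ipaddress` module, `term_matches` applies the documented Junos rule that only the route filter whose prefix is the longest match for the route is evaluated, and every candidate route in `CANDIDATES` is constructed sample input.

```python
"""Route-filter match types modelled in Python (added example, not Juniper's
code).  route_filter_match() implements exact, longer, orlonger, upto,
prefix-length-range and through; term_matches() applies the documented Junos
rule that, when a term lists several route-filters, only the one with the
longest matching prefix is evaluated.  All candidate routes are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network
# (prefix, match-type, argument) mirrors "route-filter <prefix> <type> [arg];"
RouteFilter = Tuple[str, str, Optional[str]]


def _net(text: str) -> Network:
    # strict=False so a prefix written with host bits set still parses
    return ipaddress.ip_network(text, strict=False)


def _masklen(text: str) -> int:
    return int(text.lstrip("/"))


def route_filter_match(route: str, prefix: str, match_type: str,
                       arg: Optional[str] = None) -> bool:
    """True when `route` satisfies `route-filter <prefix> <match_type> [arg]`."""
    r, p = _net(route), _net(prefix)
    if match_type == "exact":
        return r == p
    if match_type == "orlonger":
        return r.subnet_of(p)                      # p itself or anything below it
    if match_type == "longer":
        return r.subnet_of(p) and r.prefixlen > p.prefixlen
    if match_type == "upto":
        return r.subnet_of(p) and r.prefixlen <= _masklen(arg)
    if match_type == "prefix-length-range":
        lo, hi = (_masklen(x) for x in arg.split("-"))
        return r.subnet_of(p) and lo <= r.prefixlen <= hi   # inclusive
    if match_type == "through":
        # first and second prefix exactly, plus every prefix on the path between
        # them: the route sits below the first prefix and above the second
        q = _net(arg)
        return r.subnet_of(p) and q.subnet_of(r)
    raise ValueError(f"unknown match type {match_type!r}")


def term_matches(route: str, filters: List[RouteFilter]) -> bool:
    """Junos longest-match rule: pick the route-filter whose prefix is the most
    specific one containing the route and apply only that filter's match type.
    A shorter route-filter that would have matched is not consulted."""
    r = _net(route)
    containing = [f for f in filters if r.subnet_of(_net(f[0]))]
    if not containing:
        return False
    prefix, match_type, arg = max(containing, key=lambda f: _net(f[0]).prefixlen)
    return route_filter_match(route, prefix, match_type, arg)


# Constructed candidate routes under (and one outside) 192.168/16.
CANDIDATES = ["192.168.0.0/16", "192.168.0.0/17", "192.168.0.0/19",
              "192.168.16.0/20", "192.168.32.0/20", "192.168.1.0/24",
              "192.168.1.1/32", "10.0.0.0/8"]

SUMMARY_SPECS = [("exact", None), ("orlonger", None), ("longer", None),
                 ("upto", "/24"), ("prefix-length-range", "/20-/24"),
                 ("through", "192.168.16.0/20")]


def match_type_summary(prefix: str = "192.168.0.0/16") -> Dict[str, List[str]]:
    """Which of CANDIDATES each match type selects (the slide 11 summary)."""
    return {(f"{m} {a}" if a else m):
            [c for c in CANDIDATES if route_filter_match(c, prefix, m, a)]
            for m, a in SUMMARY_SPECS}


# The reject-rfc1918-prefixes term from slide 7.
RFC1918_TERM: List[RouteFilter] = [("172.16.0.0/12", "orlonger", None),
                                   ("192.168.0.0/16", "orlonger", None),
                                   ("10.0.0.0/8", "orlonger", None)]

# Longest-match pitfall (constructed): the more specific exact filter is the
# one evaluated for 10.1.2.0/24, so the term fails although 10/8 orlonger fits.
SHADOW_TERM: List[RouteFilter] = [("10.0.0.0/8", "orlonger", None),
                                  ("10.1.0.0/16", "exact", None)]

if __name__ == "__main__":
    for spec, hits in match_type_summary().items():
        print(f"{spec:32} {hits}")
    print(term_matches("10.1.2.0/24", RFC1918_TERM))   # True
    print(term_matches("10.1.2.0/24", SHADOW_TERM))    # False
```

The `SHADOW_TERM` case is the one worth remembering when a policy that "should" reject a route lets it through: with several route filters in one term, the most specific prefix wins the comparison and its match type alone decides, so a failing `exact` next to a broad `orlonger` silently narrows the term.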
  • 12. Common Actions
    Common actions in routing policy:
      • Terminating actions: accept, reject
      • Flow control: next term, next policy
      • Modifying attributes: community (add, delete, and set), preference
    then statements describe the actions to take if a match with the from statement occurs.
  • 13. Implementing Routing Policy (1 of 2)
    Definition of routing policy is always under the [edit policy-options] hierarchy:

      [edit policy-options]
      user@host# show
      policy-statement my-policy {
          term accept-local-route {
              from {
                  protocol local;
                  interface ge-0/0/0;
              }
              then accept;
          }
          term accept-some-static-routes {
              from {
                  protocol static;
                  route-filter 172.18.1.0/24 exact;
                  route-filter 172.18.2.0/24 exact;
              }
              then accept;
          }
          term accept-rip-routes {
              from protocol rip;
              then accept;
          }
      }

    [Figure: my-policy evaluated term by term (first, second, third); each term's from block is checked, on a match its then block runs, otherwise evaluation moves to the next term]
  • 14. Implementing Routing Policy (2 of 2)
    You can apply routing policies as import or export policies at different levels (protocol dependent):

      [edit protocols ospf]
      user@host# show
      export my-policy;
      area 0.0.0.0 {
          interface ge-0/0/1.0;
          interface ge-0/0/2.0;
          interface ge-0/0/3.0 {
              passive;
          }
          interface lo0.0;
      }
  • 15. Routing Policy Flow
    You can chain routing policies together:
      • Evaluation proceeds left to right until the software reaches a terminating action of accept or reject
      • The software supports flow-control actions such as next policy
    [Figure: a route passes through Policy 1 (Term A, Term B, Term C), then Policy 2 (Term A, Term B, Term C), ... Policy n (Term A), and finally the default policy; each term can accept or reject the route, and the default policy accepts or rejects whatever reaches the end of the chain]
  • 16. Case Study: Objective and Topology
    Advertise the default static route defined on R1 into OSPF using routing policy:
    [Figure: R1 connects to the Internet over 172.30.25.0/30 (the upstream is .1, R1 is .2) and to R2, R3 and R4 in OSPF Area 0]

      user@R1> show route protocol static
      inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
      + = Active Route, - = Last Active, * = Both

      0.0.0.0/0          *[Static/5] 00:00:44
                          > to 172.30.25.1 via ge-0/0/1.0
  • 17. Case Study: Defining the Policy
    Sample routing policy configuration used to advertise R1's default static route into OSPF:

      [edit policy-options]
      user@R1# show
      policy-statement default-static {
          term accept-default-static {
              from {
                  protocol static;
                  route-filter 0.0.0.0/0 exact;
              }
              then accept;
          }
      }

    The policy and term names (default-static, accept-default-static) are user defined; the from block holds the match criteria and then accept is the action.
  • 18. Case Study: Applying the Policy
    Sample application of routing policy used to advertise R1's default static route into OSPF:

      [edit protocols ospf]
      user@R1# show
      export default-static;
      area 0.0.0.0 {
          interface ge-0/0/2.0;
          interface ge-0/0/3.0;
          interface lo0.0;
      }

    The export statement exports the default static route from the route table to OSPF.
    [Figure: R1, R2, R3 and R4 in OSPF Area 0]
    Note: Once you define routing policy and apply it, R1 floods an external LSA for the default static route to all OSPF routers in Area 0.
  • 19. Case Study: Monitoring the Results
    Sample verification step to ensure the routing policy works as expected (capture is taken from R4):

      user@R4> show route protocol ospf exact 0/0
      inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
      + = Active Route, - = Last Active, * = Both

      0.0.0.0/0          *[OSPF/150] 00:03:33, metric 0, tag 0
                          > to 172.19.3.1 via ge-0/0/2.0
                            to 172.19.4.1 via ge-0/0/3.0

    [Figure: same topology as slide 16; R4 installs the external default OSPF route flooded by R1]
  • 20. What Is a Firewall Filter?
    Firewall filters control the traffic entering and leaving a networking device in a stateless fashion:
      • Processes every packet independently
      • Used to filter and monitor network traffic
  • 21. Building Blocks of Firewall Filters
    Firewall filters consist of one or more terms; the software evaluates terms sequentially until it reaches a terminating action.
    [Figure: my-filter, with user-defined filter and term names: term first (from, then) -> no match -> term second (from, then) -> no match -> default term, whose action is discard]
    from statements describe match conditions.
    then statements describe the actions to take if a match with the from statement occurs.
    discard is the default action for packets not explicitly allowed.
    Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command.
  • 22. Common Match Criteria
    Can match based on most header fields. Match condition categories include:
      • Numeric range
      • Address
      • Bit field
    from statements describe match conditions.
  • 23. Firewall Filter Actions
    Common actions in firewall filters:
      • Terminating actions: accept, discard, reject
      • Flow control: next term
      • Action modifiers: count, log, and syslog; forwarding-class and loss-priority; policer
    then statements describe the actions to take if a match with the from statement occurs.
    The software discards all traffic not explicitly allowed!
  • 24. Implementing Firewall Filters (1 of 2)
    Define firewall filters based on protocol family under the [edit firewall] hierarchy level:

      [edit firewall family inet]
      user@host# show
      filter filter-in {
          term block-some-packets {
              from {
                  source-address {
                      10.10.10.0/24;
                  }
              }
              then {
                  count spoof-in;
                  discard;
              }
          }
          term accept-others {
              then accept;
          }
      }
      …

    The software applies family inet filters only to interfaces running IPv4. If a matching term's then block contains no discard, the packets are accepted.
    [Figure: the same term-by-term evaluation as for routing policy: term first (from, then) -> no match -> term second -> no match -> term third]
  • 25. Implementing Firewall Filters (2 of 2)
    Apply firewall filters as input or output on an interface. The protocol family on the interface and on the filter must match:

      [edit interfaces ge-0/0/1]
      user@host# show
      unit 0 {
          family inet {
              filter {
                  input filter-in;
                  output filter-out;
              }
              address 172.30.25.2/30;
          }
      }

    The software applies firewall filters using the input and output statements. Input firewall filters control traffic entering an interface; output firewall filters control traffic leaving an interface.
    Tip: To avoid late night drives back to the office, use commit confirmed when activating filters!
  • 26. Test Your Knowledge (1 of 2)
    Apply a filter on R1's ge-0/0/1.0 interface to allow HTTP traffic to 172.27.102.100.
      • Should the filter be applied as an input or output filter?
    [Figure: Internet -- 172.30.25.0/30 (upstream .1, R1 ge-0/0/1.0 .2) -- R1 -- (.1) 172.27.102.0/24 (MYNET), with the web server at .100]
  • 27. Test Your Knowledge (2 of 2)
    Which inbound traffic does the router permit? (Applied as an input filter.)

      filter web-server {
          term allow-web-traffic {
              from {
                  destination-address {
                      172.27.102.100/32;
                  }
                  protocol tcp;
                  port http;
              }
              then accept;
          }
          term deny-other-web-traffic {
              from {
                  protocol tcp;
                  port http;
              }
              then {
                  discard;
              }
          }
      }

    [Figure: R1 ge-0/0/1.0 (.2) facing the Internet; 172.27.102.0/24 (MYNET) behind R1 at .1, web server at .100]
  • 28. Filtering Local Traffic (1 of 2)
    Apply filters to the lo0 interface to filter local traffic.
      • The filter must account for routing and management protocols
    [Figure: frames/packets enter the Packet Forwarding Engine (forwarding plane); traffic destined to the router itself passes through lo0 up to the Routing Engine CPU (control plane)]
  • 29. Filtering Local Traffic (2 of 2)
    Definition:

      filter limit-ssh-access {
          term ssh-accept {
              from {
                  source-prefix-list {
                      trusted;
                  }
                  protocol tcp;
                  destination-port ssh;
              }
              then accept;
          }
          term ssh-reject {
              from {
                  protocol tcp;
                  destination-port ssh;
              }
              then {
                  discard;
              }
          }
          term else-accept {
              then accept;
          }
      }

    Application:

      lo0 {
          unit 0 {
              family inet {
                  filter {
                      input limit-ssh-access;
                  }
                  address 10.255.71.48/32;
              }
          }
      }

    The filter affects incoming traffic destined to the Routing Engine!
    Think About It: Which problems might occur if you omit the else-accept term?
  • 30. Policing
    Policing (rate-limiting) enables you to limit the amount of traffic that passes into or out of an interface:
      • Works with firewall filters to thwart DoS attacks
      • Common actions include discard and setting the loss-priority level
      • Uses average bandwidth and maximum burst size
    [Figure: traffic exceeding the policer goes to the bit bucket]
  • 31. Configuration Example

      [edit firewall]
      user@host# show
      policer p1 {
          if-exceeding {
              bandwidth-limit 400k;
              burst-size-limit 100k;
          }
          then discard;
      }
      family inet {
          filter rate-limit-subnet {
              term match-subnet {
                  from {
                      source-address {
                          192.100.1.0/24;
                      }
                  }
                  then {
                      policer p1;
                  }
              }
              term else-accept {
                  then accept;
              }
          }
      }

    policer p1 defines the policer; policer p1 inside the then block of match-subnet references it.
    bandwidth-limit: in bits per second, 30,520 bps to 4.29 Gbps.
    burst-size-limit: in bytes; the minimum should be 10 times the MTU (low speed) or bandwidth times 3–5 milliseconds (high speed).
    You must apply the filter!
    Note: The filter must account for routing and management protocols.
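How the two policer parameters on slide 31 interact, modelled as a token bucket in Python. This is an added example, not Juniper's code or part of the slide deck: `Policer` is a hypothetical model that treats `bandwidth-limit` as the refill rate (bits per second) and `burst-size-limit` as the bucket depth (bytes), the packet streams are constructed, and exact `Fraction` arithmetic is used so the results are reproducible rather than subject to float drift.

```python
"""Token-bucket policer modelled in Python (added example, not Juniper's
code).  bandwidth-limit is the refill rate in bits per second and
burst-size-limit the bucket depth in bytes, as on slide 31; a packet that
finds too few tokens is out of profile and, with 'then discard', dropped.
Both packet streams below are constructed."""
from fractions import Fraction
from typing import Iterable, Tuple


class Policer:
    def __init__(self, bandwidth_limit_bps: int, burst_size_limit_bytes: int):
        self.rate = Fraction(bandwidth_limit_bps, 8)   # tokens (bytes) added per second
        self.depth = burst_size_limit_bytes             # bucket never holds more than this
        self.tokens = Fraction(burst_size_limit_bytes)  # bucket starts full
        self.last = Fraction(0)

    def conforms(self, t: Fraction, size: int) -> bool:
        """Credit tokens for the time elapsed since the last packet, then try
        to spend `size` of them; False means the packet exceeds the profile."""
        self.tokens = min(self.depth, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def simulate(policer: Policer, packets: Iterable[Tuple[Fraction, int]]) -> Tuple[int, int]:
    """Run (timestamp, size) packets through the policer; return (passed, discarded)."""
    passed = discarded = 0
    for t, size in packets:
        if policer.conforms(t, size):
            passed += 1
        else:
            discarded += 1
    return passed, discarded


def burst_then_trickle() -> Tuple[int, int]:
    """Constructed stream: 150 x 1000-byte packets at t=0 (a burst), then 60
    more one second later, through slide 31's p1 (400k bps, 100k bytes)."""
    p1 = Policer(bandwidth_limit_bps=400_000, burst_size_limit_bytes=100_000)
    stream = [(Fraction(0), 1000)] * 150 + [(Fraction(1), 1000)] * 60
    return simulate(p1, stream)


def steady_rate(bps_offered: int, seconds: int = 10) -> Tuple[int, int]:
    """Constructed stream: 1000-byte packets evenly spaced at bps_offered for
    `seconds`; once the burst allowance is spent, anything above
    bandwidth-limit is discarded."""
    p1 = Policer(400_000, 100_000)
    pkts_per_sec = bps_offered // 8000      # 1000-byte packets per second
    stream = [(Fraction(i, pkts_per_sec), 1000) for i in range(pkts_per_sec * seconds)]
    return simulate(p1, stream)


if __name__ == "__main__":
    print(burst_then_trickle())   # (150, 60): 100k bytes of burst, then 50k bytes refilled in 1 s
    print(steady_rate(400_000))   # (500, 0): offered load at the limit is never dropped
    print(steady_rate(800_000))   # (599, 401): the burst absorbs the first excess, then half are dropped
```

The `burst_then_trickle` run shows why the slide insists on sizing `burst-size-limit` against the MTU or the bandwidth: a bucket of 100k bytes lets a 400 kbps policer pass 100 full-size packets back to back before it starts discarding, and a second of silence refills only 50k bytes of that allowance.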