Layer 3 Services
The JUNOS software services are not limited to just Layer 2 services, but can also include Layer 3 services. These services include stateful firewall, NAT, IDS, and IPSec tunnels. We will give an overview of these services here and will provide a detailed discussion of them in Chapter 8.
Tip
On the ASP or Multiservices-100 PIC, you must choose to enable either Layer 2 or Layer 3 services; the ASM on the M7i and the J-series router support both Layer 2 and Layer 3 concurrently.
Stateful Firewall
Usually when certain traffic needs to be blocked on a router, a simple stateless packet filter is applied to an interface. On a Juniper router, these are called firewall filters (other vendors call these access lists). Regardless of the name, all stateless filters function in the same mannerâthey look at a packet and operate on a series of match rules. If the packet matches a rule, it can be either accepted or discarded.
The important point about a packet filter is that it works on a packet-by-packet basis and does not associate a packet with a traffic flow or stream. In other words, it does not maintain any connection state. This type of filter will work in many situations when applications are using well-known port numbers or TCP applications, where the initiator is always in the same direction. Stateless packet filters become more difficult when the application uses random port numbersâTCP initiators are not always the sameâor when UDP input and output flows need to ...
Get JUNOS Enterprise Routing now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
