Firewall Filter and Policer Overview

The primary function of a firewall filter is to enhance security by blocking packets based on various match criteria. Filters are also used to perform multifield classification, a process whereby various fields in a packet (or frame) are inspected, with matching traffic being subjected to some specialized handling. Examples of such handling include subjecting the traffic to a policer for rate limiting, assigning the traffic to a CoS forwarding class for later queuing and packet rewrite operations, or directing the traffic to a specific routing instance where it can be forwarded differently than nonmatching traffic to achieve what is known as Filter-Based Forwarding (FBF) in Junos, a concept akin to Policy-Based Routing (PBR) in other vendors’ equipment.

Policers are used to meter and mark traffic in accordance with bandwidth and burst size settings. Policing at the edge enforces bandwidth-related SLAs and is a critical aspect of Differentiated Services (DS) when supporting real-time or high-priority traffic, as this is the primary mechanism to ensure that excess traffic cannot starve conforming traffic that is scheduled at a lower priority. In addition to discard actions, policers can mark (or color) out-of-conformance traffic, or alter its classification to place it into a new forwarding class.
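The following Junos configuration is an added illustration of the two preceding paragraphs, not an excerpt from the book: one policer that discards excess traffic, one that colors it with a higher loss priority, and a single `family inet` filter whose terms show each of the handling options described above (policing, forwarding-class assignment, and FBF into a routing instance). The filter and policer names, the bandwidth and burst values, and the `PROXY-VRF` routing instance are assumptions chosen for the example; the routing instance itself (typically `instance-type forwarding` plus a rib-group for route leaking) is assumed to exist elsewhere in the configuration.

```junos
firewall {
    /* Hard limit: excess ICMP is dropped so it cannot starve conforming traffic */
    policer LIMIT-ICMP {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    /* Soft limit: excess bulk traffic is accepted but colored for early drop */
    policer COLOR-BULK {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then loss-priority high;
    }
    family inet {
        filter EDGE-IN {
            /* Multifield match on protocol, action: rate limit and count */
            term police-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer LIMIT-ICMP;
                    count icmp-in;
                    accept;
                }
            }
            /* Multifield match on protocol + DSCP, action: CoS classification */
            term classify-voice {
                from {
                    protocol udp;
                    dscp ef;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            /* Filter-Based Forwarding: matching web traffic is looked up in PROXY-VRF */
            term fbf-web {
                from {
                    protocol tcp;
                    destination-port [ http https ];
                }
                then {
                    routing-instance PROXY-VRF;
                }
            }
            /* Bulk transfers are policed softly rather than dropped */
            term color-bulk {
                from {
                    protocol tcp;
                    destination-port ftp-data;
                }
                then {
                    policer COLOR-BULK;
                    accept;
                }
            }
            /* Explicit catch-all; without it the implicit final action is discard */
            term default {
                then {
                    count catch-all;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input EDGE-IN;
                }
            }
        }
    }
}
```

Two points worth checking when deploying something like this: the filter is evaluated term by term, and a packet that matches no term hits an implicit discard, which is why the `default` term is present; and `then routing-instance` implies accept, so FBF traffic never reaches the later terms. The `count` actions expose per-term hit counters (`show firewall filter EDGE-IN`) that are the quickest way to confirm the multifield matches are landing where intended before relying on the policers for SLA enforcement.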

Those familiar with the IOS way of doing things quickly recognize that stateless Junos filters provide functionality that is similar to Access Control Lists (ACLs), whereas policers ...
