Chapter 3. Stateless Filters, Hierarchical Policing, and Tri-Color Marking

This chapter covers stateless firewall filters and policers on MX routers. The MX Series has some special features and hardware that can make firewall filters and policers not only stronger, faster, and smarter, but also, once you get the hang of their operation, easier. So even if you think you know how to protect the Routing Engine, don’t skip this chapter or the next. The MX Series is one awesome piece of iron, and users are always finding new ways to deploy its features for revenue. As critical infrastructure, it’s well worth protecting; after all, the best rock stars have bodyguards these days.

By the way, this chapter is an overview, but is required reading for Chapter 4, where we blast right into case studies of IPv4 and IPv6 Routing Engine protection filters and coverage of the new DDoS policing feature available on Trio platforms. Chapter 4 is not going to pause to go back and reiterate the key concepts found here in Chapter 3.

The topics discussed in this chapter include:

  • Firewall filtering and policing overview

  • Filter operation

  • Policer types and operation

  • Filter and policer application points

  • Transit filtering case study: Bridging with BUM protection

Firewall Filter and Policer Overview

The primary function of a firewall filter is to enhance security by blocking packets based on various match criteria. Filters are also used to perform multifield classification, a process whereby ...

Get Juniper MX Series, 2nd Edition now with the O’Reilly learning platform.