Layer 3 Services
The JUNOS software services are not limited to just Layer 2 services, but can also include Layer 3 services. These services include stateful firewall, NAT, IDS, and IPSec tunnels. We will give an overview of these services here and will provide a detailed discussion of them in Chapter 8.
On the ASP or Multiservices-100 PIC, you must choose to enable either Layer 2 or Layer 3 services; the ASM on the M7i and the J-series router support both Layer 2 and Layer 3 concurrently.
Usually when certain traffic needs to be blocked on a router, a simple stateless packet filter is applied to an interface. On a Juniper router, these are called firewall filters (other vendors call these access lists). Regardless of the name, all stateless filters function in the same manner—they look at a packet and operate on a series of match rules. If the packet matches a rule, it can be either accepted or discarded.
The important point about a packet filter is that it works on a packet-by-packet basis and does not associate a packet with a traffic flow or stream. In other words, it does not maintain any connection state. This type of filter will work in many situations when applications are using well-known port numbers or TCP applications, where the initiator is always in the same direction. Stateless packet filters become more difficult when the application uses random port numbers—TCP initiators are not always the same—or when UDP input and output flows need to be associated ...