What Is A Policy - Juniper E320 Configuration Manual

JUNOSe Internet Software for E-series Routing Platforms

JUNOSe 7.2.x Policy Management Configuration Guide

What Is a Policy?

to provide a variety of services, including tiered bandwidth service where traffic
conforming to configured bandwidth levels is treated differently than traffic
that exceeds the configured values, and a hard-limit service where a fixed
bandwidth limit is applied to a traffic flow. Finally, you can configure rate-limit
profiles to provide a TCP-friendly rate-limiting service that works in conjunction
with TCP's native flow-control functionality.
- Security—Provides a level of network security by using policy rules that
  selectively forward or filter packet flows. You can use a filter rule to stop a
  denial-of-service attack. You can use secure policies to mirror packets and send
  them to an analyzer.
- RADIUS policy support—Enables you to create and attach a policy to an
  interface through RADIUS.
- Packet tagging—Enables the traffic-class rule in policies to tag a packet flow so
  that the Quality of Service (QoS) application can provide traffic-class queuing.
  Policies can perform both in-band and out-of-band packet tagging.
- Packet forwarding—Allows forwarding of packets in a packet flow.
- Packet filtering—Drops packets in a packet flow.
- Packet mirroring—Uses secure policies to mirror packets and send them to an
  analyzer.
- Packet logging—Logs packets in a packet flow.

Policy management gives you the CLI tools to build databases, which can then be
drawn from to implement a policy. Each database contains global traffic
specifications. When building a policy, you specify input from one or more of these
databases and then attach the policy to an interface. By combining the information
from the various databases into policies, you can deploy a wide variety of services.

A policy is a condition and an action that is attached to an interface. The condition
and action cause the router to handle the packets passing through the interface in a
certain way. A policy can be attached to IP interfaces and certain layer 2 interfaces
such as Frame Relay, L2TP, MPLS, and VLAN interfaces. The policies do not need to
be the same in both directions.

Packets are sorted at ingress or egress into packet flows based on attributes defined
in classifier control lists (CLACLs). Policy lists contain rules that associate actions
with these CLACLs. A rule is a policy action optionally combined with a classification.

When packets arrive on an interface, you can have a policy evaluate a condition
before the normal route lookup; this kind of policy is known as an input policy. You
can also have conditions evaluated after a route lookup; this kind of policy is known
as a secondary input policy. You can use secondary input policies to defeat
denial-of-service attacks directed at a router's local interface or to protect a router
from being overwhelmed by legitimate local traffic. If you have a policy applied to
packets before they leave an interface, this is known as an output policy.
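
The following Python sketch is an added illustration, not JUNOSe code or CLI syntax from this guide. It models the three attachment points described above to show why a rule that depends on the route lookup result can only take effect in a secondary input policy. The class names, the "filter"/"forward" action strings, the first-match-wins and default-forward semantics, and all addresses are assumptions made for the model.

```python
# Added illustration, not JUNOSe code. Names, actions and addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Clacl:
    """Classifier control list: the condition that sorts packets into a flow."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    local: Optional[bool] = None   # needs the route lookup result; None = ignore

    def matches(self, pkt, is_local=None):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.local in (None, is_local))

@dataclass
class Interface:
    # Each policy is an ordered list of (Clacl, action) rules.
    input: list = field(default_factory=list)            # before route lookup
    secondary_input: list = field(default_factory=list)  # after route lookup
    output: list = field(default_factory=list)           # before the packet leaves

def apply(policy, pkt, is_local=None):
    """Assumed semantics: first matching rule wins, no match means forward."""
    for clacl, action in policy:
        if clacl.matches(pkt, is_local):
            return action
    return "forward"

def process(pkt, ingress, egress, local_addrs):
    """Walk one packet through the three stages and report its fate."""
    if apply(ingress.input, pkt) == "filter":
        return "dropped at input"
    is_local = pkt["dst"] in local_addrs   # stand-in for the route lookup
    if apply(ingress.secondary_input, pkt, is_local) == "filter":
        return "dropped at secondary input"
    if is_local:
        return "delivered to router"
    if apply(egress.output, pkt) == "filter":
        return "dropped at output"
    return "forwarded"

LOCAL_ADDRS = {"192.0.2.1"}   # constructed address of the router itself
INGRESS = Interface(input=[(Clacl(src="203.0.113.0/24"), "filter")],
                    secondary_input=[(Clacl(proto="icmp", local=True), "filter")])
EGRESS = Interface(output=[(Clacl(dst="198.51.100.0/24", proto="udp"), "filter")])
```

In this model, ICMP addressed to the router is dropped at the secondary input stage while transit ICMP through the same interface is still forwarded, which is the separation the secondary input policy exists to provide.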

This manual is also suitable for:

Erx-710, Erx-310, Erx-1440, Erx-1410, Erx-705