Policy Attachment Sequence At Login Through Service Manager; Policy Attachment Rules For Merged Policies - Juniper POLICY MANAGEMENT - CONFIGURATION GUIDE V11.1.X Configuration Manual

JUNOSe 11.1.x Policy Management Configuration Guide
Reference Counting for Merged Policies
The reference counts in all containers referenced within a merged policy are
incremented by the number of times they are referenced within the merged policy.
Also, the reference counts of all component policies of a merged policy are
incremented because of the association of the component policies with the merged
policy. This means you cannot delete a component policy while a merged policy is
still associated with it.
Persistent Configuration Differences for Merged Policies Through Service Manager
Service Manager can specify whether a component policy attachment is nonvolatile.
If the interface where the component policy is attached is volatile, then policy
management makes the attachment volatile even when the Service Manager specifies
otherwise. A nonvolatile interface can have both volatile and nonvolatile component
policy attachments. The merged policy that is created is the merge of all component
policies attached at a given attachment point regardless of their volatility. The merged
policy and its attachments are always volatile and reconstructed on each reload
operation.

Policy Attachment Sequence at Login Through Service Manager

During a user login, you can specify policy attachments through Service Manager,
RADIUS, and Interface Profile. The order that is used to select the policy attachment
source is Service Manager, RADIUS, and Interface Profile.
For example, if you configure Ingress-Policy-Name VSA for a user in RADIUS and
also have a profile with an input policy reference applied to this user's interface
column, when the user logs in, the RADIUS VSA is selected as the source for the input
policy attachment. If you also have service profiles applied to the user's interface
column, the service profiles override both RADIUS VSA and the policy name specified
in the interface profile.
NOTE: Policy merging is not supported with ascend data filter policies.
Policy management does not reselect the source if the policy attachment fails for
the selected source. If the policy attachment via service profiles fails, policy
management does not reselect RADIUS VSA as the next source. This means the
interface does not have any input policy attachment.

Policy Attachment Rules for Merged Policies

The attributes of a policy attachment are as follows:
106
Reference Counting for Merged Policies
Policy name Name of policy to be attached.
Attachment type Type of attachment.
Statistics enable/disable Enable or disable statistics for the attachment.