Juniper E320 Configuration Manual

JUNOSe Internet Software for E-series Routing Platforms

JUNOSe
Internet Software
for E-series
Routing Platforms

Policy Management

Configuration Guide

Release 7.2.x
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 162-01268-00, Revision A00

Summary of Contents for Juniper E320

  • Page 1: Policy Management

    JUNOSe Internet Software ™ for E-series Routing Platforms ™ Policy Management Configuration Guide Release 7.2.x Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 408-745-2000 www.juniper.net Part Number: 162-01268-00, Revision A00...
  • Page 2 Software” means Software which Juniper has embedded in the Juniper equipment. 3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions: a.
  • Page 3 (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N.
  • Page 5: Table Of Contents

    Table of Contents. About This Guide: Objectives, ix; E-series Routers, x; Audience, x; Documentation Conventions, x; Related E-series and JUNOSe Documentation, xii; E-series and JUNOSe Documents, xii; JUNOSe Configuration Guides, xiv; Obtaining Documentation, xv; Documentation Feedback, xv; Requesting Support...
  • Page 6 JUNOSe 7.2.x Policy Management Configuration Guide. Classifier Group Command, 36; Policy Rule Commands, 36; Packet Tagging, 44; Merging Policies, 44; Rules for Attachment Through Interface Configuration Mode, 45; Policy Merging Restrictions, 46; Resolving Merge Conflicts, 46; Merged Policy Naming Conventions...
  • Page 7 Table of Contents. CAM Hardware Classifiers, 110; Size Limit for IP and IPv6 CAM Hardware Classifiers, 111; IP Classifiers and Size Limits, 111; IPv6 Classifiers and Size Limits, 113; Software Classifiers, 117; Interface Attachment Resources, 118; CAM Hardware Classifiers and Interface Attachment Resources, 118; Software Classifiers and Range Vector Hardware Classifiers and Interface Attachment Resources, 119; Chapter 5...
  • Page 8 JUNOSe 7.2.x Policy Management Configuration Guide. Configuring the E-series Router: Mirror User Who Is Already Logged On, 169; Configuring RADIUS-Initiated Mirroring When a User Is Already Logged In, 170; Commands and Guidelines, 171; Conflicts Between CLI-Based and RADIUS-Based Configurations, 174; Understanding the Prepended Header, 174; Format of the Mirror Header Attributes, 176; Resolving and Tracking the Analyzer Device’s Address, 177; Using Multiple Triggers, 177...
  • Page 9: About This Guide

    About This Guide This preface provides the following guidelines for using JUNOSe™ Internet Software for E-series™ Routing Platforms Policy Management Configuration Guide: Objectives on page ix E-series Routers on page x Audience on page x Documentation Conventions on page x Related E-series and JUNOSe Documentation on page xii Obtaining Documentation...
  • Page 10 ERX-310 router All models use the same software. For information about all models except the E320 router, see ERX Hardware Guide, Chapter 1, ERX Overview. For information about the E320 router, see E320 Hardware Guide, Chapter 1, E320 Overview. In the E-series documentation, the term ERX-14xx models refers to both the ERX-1440 router and the ERX-1410 router.
  • Page 11 About This Guide Table 2 defines text conventions used in this guide and the syntax conventions used primarily in the JUNOSe Command Reference Guide. For more information about command syntax, see JUNOSe System Basics Configuration Guide, Chapter 2, Command-Line Interface. Table 2: Text and Syntax Conventions Convention Description...
  • Page 12: Related E-Series And Junose Documentation

    Description E-series Hardware Documentation E320 Quick Start Guide Shipped in the box with all new E320 routers. Provides the basic procedures to help you get an E320 router up and running quickly. E320 Hardware Guide Provides the necessary procedures for getting E320 routers operational, including...
  • Page 13 About This Guide Table 3: Juniper Networks E-series and JUNOSe Technical Publications (continued) Document Description JUNOSe Software Guides JUNOSe System Basics Configuration Guide Provides information about: Planning and configuring your network Using the command-line interface (CLI) Installing JUNOSe software Configuring the Simple Network Management Protocol (SNMP)
  • Page 14: Junose Configuration Guides

    JUNOSe 7.2.x Policy Management Configuration Guide Table 3: Juniper Networks E-series and JUNOSe Technical Publications (continued) Document Description JUNOSe Quality of Service Configuration Explains how to configure quality of service (QoS) features to queue, schedule, Guide and monitor traffic flow. These features include:...
  • Page 15: Obtaining Documentation

    Sample displays that result when you issue the show command Obtaining Documentation To obtain the most current version of all Juniper Networks technical documentation, see the products documentation page on the Juniper Networks Web site at http://www.juniper.net/. To order printed copies of this manual and other Juniper Networks technical documents or to order a documentation CD, which contains this manual, contact your sales representative.
  • Page 16 JUNOSe 7.2.x Policy Management Configuration Guide Requesting Support...
  • Page 17: Chapter 1 Policy Management Overview

    Chapter 1 Policy Management Overview This chapter introduces policy-based routing management on E-series routers. Policy management enables you to configure, manage, and monitor policies that selectively cause packets to take different paths without requiring a routing table lookup. The JUNOSe software’s packet mirroring feature uses secure policies. This chapter discusses the following topics: Overview on page 1...
  • Page 18: What Is A Policy

    JUNOSe 7.2.x Policy Management Configuration Guide to provide a variety of services, including tiered bandwidth service where traffic conforming to configured bandwidth levels is treated differently than traffic that exceeds the configured values, and a hard-limit service where a fixed bandwidth limit is applied to a traffic flow.
  • Page 19: Classification

    Chapter 1: Policy Management Overview Classification Classification is the process of taking a single data stream in and sorting it into multiple output substreams. The classifier engine on an E-series router is a combination of PowerPC processors, working with a Field Programmable Gate Array (FPGA) for a hardware assist.
  • Page 20: Platform Considerations

    See the ERX Module Guide for modules supported on ERX-7xx models, ERX-14xx models, and the ERX-310 router. See the E320 Module Guide for modules supported on the E320 router. References For more information about policy management, see the following resources: RFC 2474—Definition of the Differentiated Services Field (DS Field) in the IPv4...
  • Page 21: Creating Policies

    Chapter 2 Creating Policies This chapter provides information for configuring policy-based routing management on E-series routers. This chapter discusses the following topics: Overview on page 5 Platform Considerations on page 7 Creating Classifier Control Lists on page 7 Creating Policy Lists on page 19 Creating Classifier Groups and Policy Rules on page 31...
  • Page 22: Policy Processing Order On An Interface Stack

    You can apply policy lists to packets: arriving at an interface (input policy); on IP and IPv6 interfaces an input policy is applied before route lookup. Arriving at the interface, but after route lookup (secondary input policy); secondary input policies are supported only on IP and IPv6 interfaces. Leaving an interface (output policy). Policy Processing Order on an Interface Stack...
  • Page 23: Platform Considerations

    See the ERX Module Guide for modules supported on ERX-7xx models, ERX-14xx models, and the ERX-310 router. See the E320 Module Guide for modules supported on the E320 router. Creating Classifier Control Lists CLACLs specify the criteria by which the router defines a packet flow.
  • Page 24 Table 4: CLACL Criteria (continued). Type of CLACL and Criteria (continued from the previous page): Color; Destination IP address; Destination port; Destination route class; Internet Control Message Protocol (ICMP); Internet Group Management Protocol (IGMP); IP flags; IP fragmentation offset; Locally destined traffic; Protocol; Source IP address; Source port...
  • Page 25: Classifier Control List Commands

    Chapter 2: Creating Policies. Table 4: CLACL Criteria (continued). Type of CLACL: VLAN. Criteria: Color; Traffic class; User packet class; User priority. You configure CLACLs with a name and then values to match in the IP datagram header. A CLACL does not include an action: actions take place when a match is included in a policy list.
  • Page 26 JUNOSe 7.2.x Policy Management Configuration Guide frame-relay classifier-list Use to create or modify a Frame Relay classifier control list. NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command. Use the following keywords to configure the list: traffic-class—Matches packets with a class that you defined using the traffic-class command...
  • Page 27 tos, dsfield, and precedence specify the ToS byte in the IP header: tos—Specifies the use of the whole 8 bits of the ToS byte; range is 0–255. dsfield—Specifies the use of the upper 6 bits of the ToS byte; range is...
  • Page 28 JUNOSe 7.2.x Policy Management Configuration Guide Use the sourceAddress and destinationAddress options to classify traffic based on source and destination addresses. You can specify the address as a host address, a subnet, or a wildcard. If you specify the address as a subnet, the mask, in binary notation, must be a series of contiguous zeros, followed by a series of contiguous ones.
  • Page 29 Chapter 2: Creating Policies Use the following keywords to configure classification to match route-class values: source-route-class—Classifies on packets associated with a route class based on the packet’s source address; route-class range is 0–255; default is destination-route-class—Classifies on incoming packets associated with a route class based on the packet’s destination address;...
  • Page 30 JUNOSe 7.2.x Policy Management Configuration Guide Use the destinationQualifier option to specify a single TCP or UDP port or range of ports, an ICMP code and optional type, or an IGMP type. The destinationQualifier option is composed of the following suboptions: portNumber—Single port number or the beginning of a range of port numbers (TCP and UDP only) portOperator—One of the following (TCP and UDP only):...
  • Page 31 Chapter 2: Creating Policies Use the color keyword to match on one of the following: green—Matches packets with color green, indicating a low drop preference yellow—Matches packets with color yellow, indicating a medium drop preference red—Matches packets with color red, indicating a high drop preference user-packet-class—Matches packets with the specified user packet class value Use the no version to remove the classifier control list.
  • Page 32 JUNOSe 7.2.x Policy Management Configuration Guide Use the protocol option to match a specific protocol number and specify protocol attributes: icmpv6—ICMP type and code tcp—TCP protocol attributes, such as source and destination port, and source and destination TCP operator and port udp—UDP protocol attributes, such as source and destination port For TCP and UDP, use the portQualifier option to specify a single port or a range of source or destination ports.
  • Page 33 Chapter 2: Creating Policies local true—Matches packets that are destined to a local interface. local false—Matches packets that are traversing the router; this is the default setting. For example: host1(config)#ipv6 classifier-list svale20 source-route-class 1 host1(config)#ipv6 classifier-list svale30 destination-route-class 1 tcfield 10 host1(config)#ipv6 classifier-list svale40 source-route-class 1 local true host1(config)#ipv6 classifier-list west25 source-route-class 1 local false In the previous example, classifier control lists match route-class values as...
  • Page 34 JUNOSe 7.2.x Policy Management Configuration Guide l2tp classifier-list Use to create or modify an L2TP classifier control list. NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command. Use the following keywords to configure the list: traffic-class—Matches packets with a traffic class that you defined using the traffic-class command...
  • Page 35: Creating Policy Lists

    Chapter 2: Creating Policies vlan classifier-list Use to create or modify a VLAN classifier control list. NOTE: Do not use the asterisk (*) for the name of a classifier list. The asterisk is used as a wildcard for the classifier-group command. Use the following keywords to configure the list: traffic-class—Matches packets with a traffic class that you defined using the traffic-class command...
  • Page 36: Creating A Policy List For Atm

    JUNOSe 7.2.x Policy Management Configuration Guide Figure 2 shows how a sample IP policy list is constructed. Figure 2: Constructing an IP Policy List tiered12MB AcmeCompanyUDP Database hardlimit9MB XYZCorpIGMP hardlimit3MB XYZCorpICMP Rate limit profiles Classifier control lists filterForHighSecurity routeForAcmeCompany next-interface routeForXYZCorp action classification...
  • Page 37 3. Exit Policy List Configuration mode to save the configuration.
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#exit
    host1(config)#
    4. Create a UBR policy that maps to the strict best-effort traffic class and color red.
    host1(config)#atm policy-list polUbr
    host1(config-policy-list)#classifier-group *
    host1(config-policy-list-classifier-group)#traffic-class best-effort
    host1(config-policy-list-classifier-group)#color red
    5.
  • Page 38: Creating A Policy List For Ip

    JUNOSe 7.2.x Policy Management Configuration Guide ATM policy input polUbr Statistics are disabled 1 interface(s) found host1#show atm subinterface atm 0/0.101 Circuit Interface Interface ATM-Prot VCD VPI VCI Type Encap MTU Status Type ----------- -------- --- --- --- ------- ----- ---- ------ --------- ATM 0/0.101 RFC-1483 101 0 101 PVC SNAP...
  • Page 39 3. Add a rule that specifies a group of forwarding solutions based on classifier list ipCLACL10.
    host1(config-policy-list-classifier-group)#forward next-hop 192.0.2.12 order 10
    host1(config-policy-list-classifier-group)#forward next-hop 192.0.100.109 order 20
    host1(config-policy-list-classifier-group)#forward next-hop 192.120.17.5 order 30
    host1(config-policy-list-classifier-group)#forward interface ip 3/1 order 40
    4.
  • Page 40: Creating A Policy List For Ipv6

    JUNOSe 7.2.x Policy Management Configuration Guide Creating a Policy List for IPv6 The following example creates an IPv6 policy list named routeForIPv6. For information about creating the CLACL used in this example, see the previous sections. 1. Create the policy list routeForIPv6. host1(config)#ipv6 policy-list routeForIPv6 host1(config-policy-list)# 2.
  • Page 41
    host1(config-policy-list-classifier-group)#mark-de 1
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#exit
    2. Create the policy list used for the ingress traffic, and create the classifier group conforming to CLACL frMatchDeSet. Add a rule that colors the ingress traffic.
    host1(config)#frame-relay policy-list frInputPolicy
    host1(config-policy-list)#classifier-group frGroupA
    host1(config-policy-list-classifier-group)#color red
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#exit...
  • Page 42: Creating A Policy List For Gre Tunnels

    5. Display the classifier list.
    host1#show classifier-list detailed
    Classifier Control List Table
    ---------- ------- ---- -----
    Frame relay Classifier Control List frMatchDeSet
    Reference count:
    Entry count:
    Classifier-List frMatchDeSet Entry 1
    DE Bit:
    6. Display the policy lists.
    host1#show policy-list
    Policy Table
    ------ -----...
  • Page 43: Creating A Policy List For L2Tp

    3. Add two rules for traffic based on the CLACL named gre8: one rule to color packets as red, and a second rule that specifies the ToS DS field value to be assigned to the packets.
    host1(config-policy-list-classifier-group)#color red
    host1(config-policy-list-classifier-group)#mark dsfield 20
    host1(config-policy-list-classifier-group)#...
  • Page 44: Creating A Policy List For Mpls

    5. Display the policy list.
    host1#show policy-list routeForl2tp
    Policy Table
    ------ -----
    L2TP Policy routeForl2tp
    Administrative state: enable
    Reference count:
    Classifier control list: *, precedence 100
    color red
    rate-limit-profile l2tpRLP20
    NOTE: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode.
  • Page 45: Creating A Policy List For Vlans

    Chapter 2: Creating Policies NOTE: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode. Creating a Policy List for VLANs The following example creates a VLAN policy list named routeForVlan. The classifier group lowLatencyLowDrop uses the default precedence of 100.
  • Page 46: Policy List Configuration Commands

    8. Display the policy list.
    host1#show policy-list routeForVlan
    Policy Table
    ------ -----
    VLAN Policy routeForVlan
    Administrative state: enable
    Reference count:
    Classifier control list: lowLatencyLowDrop, precedence 100
    traffic-class lowLatencyLowDrop
    color green
    mark-user-priority 7
    Classifier control list: lowLatency, precedence 100
    traffic-class lowLatency
    Classifier control list: excellentEffort, precedence 100
    traffic-class excellentEffort...
  • Page 47: Creating Classifier Groups And Policy Rules

    Chapter 2: Creating Policies Creating Classifier Groups and Policy Rules Classifier groups contain the policy rules that make up a policy list. A policy rule is an association between a policy action and an optional CLACL. The CLACL defines the packet flow on which the policy action is taken. A policy list might contain multiple classifier groups—you can specify the precedence in which classifier groups are evaluated.
  • Page 48 JUNOSe 7.2.x Policy Management Configuration Guide The precedence of rules is important if you want a specific rule to be applied. For example, if an IP policy list has both a rate-limit-profile rule (which specifies a color) and a color rule in the same classifier-group, the color specified by the color rule is always used rather than the color implied in the rate-limit-profile rule (the color rule has a higher precedence).
  • Page 49: Rules That Provide Routing Solutions

    Chapter 2: Creating Policies Rules That Provide Routing Solutions The next interface, next hop, filter, and forward rules provide routing solutions for traffic matching a classifier. A classifier can have only one action that provides a routing solution. If you configure two routing solution rules, such as filter and forward, in the same classifier group, the router displays a warning message, and the rule configured last replaces the previous rule.
  • Page 50: Creating Multiple Forwarding Solutions With Ip Policy Lists

    JUNOSe 7.2.x Policy Management Configuration Guide To stop a denial-of-service attack, you can use a policy with a filter rule. You need to construct the classifier list associated with the filter rule so that it isolates the attacker’s traffic into a flow. To determine the criteria for this classifier list, you need to analyze the traffic received on an interface.
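
A worked configuration for the filter-rule approach described above, added here as an example and not taken from the guide. It assumes a constructed attack flow that has already been identified from the interface's traffic (TCP from the 192.0.2.0/24 range to the web server 198.51.100.10 on port 80) and placeholder names: classifier list dosAttacker, policy list dosFilter, and ingress subinterface atm 5/0.2, which is assumed to already carry IP.

```text
! 1. Classifier control list: isolate the attacker's flow and nothing else.
!    The source is given as a subnet with a wildcard mask; the mask must be
!    contiguous zeros followed by contiguous ones (0.0.0.255 = 192.0.2.0/24).
host1(config)#ip classifier-list dosAttacker tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 80

! 2. Policy list: drop that flow, forward everything else.
!    Lower precedence values are evaluated first, so the filter group
!    (precedence 10) is tested before the catch-all group * (precedence 1000).
host1(config)#ip policy-list dosFilter
host1(config-policy-list)#classifier-group dosAttacker precedence 10
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group * precedence 1000
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
! The rules take effect only after you exit Policy List Configuration mode.

! 3. Attach as an input policy on the interface that receives the attack,
!    so the packets are dropped before route lookup. Statistics are enabled
!    so the counters show whether the classifier is actually matching.
host1(config)#interface atm 5/0.2
host1(config-if)#ip policy input dosFilter statistics enabled
host1(config-if)#exit

! 4. Verify the rule set and the attachment, then watch the drop counters.
host1#show policy-list dosFilter
host1#show ip interface atm 5/0.2
```

The classifier list is the security-critical part: it must match only the attack flow. A classifier group * carrying a filter rule would drop every packet on the interface, and because lower precedence values are evaluated first, the filter group must carry a lower number than any catch-all group. Check the counters after attaching; a filter that matches nothing is indistinguishable from no mitigation at all.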
  • Page 51 Chapter 2: Creating Policies The following guidelines apply when you create a group of forwarding solutions in an IP policy list: You can specify a maximum of 20 forwarding solutions for a classifier. The interface and next-hop elements of a forwarding solution must exist within a single virtual router: Next-interface elements are associated with the virtual router where that interface exists.
  • Page 52: Classifier Group Command

    JUNOSe 7.2.x Policy Management Configuration Guide NOTE: You can use the suspend version of the command to suspend an individual entry in a group of forwarding solutions. The forward rule remains active as long as there is a reachable or active entry in the group of forwarding solutions. If you suspend all entries in the group, the status of the forward rule is changed to suspended.
  • Page 53 Chapter 2: Creating Policies color Use to color a packet matching the current CLACL as green, yellow, or red: green—Highest precedence yellow—Intermediate precedence red—Lowest precedence Example host1(config-policy-list-classifier-group)#color green Use the suspend version to suspend the color rule within the classifier group. Use the no version to remove the color rule from the classifier group.
  • Page 54 JUNOSe 7.2.x Policy Management Configuration Guide rate-limit-profile—Rate limit is applied and the exception rule is applied to packets. traffic-class—Traffic class is set and the exception rule is applied to packets. user-packet-class—User packet class is set and the exception rule is applied to packets.
  • Page 55 Chapter 2: Creating Policies For IP policy lists only: You can use the forward interface command to specify multiple interfaces and the forward next-hop command to specify next-hop addresses as possible forwarding solutions. If you define multiple forwarding solutions for a single CLACL, use the order keyword to specify the order in which the router chooses the solutions.
  • Page 56 Use to assign a value of 0 or 1 to the ATM CLP bit for packets conforming to the current classifier control list. Marking of CLP on frame-based interfaces is only supported on E320 router line modules. Example host1(config-policy-list-classifier-group)#mark-clp 1 Use the suspend version to temporarily suspend the mark CLP rule.
  • Page 57 Chapter 2: Creating Policies Use the suspend version to suspend the mark DE rule within the classifier group. Use the no version to remove the mark DE rule from the classifier group. mark-exp Use to assign a value in the range 0–7 to the MPLS EXP field for packets conforming to the current CLACL.
  • Page 58 JUNOSe 7.2.x Policy Management Configuration Guide next-interface Use to define an output interface to which the packets conforming to the current CLACL are forwarded. NOTE: The forward interface command replaces the next-interface command. The next-interface command may be removed in a future release. See the forward interface command for details.
  • Page 59 red-mark Use to apply a ToS mark value in the range 0–255 to packets that are classified red by the rate-limit hierarchy. Example host1(config-color-mark-profile)#red-mark 255 Use the no version to restore the default. traffic-class Use to specify a traffic-class rule for packets conforming to the current CLACL. When this rule is applied to a packet, the packet is associated with this traffic class within the router.
  • Page 60: Packet Tagging

    JUNOSe 7.2.x Policy Management Configuration Guide Packet Tagging You can use the traffic-class rule in policies to tag a packet flow so that the QoS application can provide traffic-class queuing. Policies can perform both in-band and out-of-band packet tagging: Policies perform in-band tagging by using their respective mark rule to modify a packet header field.
  • Page 61: Rules For Attachment Through Interface Configuration Mode

    Chapter 2: Creating Policies An interface and an attachment type identify an attachment point. The policies referenced by the component attachments merge into a new policy, which then attaches at the attachment point. The set of component policies are ordered alphabetically by name.
  • Page 62: Policy Merging Restrictions

    JUNOSe 7.2.x Policy Management Configuration Guide Policy Merging Restrictions The following restrictions apply to policy merging: Classifier lists cannot be merged. Secure policies cannot be merged. Policies created using ascend-data-filters cannot be merged. Existing policy VSAs in RADIUS are not changed; attachments created by this method cannot be merged.
  • Page 63 For IP, the forward, filter, next-hop, and next-interface rules are mutually exclusive within a classifier group. For all other types, filter and forward rules are mutually exclusive. Example 2: A conflict arises when more than one component policy has the same classifier group and when the rule sets defined in these classifier groups conflict.
  • Page 64
    host1(config-classifier-group)#color yellow
    host1(config-classifier-group)#exit
    Combining p1 and p2 internally results in:
    ip policy-list mpl_20
    classifier-group C1 precedence 90
    color yellow
    exit
    Example 4: With the IP policy forward rule, when more forward rules are added to an existing classifier group, the list of forward rules is created.
  • Page 65: Merged Policy Naming Conventions

    Chapter 2: Creating Policies Merged Policy Naming Conventions Merged policies are dynamically created. The naming convention is mpl_<hex of internally generated policy ID>, such as mpl_10. If the newly generated name already exists, then a sequence number is appended to the new name to make it unique.
  • Page 66: Policy Attachment Rules

    JUNOSe 7.2.x Policy Management Configuration Guide Policy Attachment Rules The attributes of a policy attachment are as follows: Policy name—Name of policy to be attached. Attachment type—Type of attachment. Statistics enable/disable—Enable or disable statistics for the attachment. Baseline enable/disable—Enable or disable baselining for the attachment. Merge or Replace—Allow an attachment to become merge-capable and merge with any other attachments that are merge-capable.
  • Page 67: Error Conditions

    Chapter 2: Creating Policies A detachment based on the policy name removes all attachments for that policy at the specified attachment point in a single command regardless of creation source. A detachment based on attachment type detaches all attachments at that attachment point regardless of creation source. Service Manager can delete only one attachment at a time through service deactivation.
  • Page 68 2. Create IP policy p2.
    host1(config)#ip classifier-list C1 tcp host 1.1.1.1 any eq 80
    host1(config)#ip classifier-list C3 ip any host 2.2.2.2
    host1(config)#ip policy-list p2
    host1(config-policy)#classifier-group C1 precedence 90
    host1(config-policy-classifier-group)#forward next-hop 20.1.1.1
    host1(config-policy-classifier-group)#exit
    host1(config-policy)#classifier-group C3 precedence 10
    host1(config-policy-classifier-group)#filter
    host1(config-policy-classifier-group)#exit
    host1(config-policy)#classifier-group * precedence 1000...
  • Page 69: Show Configuration

    ! Configuration script being generated on TUE APR 26 2005 17:33:01 UTC ! Juniper Edge Routing Switch ERX-1440 ! Version: 9.9.9 development-4.0 (April 4, 2005 15:39) ! Copyright (c) 1999-2005 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 …...
  • Page 70: Display Interface Statistics

    classifier-group C1 precedence 90
    forward next-hop 10.1.1.1
    ip policy-list p2
    classifier-group C3 precedence 10
    filter
    classifier-group C1 precedence 90
    forward next-hop 20.1.1.1
    classifier-group * precedence 1000
    forward
    …
    …
    ! End of generated configuration script.
    7.
  • Page 71
    0 packets, 0 bytes
    forward
    queue 0: traffic class best-effort, bound to ip ATM5/0.1
    Queue length 0 bytes
    Forwarded packets 0, bytes 0
    Dropped committed packets 0, bytes 0
    Dropped conformed packets 0, bytes 0
    Dropped exceeded packets 0, bytes 0
    8.
  • Page 72
    Referenced by profiles: None
    Referenced by merge policies: mpl_5
    IP Policy mpl_5
    Administrative state: enable
    Reference count:
    Classifier control list: C2, precedence 10
    filter
    Classifier control list: C3, precedence 10
    filter
    Classifier control list: C1, precedence 90
    forward
    Virtual-router: default
    List:...
  • Page 73 Chapter 2: Creating Policies Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) Referenced by interfaces: None Referenced by profiles: None Referenced by merge policies: mpl_5 mpl_7 IP Policy p2 Administrative state: enable Reference count: Classifier control list: C3, precedence 10 filter...
  • Page 74
    Classifier control list: C1, precedence 90
    forward
    Virtual-router: default
    List:
    next-hop 10.1.1.1, order 100, rule 2 (active)
    next-hop 20.1.1.1, order 100, rule 3 (reachable)
    Classifier control list: *, precedence 1000
    forward
    Referenced by interfaces: ATM5/0.2 output policy, statistics enabled, virtual-router default
    Referenced by profiles:...
  • Page 75 Chapter 2: Creating Policies Policy Table ------ ----- IP Policy p1 Administrative state: enable Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) Referenced by interfaces: None Referenced by profiles:...
  • Page 76 JUNOSe 7.2.x Policy Management Configuration Guide Administrative state: enable Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C3, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) next-hop 20.1.1.1, order 100, rule 3 (reachable) Classifier control list: *, precedence 1000 forward...
  • Page 77 Chapter 2: Creating Policies Policy Table ------ ----- IP Policy p1 Administrative state: enable Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) Referenced by interfaces: None Referenced by profiles:...
  • Page 78 JUNOSe 7.2.x Policy Management Configuration Guide Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C3, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) next-hop 20.1.1.1, order 100, rule 3 (reachable) Classifier control list: *, precedence 1000 forward Referenced by interfaces:...
  • Page 79: Applying Policy Lists To Interfaces And Profiles

    Chapter 2: Creating Policies
    IP Policy p2
       Administrative state: enable
       Reference count:
       Classifier control list: C3, precedence 10
          filter
       Classifier control list: C1, precedence 90
          forward
             Virtual-router: default
             List: next-hop 20.1.1.1, order 100, rule 3 (active)
       Classifier control list: *, precedence 1000
          forward
    IP Policy p3
       Administrative state: enable...
  • Page 80: Policy Commands

    JUNOSe 7.2.x Policy Management Configuration Guide
    Policy Commands
    Use the commands described in this section to assign policy lists to interfaces.
      atm policy
      frame-relay policy
      gre-tunnel policy
      ip policy
      ipv6 policy
      mpls policy
      l2tp policy
      vlan policy
    Use to assign an ATM, Frame Relay, GRE tunnel, IP, IPv6, MPLS, or VLAN policy list to an interface.
  • Page 81 Chapter 2: Creating Policies You must also enable baselining on the interface with the appropriate baseline command. NOTE: The gre-tunnel policy command does not support the baseline keyword. You can use the preserve keyword to save the existing statistics when you attach a policy to an interface that already has a policy attached.
  • Page 82: Enabling ATM Cell Mode

    JUNOSe 7.2.x Policy Management Configuration Guide Enabling ATM Cell Mode When you configure a rate limit profile to account for ATM cell tax, the forwarding code now calculates this information to determine the size of a frame instead of using only the frame size. Use the show rate-limit-profile command to display the state of the mode.
  • Page 83 Chapter 2: Creating Policies
      Rate limit
      Traffic class
    Classifiers
      Destination address
      Destination port
      Protocol
      Source address
      Source port
    NOTE: An E-series router dynamically assigns names to the new classifier list and policy list based on information such as the interface and direction of the policy. To create a policy, you use hexadecimal format to configure the Ascend-Data-Filter attribute on the RADIUS server.
  • Page 84 JUNOSe 7.2.x Policy Management Configuration Guide
    Table 6: Ascend-Data-Filter Policy Format (continued)
      Action or Classifier        Format    Comments
      Destination port qualifier  1 byte    0 = no compare
                                            1 = less than
                                            2 = equal to
                                            3 = greater than
                                            4 = not equal to
      Reserved                    2 bytes   –...
  • Page 85: Examples Using The Ascend-Data-Filter Attribute

    Chapter 2: Creating Policies
    Examples Using the Ascend-Data-Filter Attribute
    This section provides examples showing the configuration of policies that use the Ascend-Data-Filter attribute.
    Example 1: In this example, the following Ascend-Data-Filter attribute creates a RADIUS record that configures an input policy. The policy filters all packets from network 10.2.1.0 with wildcard mask 0.0.0.255 to any destination.
  • Page 86 JUNOSe 7.2.x Policy Management Configuration Guide
       Referenced by profile(s):
          No profile references
    Example 2: In this example, the Ascend-Data-Filter attribute is used to create RADIUS records that configure two policies. The first policy is an input policy that filters all TCP packets that come from a port greater than 9000 on host 10.2.1.1 and that go to any destination.
  • Page 87 Chapter 2: Creating Policies
      Forward all packets from host 10.2.1.1 to any destination.
      Filter all other traffic.
    The rules for the input policy translate to the following VSAs. The VSAs must be specified in this order:
      Ascend-Data-Filter = "01010100 0A020101 14000000 20080600 00000000 00000000"
      Ascend-Data-Filter = "01000100 0A020101 00000000 20000600 00000000 00000000"...
  • Page 88 JUNOSe 7.2.x Policy Management Configuration Guide
       Referenced by interface(s):
          ATM4/0.0 input policy, statistics enabled, virtual-router default
       Referenced by profile(s):
          No profile references
    IP Policy plout_7
       Administrative state: enable
       Reference count:
       Classifier control list: clout_7_04, precedence 100
          forward
       Classifier control list: clout_7_05, precedence 100
          filter
       Classifier control list: clout_7_06, precedence 100
          forward...
  • Page 89 Chapter 2: Creating Policies
    Table 8: Ascend-Data-Filter Example 4 Values (continued)
      Action or Classifier   Hex Value            Actual Value
      Marking value
      Marking mask
      Traffic class          0773 6f6d6554 636c   someTcl
      Rate-limit profile     0773 6f6d6552 6c70   someRlp
    Use the show classifier-list and show policy-list commands to view information about the policy:
    host1#show classifier-list
    Classifier Control List Table...
  • Page 90 JUNOSe 7.2.x Policy Management Configuration Guide Applying Policy Lists to Interfaces and Profiles...
  • Page 91: Creating Rate-Limit Profiles

    Chapter 3
    Creating Rate-Limit Profiles
    This chapter provides information for configuring rate-limit policy management on E-series routers. This chapter discusses the following topics:
      Overview on page 75
      Platform Considerations on page 76
      Rate Limits on page 76
      Hierarchical Rate Limits on page 77
      One-Rate Rate-Limit Profiles on page 88...
  • Page 92: Platform Considerations

    See the ERX Module Guide for modules supported on ERX-7xx models, ERX-14xx models, and the ERX-310 router. See the E320 Module Guide for modules supported on the E320 router. Rate Limits To configure rate limiting for interfaces, you first create a rate-limit profile, which is a set of bandwidth attributes and associated actions.
  • Page 93: Hierarchical Rate Limits

    Chapter 3: Creating Rate-Limit Profiles Rate limiters are implemented using a dual token bucket scheme: a token bucket for conformed (yellow) packets and a token bucket for committed (green) packets. One token is synonymous with one byte. The capacity of the buckets is the maximum number of tokens that can be placed in each bucket.
  • Page 94: Classifier Groups

    JUNOSe 7.2.x Policy Management Configuration Guide Shared rate limits in the hierarchy keep the combined traffic below a configured maximum without dropping preferred packets. Preferred packets always reduce tokens on these rate limits, making their token counts negative, if necessary. Later non-preferred packets are then dropped in greater volume, bringing the total traffic through the shared rate limit below its configured maximum.
  • Page 95: Rate-Limit Profiles

    Chapter 3: Creating Rate-Limit Profiles Rate-Limit Profiles Hierarchical rate-limit profiles are independent from interface types. You can apply the green, yellow, or red mark values to the rate-limit profile for every type of forwarding interface that accepts ToS marking for packets. The same rate limit can be reused for a different interface type.
  • Page 96 JUNOSe 7.2.x Policy Management Configuration Guide These actions become the same action if the hierarchy has only one rate limit. Combining these actions with the additional choices to transmit or drop packets results in the following possible actions: Drop—Drops the packet at that rate limit in the hierarchy. The packet does not change the state of any rate limit further down the hierarchy.
  • Page 97: Rate-Limiting Hierarchical Policy Examples

    Chapter 3: Creating Rate-Limit Profiles
      3. traffic class
      4. user packet class
      5. next hop
      6. rate limit
      7. color status
      8. color action
      9. parent group
      10. mark
    The mark action is the last action that occurs, after parent-group, so that the color-mark profile can mark the packet with the final color from the hierarchy.
  • Page 98: Multiple Flows Sharing A Rate Limit

    JUNOSe 7.2.x Policy Management Configuration Guide
    host1(config)#policy-list mycompany
    host1(config-policy-list)#classifier-group video parent-group all
    host1(config-policy-list-classifier-group)#rate-limit-profile preferred
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group * parent-group all
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#parent-group all
    host1(config-policy-list-parent-group)#rate-limit-profile common
    host1(config-policy-list-parent-group)#exit
    Multiple Flows Sharing a Rate Limit
    Figure 4 shows an interface that has one rate limit and three classified flows, A, B, and C.
  • Page 99: Shared Pool Of Additional Bandwidth With Select Flows

    Chapter 3: Creating Rate-Limit Profiles
    host1(config-rate-limit-profile)#peak-rate 40000000
    host1(config-rate-limit-profile)#exit
    host1(config)#policy-list rlpshare
    host1(config-policy-list)#classifier-group A parent-group All
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group B parent-group All
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group C parent-group All
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#parent-group All
    host1(config-policy-list-parent-group)#rate-limit-profile All
    host1(config-policy-list-parent-group)#exit
    Shared Pool of Additional Bandwidth with Select Flows
    Figure 5 shows three classified flows, A, B, and C, each of which has an individual rate limit with a peak rate of 1 Mbps.
  • Page 100 JUNOSe 7.2.x Policy Management Configuration Guide
    Figure 5: Shared Pool of Additional Bandwidth With Select Flows
      [figure: used and free bandwidth of flows A, B, and C and of the shared pool]
      Rate limits for A, B, C:             Rate-limit extrabw:
        Each has peak rate: 1 Mbps           Each has peak rate: 2 Mbps
        Rate limit never drops packets       Receives overflow packets from A, B, C...
  • Page 101: Aggregate Marking With Oversubscription

    Chapter 3: Creating Rate-Limit Profiles
    host1(config)#policy-list mypolicy
    host1(config-policy-list)#classifier-group A parent-group extrabw
    host1(config-policy-list-classifier-group)#rate-limit-profile indiv
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group B parent-group extrabw
    host1(config-policy-list-classifier-group)#rate-limit-profile indiv
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group C parent-group extrabw
    host1(config-policy-list-classifier-group)#rate-limit-profile indiv
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#parent-group extrabw
    host1(config-policy-list-parent-group)#rate-limit-profile extrabw
    host1(config-policy-list-parent-group)#rate-limit-profile indiv
    host1(config-policy-list-parent-group)#exit
    Aggregate Marking with Oversubscription
    Figure 6 shows an aggregate rate limit that enables up to 2 Mbps of traffic to be sent with ToS marking TOS1.
  • Page 102 JUNOSe 7.2.x Policy Management Configuration Guide
    Figure 6: Aggregate Marking with Oversubscription
      Rate-limits for A, B, C:                                          Rate-limit S:
        Packets under 1 Mbps marked TOS1                                  Receives packets from A, B, C
        Packets between 1-2 Mbps marked TOS2 (A only) or TOS3 (B, C)      Packets under 2 Mbps are not affected
        All packets sent to rate limit S for TOS1 check                   Drops packets that exceed 6 Mbps rate...
  • Page 103: Color-Aware Configuration

    Chapter 3: Creating Rate-Limit Profiles
    host1(config)#policy-list TOS1_oversubsribed
    host1(config-policy-list)#classifier-group A parent-group S
    host1(config-policy-list-classifier-group)#rate-limit-profile indiv
    host1(config-policy-list-classifier-group)#mark profile A
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group B parent-group S
    host1(config-policy-list-classifier-group)#rate-limit-profile indiv
    host1(config-policy-list-classifier-group)#mark profile BC
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group C parent-group S
    host1(config-policy-list-classifier-group)#rate-limit-profile indiv
    host1(config-policy-list-classifier-group)#mark profile BC
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#parent-group S
    host1(config-policy-list-parent-group)#rate-limit-profile S
    host1(config-policy-list-parent-group)#exit
    Color-Aware Configuration
    Common to many rate-limit hierarchies is a large aggregate rate limit that receives...
  • Page 104: One-Rate Rate-Limit Profiles

    JUNOSe 7.2.x Policy Management Configuration Guide Transmit-unconditional packets entering a color-aware rate limit use the color already on the packet for the rate-limit algorithm. This ensures that the color-aware rate limit depletes tokens from the token buckets to account for these packets. Every packet sent through a rate-limit hierarchy is either dropped inside the hierarchy or emerges with a green, yellow, or red color assigned to it by the rate-limit hierarchy.
  • Page 105: Creating A One-Rate Rate-Limit Profile

    Chapter 3: Creating Rate-Limit Profiles
      Exceeded action—Drop, transmit, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow exceeds the rate; the mark value is not supported for hierarchical rate limits, and the transmit values conditional, unconditional, or final are supported only on hierarchical rate limits
      Mask value—Mask to be applied with mark values for the ToS byte;...
  • Page 106 JUNOSe 7.2.x Policy Management Configuration Guide The configuration values for the preceding attributes determine the degree of friendliness of the rate-limit process. Instead of tail dropping packets that arrive outside the committed and burst rate envelope, the TCP-friendly bucket enables more tokens to be borrowed, up to a limit determined by the excess burst size.
  • Page 107: Two-Rate Rate-Limits

    Chapter 3: Creating Rate-Limit Profiles
      t = time
      T(t) = number of tokens in token bucket at time t
    Table 9: TCP-friendly One-Rate Rate-Limit Profile Algorithms
      Step                                                                                      Result
      if not color aware, use green as the incoming packet color, otherwise use the actual packet color
      if incoming packet color is green
        if T(t) >...
  • Page 108 JUNOSe 7.2.x Policy Management Configuration Guide In color-blind mode, if the committed token bucket has enough tokens when a packet is received, the packet is green and tokens are subtracted from both the committed and the peak token buckets. If the peak bucket does not have enough tokens left, it is allowed to go negative.
  • Page 109 Chapter 3: Creating Rate-Limit Profiles Table 10 indicates the interaction between the rate settings and the actual traffic rate to determine the action taken by a rate-limit rule in a policy when applied to a traffic flow. This implementation is known as a two-rate, three-color marking mechanism.
  • Page 110: Creating A Two-Rate Rate-Limit Profile

    JUNOSe 7.2.x Policy Management Configuration Guide
    Table 11: Two-Rate Rate-Limit Profile Algorithms (continued)
      Step                                                                     Result
      if Tp(t) < B                                                             Packet is marked as red
      if incoming packet color is red (only occurs in color aware operation)   Packet is marked as red
    Creating a Two-Rate Rate-Limit Profile
    To create or modify a two-rate rate-limit profile, use the following commands with the two-rate keyword:...
  • Page 111: Rate-Limit Commands

    Chapter 3: Creating Rate-Limit Profiles Rate-Limit Commands This section lists the commands you use to configure CLI-based rate-limiting for interface-specific rate limits. color-aware Use to set the color-aware rate limit. (Supported only on hierarchical rate limits.) Color-aware rate limits may change the algorithm used depending on the color of the incoming packet, which can have been set in the previous rate limit.
  • Page 112 JUNOSe 7.2.x Policy Management Configuration Guide committed-burst Use to set the committed burst in bytes for a rate-limit profile; range is 1–4294967295. When you specify a nonzero value for the rate, the burst size is automatically calculated for a 100-ms burst as described for the committed-rate command.
  • Page 113 Chapter 3: Creating Rate-Limit Profiles
    conformed-action
    Use to set the conformed action for a rate-limit profile. Valid conformed actions are:
      drop—Drop the packet.
      transmit—Transmit the packet. The following values apply only to hierarchical rate limits:
        conditional—Transmit the packet through the rate limit to the next rate limit in the hierarchy.
  • Page 114 JUNOSe 7.2.x Policy Management Configuration Guide mark—For IP and IPv6 rate-limit profiles, mark the packet by setting the ToS byte (IP) or traffic class field (IPv6) to the specified 8-bit value, and transmit the packet. The mark value is masked with the default 255 unless it is overridden by the mask-val command to specify a different mask;...
  • Page 115 Chapter 3: Creating Rate-Limit Profiles
    Use the following mask values to set the appropriate bits in the ToS field of the IP packet header or in the traffic class field of the IPv6 packet header:
      IP precedence—0xE0 (three most significant bits)
      DS field—0xFC (six most significant bits)
      TOS (IP) or Traffic Class field (IPv6)—0xFF (default)
    Example...
  • Page 116 JUNOSe 7.2.x Policy Management Configuration Guide If the calculated peak burst value is less than the default peak burst size of 8 KB, the default burst size is used. For most configurations this value is probably sufficient, making it optional to configure the associated peak burst size. During a software upgrade, the peak rate in a rate-limit profile is automatically set to 0 if it was nonzero but less than the committed rate before the upgrade.
  • Page 117 Chapter 3: Creating Rate-Limit Profiles
    Table 12: One-Rate Rate-Limit-Profile Defaults
      Policy Attribute                          Default Value
      type                                      one-rate
      committed-rate
      committed-burst                           8192
      excess-burst
      committed-action                          transmit
      conformed-action                          transmit
      exceeded-action                           drop
      mask (IP and IPv6 rate-limit profiles)
      exp-mask (MPLS rate-limit profiles)
    NOTE: We recommend that you do not configure a committed or peak burst size smaller than the MTU of the interface.
  • Page 118: Bandwidth Management

    JUNOSe 7.2.x Policy Management Configuration Guide
    Table 13: Two-Rate Rate-Limit-Profile Defaults
      Policy Attribute                          Default Value
      type                                      two-rate
      committed-rate
      committed-burst                           8192
      peak-rate
      peak-burst                                8192
      committed-action                          transmit
      conformed-action                          transmit
      exceeded-action                           drop
      mask (IP and IPv6 rate-limit profiles)
      exp-mask (MPLS rate-limit profiles)
    During a software upgrade, certain values are set as follows:
      Committed burst size—Set to 8192 if it was less than that value before the upgrade
      Peak burst size—Set to 8192 if it was less than that value before the...
  • Page 119 Chapter 3: Creating Rate-Limit Profiles The queuing system uses drop eligibility to select packets for dropping when congestion exists on an egress interface. This method is called dynamic color-based threshold dropping. The 2-bit tag assigns a color code to the packet: red, yellow, or green.
  • Page 120: One-Rate Rate-Limit Profile

    JUNOSe 7.2.x Policy Management Configuration Guide
    One-Rate Rate-Limit Profile
    A one-rate rate-limit profile can be configured for hard tail drop rate-limit or TCP-friendly behavior. Packets can be categorized as committed, conformed, or exceeded.
    Example 1: You can configure a one-rate rate-limit profile to hard limit a packet flow to a specified rate.
  • Page 121: Rate Limiting Individual Or Aggregate Packet Flows

    Chapter 3: Creating Rate-Limit Profiles
    Example: The following example rate limits traffic on an interface from source IP address 1.1.1.1 so that traffic at a rate up to 1 Mbps is colored green and transmitted, traffic at a rate from 1 Mbps to 2 Mbps is colored yellow and transmitted, and traffic at a rate above 2 Mbps is dropped.
  • Page 122 JUNOSe 7.2.x Policy Management Configuration Guide
    host1(config-subif)#exit
    host1(config)#
    Example 2: Multiple Traffic Flows
    In the following example, interface ATM 3/1.1 again classifies on three traffic flows; however, this policy rate limits the aggregate of the three flows to 1 MB.
    host1(config)#ip classifier-list clFlowAll ip host 10.1.1.1 any
    host1(config)#ip classifier-list clFlowAll ip host 10.1.1.2 any
    host1(config)#ip classifier-list clFlowAll ip host 10.1.1.3 any...
  • Page 123: Policy Resources

    Chapter 4
    Policy Resources
    This chapter provides information for configuring policy resources. This chapter discusses the following topics:
      Overview on page 107
      Platform Considerations on page 109
      FPGA Hardware Classifiers on page 109
      CAM Hardware Classifiers on page 110
      Software Classifiers on page 117
      Interface Attachment Resources on page 118...
  • Page 124 JUNOSe 7.2.x Policy Management Configuration Guide
    Table 14: Classifier Support (OC48/STM16, GE-2, and GE-HDE Line Modules)
      Interface Type        Hardware Classifier   Software Classifier
      All interface types   –                     Color (except IP and IPv6)
                                                  Traffic class
                                                  User packet class
      Frame Relay           Not supported         DE bit
      GRE tunnels           Not supported...
  • Page 125: Platform Considerations

    See the ERX Module Guide for modules supported on ERX-7xx models, ERX-14xx models, and the ERX-310 router. See the E320 Module Guide for modules supported on the E320 router. FPGA Hardware Classifiers Classification is the process of taking a single data stream in and sorting it into multiple output substreams.
  • Page 126: CAM Hardware Classifiers

    JUNOSe 7.2.x Policy Management Configuration Guide FPGA hardware classifiers are supported on all line modules except the OC48/STM16, GE-2, and GE-HDE line modules. Table 15 lists the FPGA classifiers and software classifiers supported for each interface type. An E-series router supports two versions of policies that are based on FPGA hardware classifiers.
  • Page 127: Size Limit for IP and IPv6 CAM Hardware Classifiers

    Chapter 4: Policy Resources
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group clacl2
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group *
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#exit
    host1(config)#
    In two cases a single classifier entry consumes more than one CAM entry:
      When a classifier entry contains a port range. For example:
        host1(config)#ip classifier-list clacl3 tcp any any range 5 8
      When a classifier entry contains the not keyword.
  • Page 128 JUNOSe 7.2.x Policy Management Configuration Guide
    Table 16: Size Limit of Individual IP Classifiers (continued)
      IP Classifier        Size Limit (Bits)
      Local
      Protocol
      Source address
      Source port
      Source route class
      TCP flags
      Traffic class
      User packet class
    Table 17 lists the IP classifiers that share the same classifier entry location and those that are combined to form a larger classifier field.
  • Page 129: IPv6 Classifiers and Size Limits

    Chapter 4: Policy Resources
    Table 17: Size Limit of Combined IP Classifiers (continued)
      IP Classifier Entry Combination                                                                   Size Limit (Bits)   Rule
      Source address                                                                                                        –
      [ not Source port ] and [ not Destination port ] and [ [ ICMP type ] | [ ICMP code ] | [ IGMP type ] ]                   When you do not specify the source port and destination port classifiers, but you specify one or more of ICMP type, ICMP code, and IGMP...
  • Page 130 JUNOSe 7.2.x Policy Management Configuration Guide The format in the classifier entry combinations in Table 19 is based on the conventions for CLI commands, except that the pipe symbol ( | ) represents a choice of one or both options to the left and right of the pipe symbol. Table 19: Size Limit of Combined IPv6 Classifiers IPv6 Classifier Entry Combination Size Limit (Bits)
  • Page 131 Chapter 4: Policy Resources
    Example 1: In this example, a policy with a combination of IP classifiers is created and attached. The configuration conforms to the 128-bit limit.
    1. Match all TCP SYN packets from 1.1.1.1 to any DA with port 2000.
       host1(config)#ip classifier-list tcpCLACL tcp host 1.1.1.1 any eq 2000 tcp-flags "SYN"...
  • Page 132 JUNOSe 7.2.x Policy Management Configuration Guide The total value of the classifiers requested in the ipPol policy is 112, which is less than the 128-bit CAM entry size limit.
    Example 2: In this example, a policy with a combination of IP classifiers is created and attached.
  • Page 133: Software Classifiers

    Chapter 4: Policy Resources
    Table 21: Classification Fields for Example 2 (continued)
      Classifiers          Size (Bits)
      Destination port
      Protocol
      User packet class
      Color
      IP fragmentation
    The configuration fails because the total value of the classifiers requested in the ipPol policy is 136, which is greater than the 128-bit CAM entry size limit.
    Software Classifiers
    An E-series router supports a variety of software classifiers, depending on the type of interface.
  • Page 134: Interface Attachment Resources

    The type of line module determines the number of policy attachments supported by interfaces. See ERX Module Guide, Appendix A, Module Protocol Support for more information about supported line modules. See E320 Module Guide, Appendix A, IOA Protocol Support for information about the modules that support BGP.
  • Page 135: Software Classifiers And Range Vector Hardware Classifiers And Interface Attachment Resources

    Chapter 4: Policy Resources Software Classifiers and Range Vector Hardware Classifiers and Interface Attachment Resources Range vector classifiers, which include all software classifiers and FPGA-based hardware classifiers, consume one interface attachment resource for every 32 classifier entries in a policy. The following examples illustrate how JUNOSe software allocates interface attachment resources.
  • Page 136 JUNOSe 7.2.x Policy Management Configuration Guide Interface Attachment Resources...
  • Page 137: Chapter 5 Monitoring Policy Management

    Policy services are supported on all E-series routers. For information about the modules supported on E-series routers:
      See the ERX Module Guide for modules supported on ERX-7xx models, ERX-14xx models, and the ERX-310 router.
      See the E320 Module Guide for modules supported on the E320 router.
    Overview...
  • Page 138: Setting A Statistics Baseline

    JUNOSe 7.2.x Policy Management Configuration Guide Setting a Statistics Baseline You can set a baseline for policy statistics by using the baseline interface command and the atm policy, frame-relay policy, ip policy, ipv6 policy, l2tp policy, mpls policy, and vlan policy commands. If you do not enable baselining, show command output fields for baseline counters display the contents of the regular statistics counters.
  • Page 139: Policy Management Show Commands

    Chapter 5: Monitoring Policy Management
      Broadcast address is 255.255.255.255
      Operational MTU = 9180 Administrative MTU = 0
      Operational speed = 155520000 Administrative speed = 0
      Discontinuity Time = 1251181
      Router advertisement = disabled
      Administrative debounce-time = disabled
      Operational debounce-time = disabled
      Access routing = disabled
      Multipath mode = hashed
      In Received Packets 5, Bytes 540...
  • Page 140 JUNOSe 7.2.x Policy Management Configuration Guide
    show classifier-list
    Use to display CLACL configurations. Use the brief or detail keywords with the show classifier command to display different levels of information.
    Field descriptions—Fields displayed vary depending on the type and configuration of the CLACL:
      Reference count—Number of times the CLACL is referenced by policies
      Entry count—Number of entries in the classifier list
      Classifier-List—Name of the classifier list...
  • Page 141 Chapter 5: Monitoring Policy Management
      Source Route Class—Route class used to classify packets based on the packet's source address
      Local—If true, matches packets destined to a local interface; if false, matches packets that are traversing the router
    Example 1—Displays a list of CLACLs
    host1#show classifier-list
    Classifier Control List Table
    ---------- ------- ---- -----...
  • Page 142 JUNOSe 7.2.x Policy Management Configuration Guide
    Classifier-List bestEffort Entry 1
       Color:
       User Packet Class:
       User Priority bits:
    IPv6 Classifier Control List IPv6Classifier
       Reference count:
       Entry count:
    Classifier-List IPv6Classifier Entry 1
       User Packet Class:
       Traffic Class Field:
    L2TP Classifier Control List l2tpclass
       Reference count:
       Entry count:
    Classifier-List l2tpclass Entry 1...
  • Page 143 Chapter 5: Monitoring Policy Management
    show frame-relay subinterface
    Use to display information about a subinterface's Frame Relay policy lists.
    Field descriptions related to policy lists
      Frame Relay policy—Type and name of the VLAN policy
      mark-de—DE bit value
      color—Color applied to packet flow for queuing: green, yellow, or red
      classifier-group—Name of the classifier control list used by the policy
      filter—Filter policy action
      forward—Forward policy action...
  • Page 144 JUNOSe 7.2.x Policy Management Configuration Guide
    To display information about tunnels on a specific virtual router, include the name of the virtual router.
    Field descriptions related to policies
      GRE tunnel policy input—Policy for outbound traffic
      GRE tunnel policy output—Policy for inbound traffic
      traffic-class—Name of traffic class
      classifier-group—Name of classifier group
      entry—Identifier for the entry in the classifier group...
  • Page 145 Chapter 5: Monitoring Policy Management
    Field descriptions related to policies
      Subinterface number—Location of the subinterface that carries the VLAN traffic
      Administrative status—Operational state that you configured for this interface: up or down
      VLAN ID—Domain number of the VLAN
      In Bytes—Number of bytes received on the VLAN subinterface
      In Packets—Sum of all unicast, broadcast, and multicast packets received on the VLAN or S-VLAN subinterface
      In Errors—Value is always 0 (zero)
  • Page 146 JUNOSe 7.2.x Policy Management Configuration Guide
      Administrative speed—Configured speed known to the IP layer in bits per second
      Discontinuity Time—Time since the counters on the interface became invalid; for example, when the line module was reset
      Router Advertisement—When enabled by the ip irdp command, the router advertises its presence via the ICMP Router Discovery Protocol (IRDP)
      Administrative debounce-time—Administrative time delay that an interface must remain in a new state before the routing protocols react to the state...
  • Page 147 Chapter 5: Monitoring Policy Management
      color—Explicit color applied to packet flow for queuing; green, yellow, or red:
        Packets logged—Number of packets colored
        Bytes logged—Number of bytes colored
      next hop—Address of the next-hop destination:
        Packets transmitted—Number of packets sent to the next-hop address...
  • Page 148 JUNOSe 7.2.x Policy Management Configuration Guide
          Classifier-group clacl28241X05 entry 1
             1 packets, 205 bytes
             filter
    Example 2
    host1#show ip interface serial 2/1:2/1.101
    serial2/1:2/1.101 is up, line protocol is up
      Network Protocols: IP
      Internet address is 192.1.2.101/255.255.255.0
      Broadcast address is 255.255.255.255
      Operational MTU = 1600 Administrative MTU = 0
      Router advertisement = disabled
      Administrative debounce-time = disabled...
  • Page 149 Chapter 5: Monitoring Policy Management
    Now display baselined statistics:
    host1#show ip interface atm 9/1.1 delta
    Partial results might be:
      Policy output 2egress
         classifier-group claclWst10 entry 1
            10 packets, 1280 bytes
            forward
    show ipv6 interface
    Use to display detailed or summary information, including policy and classifier information, for a particular IPv6 interface or for all interfaces.
  • Page 150 JUNOSe 7.2.x Policy Management Configuration Guide
      ND RA managed flag—State of the neighbor discovery router advertisement managed flag, enabled or disabled
      ND RA other config flag—State of the neighbor discovery router advertisement other config flag, enabled or disabled
      ND RA advertising prefixes—Whether advertisement prefixes for neighbor discovery router advertisement are configured
      In Received Packets, Bytes—Total number of packets and bytes received on this interface...
  • Page 151 Chapter 5: Monitoring Policy Management
        Conformed—Number of packets and bytes that exceed the committed access rate but conform to the peak access rate
        Exceeded—Number of packets and bytes that exceed the peak access rate
      queue, traffic class, bound to ipv6—Queue and traffic class bound to the specified IPv6 interface
        Queue length—Number of bytes in the queue...
  • Page 152 Conformed: 0 packets, 0 bytes Exceeded: 0 packets, 0 bytes IPv6 policy output ipv6PolOut2 rate-limit-profile RlpOutA classifier-group clgB entry 1 Committed: 0 packets, 0 bytes Conformed: 0 packets, 0 bytes Exceeded: 0 packets, 0 bytes rate-limit-profile RlpOutB Committed: 0 packets, 0 bytes Conformed: 0 packets, 0 bytes...
  • Page 153 queue, traffic class, bound to—Queue and traffic class bound to the specified interface: Queue length—Number of bytes in queue; Forwarded packets, bytes—Total number of packets and bytes forwarded by this interface; Dropped committed packets, bytes—Total number of committed...
  • Page 154 committed: 0 packets, 0 bytes, action: transmit conformed: 0 packets, 0 bytes, action: transmit exceeded: 0 packets, 0 bytes, action: drop show policy-list Use to display information about policy lists. Field descriptions—Fields displayed vary depending on the type of policy and the rules assigned to the policy: Policy—Name of the policy list.
  • Page 155 mark user priority—Value assigned to 802.1p VLAN user priority bit; mark DE—DE bit action; Rule status—Indicates whether the rule is suspended. Example host1#show policy-list Policy Table ------ ----- IP Policy routeForABCCorp Administrative state: enable Reference count: atm-cell-mode: enabled Classifier control list: ipCLACL10, precedence 75...
  • Page 156 MPLS Policy routeForMpls Administrative state: enable Reference count: Classifier control list: *, precedence 200 mark-exp 2 mask 7 rate-limit-profile mplsRLP5 VLAN Policy routeForVlan Administrative state: enable Reference count: Classifier control list: lowLatencyLowDrop, precedence 100 traffic-class lowLatencyLowDrop color green mark-user-priority 7...
  • Page 157 Classifier control list: *, precedence 1000 filter Referenced by interfaces: ATM4/0.5 input policy, statistics enabled, virtual-router default Referenced by profiles: None Referenced by merge policies: None Example 3—Displays component policies host1#show policy-list mpl_10 Policy Table ------ ----- IP Policy mpl_10 Administrative state: enable...
  • Page 158 mark profile D forward Parent group: X, parent-group Z rate-limit-profile X Parent group: Z rate-limit-profile Z Referenced by interface(s): SERIAL4/0 input policy, statistics disabled, virtual-router default SERIAL4/1 input policy, statistics disabled, virtual-router default Referenced by profile(s): No profile references show rate-limit-profile Use to display information about rate-limit profiles.
  • Page 159 Example host1#show rate-limit-profile Rate Limit Profile Table ---- ----- ------- ----- IP Rate-Limit-Profile: rlp Profile Type: one-rate Reference count: Committed rate: Committed burst: 8192 Excess burst: Mask: Committed rate action: transmit Conformed rate action: transmit Exceeded rate action: drop IP Rate-Limit-Profile: rlp...
  • Page 160: Packet Flow Monitoring

    Packet Flow Monitoring The policy log rule provides a way to monitor a packet flow by capturing a sample of the packets that satisfy the classification of the rule in the system log. See the JUNOSe System Event Logging Reference Guide for information about logging.
  • Page 161 host1:vr2(config)#virtual-router vr1 host1:vr1(config)#interface gigabitEthernet 0/0 host1:vr1(config-if)#ip address 10.10.10.1 255.255.255.0 host1:vr1(config-if)#ip policy input pingAttack statistics enabled host1:vr1(config-if)#exit host1:vr1(config)#exit 2. The ISP configures standard logging on the E-series router. host1(config)#log destination console severity info host1(config)#log severity info policyMgrPacketLog host1(config)#log here INFO 12/16/2003 12:59:47 policyMgrPacketLog (): icmpEchoReq icmp GigabitEthernet0/0 10.10.10.2 10.10.10.1 forwarded...
  • Page 162 Out Policed Packets 0, Bytes 0 Out Discarded Packets 2269 IP policy input pingAttack classifier-group icmpEchoReq entry 1 488421 packets, 69355782 bytes queue 0: traffic class best-effort, bound to ip GigabitEthernet0/0 Queue length 0 bytes Forwarded packets 485988, bytes 70954248 Dropped committed packets 0, bytes 0 Dropped conformed packets 0, bytes 0...
  • Page 163: Packet Mirroring

    Chapter 6 Packet Mirroring Packet mirroring enables you to send a copy of a packet to an external host for analysis. Packet mirroring has many uses, including traffic debugging and troubleshooting user networking problems. This chapter contains the following sections: Overview on page 147 Platform Considerations...
  • Page 164: Comparing CLI-Based Mirroring and RADIUS-Based Mirroring

    Packet mirroring is supported on ASIC-based modules. See ERX Module Guide, Appendix A, Module Protocol Support for information about modules supported on ERX routers. See E320 Module Guide, Appendix A, IOA Protocol Support for information about modules supported on the E320 router.
  • Page 165: Security

    Chapter 6: Packet Mirroring User-initiated mirroring—If the user is not currently logged in, the mirroring session starts when the user logs on and is authenticated by RADIUS. RADIUS-initiated mirroring—If the user is already logged in, the JUNOSe RADIUS dynamic-request server uses RADIUS-initiated change-of-authorization (CoA) messages to immediately start the mirroring session when the packet mirroring is enabled.
  • Page 166: Packet Mirroring Terms

    CLI-based interface-specific mirroring—Can be useful in small networks with few E-series routers and in static environments where a user typically logs on to the same router through the same interface. CLI-based user-specific mirroring—Is useful in B-RAS environments, in which users log in and log out frequently.
  • Page 167: Platform Considerations

    For detailed information about the modules that support packet mirroring on the E320 router: See E320 Module Guide, Chapter 1, Modules and IOAs for detailed module specifications. See E320 Module Guide, Appendix A, IOA Protocol Support for information about the protocols and applications that support packet mirroring.
  • Page 168: Enabling and Securing CLI-Based Packet Mirroring

    Figure 8: CLI-Based Interface Mirroring (diagram: ingress mirrored interface and egress mirrored interface on the E-series router, port-mirroring interface, analyzer interface, and analyzer device). Enabling and Securing CLI-Based Packet Mirroring The JUNOSe software enables you to create a secure environment for your packet mirroring operation by restricting access to the packet mirroring CLI commands and information.
  • Page 169: Reloading a CLI-Based Packet Mirroring Configuration

    To create a secure packet mirroring environment, you use a combination of the JUNOSe software’s authorization methods and the mirror-enable command. You configure the authorization method to control who can use the mirror-enable command. Authorized users can then issue the mirror-enable command, making the packet mirroring commands visible.
  • Page 170: Using TACACS+ and VTY Access Lists to Secure Packet Mirroring

    For a .scr file operation, the mirror-enable command must be enabled—both prior to saving the .scr file from the show configuration display, and also before you run the script to reload the packet mirroring configuration. If the mirror-enable command is not enabled, the .scr file operation for the packet mirroring configuration fails.
  • Page 171: Sequence of Events

    Sequence of Events Figure 9 shows the sequence of events that take place during CLI-based mirroring. The tables after the figure describe the events indicated by the numbers and letters in the figure. Table 25 on page 155 describes the configuration process;...
  • Page 172: CLI-Based Mirroring Procedure

    Table 27 indicates the sequence of steps for a packet mirroring operation that is configured for an interface or for a user who is already logged in. Table 27: CLI-Based Mirroring of Currently Running Session Step Description For user-specific mirroring, the user logs on to the E-series router;...
  • Page 173: Configuring CLI-Based Interface-Specific Mirroring

    Configuring CLI-Based Interface-Specific Mirroring This example shows the configuration of a CLI-based packet mirroring session for a particular static IP interface. The configuration results in all traffic through the interface being replicated and the replicated traffic then sent through an IPSec tunnel to the analyzer device.
  • Page 174: Configuring CLI-Based User-Specific Mirroring

    5. Verify the secure policy configuration. host1#show secure policy-list name secureIpPolicy1 Policy Table ------ ----- Secure IP Policy secureIpPolicy1 Administrative state: enable Reference count: Classifier control list: * mirror analyzer-ip-address 192.168.125.29 analyzer-virtual-router vr1 Referenced by interface(s): ATM5/0.1 secure-input policy, virtual-router vr1 ATM5/0.2...
  • Page 175: Commands and Guidelines

    3. Configure the secure L2TP policy that forwards the mirrored traffic to the analyzer device at 192.168.99.2, port 6500. host1(config)#secure l2tp policy-list l2tp_toMirrorHQ host1(config-policy-list)#classifier-group * host1(config-policy-list-classifier-group)#mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default analyzer-udp-port 6500 mirror-identifier 1 session-identifier 1 4.
  • Page 176 Secure policies do not support classification. Therefore, the only classifier group you can use is classifier-group *. If you modify the rules in the classifier group while the secure policy is attached to one or more interfaces, the modified policy takes effect when you exit Policy Configuration mode.
  • Page 177 An interface cannot be both an analyzer port and a mirrored interface at the same time. If you do not specify an analyzer port when using the ip mirror command, the mirrored traffic is forwarded to the virtual router’s default analyzer port. The command fails if a default analyzer port is not configured.
  • Page 178 Example host1(config)#mirror acct-session-id atm 2/1.2:0.42:0001048579 ip secure-policy-list securePolicyIp4 Use the no version to disable packet mirroring and remove the trigger configuration that is based on the subscriber’s Acct-Session-ID. mirror analyzer-ip-address Use to configure the mirror action for a classifier group in a secure IP or L2TP policy list.
  • Page 179 This command is supported only on an LNS. Use the ip keyword to specify an IP subscriber. NOTE: The CLI enables you to specify the L2TP keyword for this command; however, the Calling Station ID attribute is not available to packet mirroring triggers on the LAC.
  • Page 180 This command applies to the virtual router context. Use the ip keyword to specify an IP subscriber. NOTE: The CLI enables you to specify the L2TP keyword for this command; however, the subscriber’s IP address is not known on the LAC and therefore cannot be used as a packet mirroring trigger on the LAC.
  • Page 181: Configuring RADIUS-Based Mirroring

    Configuring RADIUS-Based Mirroring RADIUS-based packet mirroring enables you to mirror traffic related to a specific user, without regard to how often the user logs on or off, or which E-series router or interface the user uses. RADIUS-based mirroring is particularly appropriate for large networks, because you can use a single RADIUS server to provision mirroring on multiple E-series routers in a service provider’s network.
  • Page 182: Dynamically Created Secure Policies

    You add the trigger to the RADIUS record of the user whose traffic will be mirrored. In addition, you must include the RADIUS VSAs listed in Table 29 in the mirrored user’s RADIUS record. For IP mirroring, you must include both VSA 59 and 61 or neither.
  • Page 183: Sequence of Events

    If you are mirroring an IP session, the packet mirroring operation is enabled or disabled on the MLPPP bundle as a whole. We recommend that you use the Account-Session-ID RADIUS attribute rather than the User-Name attribute as the trigger.
  • Page 184: RADIUS-Based Mirroring Procedure

    Table 31: RADIUS-Based Mirroring During Session Start Step Description The user logs on to an E-series router, requesting authentication by the RADIUS server. A trigger in the logon request starts the packet mirroring session. The RADIUS server authenticates the user and sends packet mirroring VSAs and any other configured VSAs to the router.
  • Page 185: Configuring The Analyzer Device

    You can also use the mirror disable CLI commands to disable RADIUS-based mirroring. You must use the version of the mirror disable command that corresponds to the RADIUS attribute that was used to identify the user. For example, if you used the RADIUS Calling-Station-ID attribute to create the mirroring session, you must use the mirror disable calling-station-id command to disable the session.
  • Page 186: Configuring RADIUS-Initiated Mirroring When a User Is Already Logged In

    Configuring RADIUS-Initiated Mirroring When a User is Already Logged In Example When a mirroring operation is initiated for a user who is already logged in, the RADIUS server uses change-of-authorization messages and passes the required RADIUS attributes and the identifier of the currently running session to the E-series router.
  • Page 187: Commands and Guidelines

    Commands and Guidelines This section lists the commands you use to configure RADIUS-based IP interface mirroring. authorization change Use to enable receipt of change-of-authorization messages from the RADIUS server, which are used during RADIUS-initiated packet mirroring of a user who is already logged in.
  • Page 188 Use to specify a text string used by RADIUS to encrypt the client and server authenticator field during exchanges between the E-series router’s RADIUS dynamic-request server and a RADIUS server. The key (also called the secret) is used during RADIUS-initiated mirroring operations when the user is already logged in.
  • Page 189 mirror nas-port-id Use to configure a packet mirroring session that is based on the NAS Port ID attribute (RADIUS attribute 87) associated with an IP subscriber, and to specify the secure policy that is attached to the subscriber’s interface. This command is visible only to authorized users—the mirror-enable command must be enabled prior to using this command.
  • Page 190: Conflicts Between CLI-Based and RADIUS-Based Configurations

    Conflicts Between CLI-Based and RADIUS-Based Configurations The JUNOSe software gives you a great deal of flexibility in creating your packet mirroring environment by supporting both the CLI-based and the RADIUS-based configuration methods. However, a conflict might occur when you use both methods.
  • Page 191 Figure 11: Prepended Header (IP header followed by UDP header), with the following fields: Version (4), IHL (5), Type of service (0), Total length, Identification, Flags, Fragment offset, Time to live (255), Protocol (17), Header checksum, Source address (Analyzer port address), Destination address (MD-IP-address, VSA 26-60), Source port (Analyzer-port-number, VSA 26-61), Destination port (Analyzer-port-number, VSA 26-61), Length...
  • Page 192: Format Of The Mirror Header Attributes

    Table 33: Prepended Header Field Descriptions (continued), with columns Field, Value, and Length (Bits): Mirror Header; MHV (mirror header value); Mirror Identifier (see Format of the Mirror Header Attributes on page 176 for details); Session-ID (see Format of the Mirror Header Attributes on page 176 for details). Format of the Mirror Header Attributes...
  • Page 193: Resolving And Tracking The Analyzer Device's Address

    For example, a value of 40000010 for VSA 26-59 configures the following fields in the mirror header, as shown in Figure 13: MHV = 1; Mirror Identifier = 0x10. Figure 13: 4-Byte Format of VSA 26-59 (MHV, 2 bits; Mirror identifier; example value 4 0 0 0 0 0 1 0...)
  • Page 194: Optimizing Packet Mirroring Performance

    The following list indicates the order of precedence for the subscriber identification triggers, with the acct-session-id having the highest precedence. 1. acct-session-id 2. calling-station-id 3. ip-address (virtual router specific) 4. nas-port-id 5. username (virtual router specific) For example, if you create the following three rules for a subscriber, the packet mirroring session uses the rule with the acct-session-id to identify the subscriber.
  • Page 195 GE-HDE line module (ERX-310 router and ERX-1440 router) OC48 Frame APS I/O module (ERX-1440 router only) ES2 4G LM (E320 router) (B + X) must be less than the maximum supported egress bandwidth. The number of mirrored interfaces per line module must be less than 1023 (the configuration enforced for secure policy attachments).
  • Page 196: Logging Packet Mirroring Information

    Logging Packet Mirroring Information The JUNOSe software’s packet mirroring feature provides two secure methods of capturing and displaying packet mirroring-related information. Both methods ensure security by requiring the mirror-enable command to be enabled. Secure logging—Captures packet mirroring information to a local secure log on the router.
  • Page 197: Using SNMP Secure Packet Mirroring Traps

    User—User login name Error Status—Description of the error condition Example host1#show mirror log Time Mirror-ID Session-ID User Error Status ----------- ---------------- ---------- -------------- -------------- TUE FEB 03 2005 18:35:43 UTC 8976 1923 suresh@aol.com no secure policies available TUE FEB 03 8976 1924...
  • Page 198 show mirror trap—Displays the status (enabled or disabled) of the secure packet mirroring traps feature. show snmp trap—Displays configuration information about SNMP traps and trap destinations, including secure packet mirroring traps. NOTE: See JUNOSe System Basics Configuration Guide, Chapter 4, Configuring SNMP, for information about the JUNOSe software’s SNMP support.
  • Page 199: Configuring SNMP Secure Packet Mirroring Traps

    Configuring SNMP Secure Packet Mirroring Traps To configure SNMP secure traps support, you perform the following tasks on your E-series router: 1. Enable packet mirroring support. 2. Configure the packet mirroring application to generate traps. 3. (Optional) Verify the packet mirroring trap configuration. 4.
  • Page 200 mirror trap-enable Use to configure the packet mirroring application to generate secure traps. This command is visible only to authorized users—the mirror-enable command must be enabled prior to using this command. This command generates secure packet mirroring traps on a global basis. Example host1(config)#mirror trap-enable Use the no version to disable generation of SNMP traps for packet mirroring.
  • Page 201 snmp-server secure-log Use to enable secure logs, which are used for SNMP secure packet mirroring traps. This command is visible only to authorized users—the mirror-enable command must be enabled prior to using this command. When you use the snmp-server secure-log command, the following message is displayed.
  • Page 202: Monitoring Packet Mirroring

    Ver—SNMP version (v1 or v2) of the SNMP trap packet Port—UDP port on which the trap recipient accepts traps Trap Categories—Types of traps that the trap recipient can receive TrapSeverityFilter—Severity level filter for this SNMP host Ping TimeOut—Configured ping timeout in minutes Maximum QueueSize—Maximum number of traps to be kept in the trap queue...
  • Page 203 Example host1#baseline radius dynamic-request There is no no version. clear mirror log Use to clear log entries related to packet mirroring. This command is visible only to authorized users—the mirror-enable command must be enabled prior to using this command. Example host1#clear mirror log There is no no version.
  • Page 204 show ip mirror interface Use to display CLI-based packet mirroring configuration information for a specific interface or for all interfaces on which mirroring is enabled. NOTE: This command is deprecated and might be removed completely in a future release.
  • Page 205 show mirror rules Use to display CLI-based packet mirroring information about all packet mirroring triggers (active and inactive) that are configured on the router. This command and the output are visible only to authorized users—the mirror-enable command must be enabled prior to using this command. Field descriptions Subscriber ID—Identification of the subscriber Subscriber ID Method—Method used to identify the subscriber...
  • Page 206 show radius servers Use to display RADIUS dynamic-request server configuration information and statistics. Field descriptions IP Address—IP address of the RADIUS server Udp Port—Port on which the router listens for RADIUS server Disconnect—Status of RADIUS-initiated disconnect feature, enabled or disabled Change of Authorization—Status of change of authorization feature, enabled or disabled...
  • Page 207 Example 2 host1#show radius dynamic-request statistics RADIUS Request Statistics ------------------------- Statistic 10.10.3.4 ----------------------------- ------- UDP Port 1700 Disconnect Requests Disconnect Accepts Disconnect Rejects Disconnect No Session ID Disconnect Bad Authenticators Disconnect Packets Dropped CoA Requests CoA Accepts CoA Rejects CoA No Session ID CoA Bad Authenticators...
  • Page 208 Example host1#show secure policy-list Policy Table ------ ----- Secure IP Policy secureIpPolicy Administrative state: enable Reference count: Classifier control list: * mirror analyzer-ip-address 192.168.1.1 analyzer-virtual-router default analyzer-udp-port 3000 mirror-id 6789 session-id 6543 Referenced by interface(s): ATM5/0.1 secure-input policy, statistics disabled, virtual-router default...
  • Page 209: Index

    ..........30 comments on ............xv atm-cell-mode command ........66, 95 obtaining ..............xv audience for documentation .......... x authorization change command ........171 E320 routers ............... x, xii Ethernet interfaces ..........151 bandwidth management ERX-14xx models ..........102 ............x baseline commands ERX-310 router ..............x baseline radius dynamic-request ......186...
  • Page 210 ..........184 policy attachment rules mirrored interfaces ..........50 policy commands interface types ............160 atm policy ..............64 models frame-relay policy E320 ...........64 ................x gre-tunnel policy ............64 ERX-14xx ..............x ip policy ERX-310 ..............64 ..............x l2tp policy ..............64...
  • Page 211 Index mpls policy rate-limit profile calculations ...............64 .......100 vlan policy rate-limit profile defaults ..............64 ......100, 101 policy list rate-limiting traffic flows ........105 applying to an interface resources .........63 ..............3 constructing a security ............20 ...............2 creating or modifying statistics ..........20 ..............64 Fast Ethernet port on SRP module two-rate rate-limit profile ......64...
  • Page 212 radius commands show snmp commands ............173 radius dynamic-request server show snmp trap ......173 ..........182, 185 rate limiting single-rate rate limit profile ..........88 for interfaces snmp commands ............76 rate-limit hierarchies mirror trap-enable .............

This manual is also suitable for:

ERX-710, ERX-310, ERX-1440, ERX-1410, ERX-705
