Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04 Configuration Manual

JunosE™ Software
for E Series™ Broadband
Services Routers
Policy Management Configuration Guide
Release
11.3.x
Published: 2010-10-04
Copyright © 2010, Juniper Networks, Inc.


Summary of Contents for Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04

  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 9: Table Of Contents

    Creating or Modifying Classifier Control Lists for MPLS Policy Lists (page 13); Creating or Modifying Classifier Control Lists for VLAN Policy Lists (page 13)
  • Page 10 Policy Parameter Reference-Rate (page 69); Specifying Rates Within Rate-Limit Profiles (page 70)
  • Page 11 External Parent Groups (page 124); Example: Configuring Hierarchical Policy Parameters (page 124)
  • Page 12 Monitoring Interfaces and Policy Lists (page 183)
  • Page 13 Configuring Router to Start Mirroring When User Logs On (page 237); Configuring Router to Mirror Users Already Logged In (page 238)
  • Page 15 Figure 24: 4-Byte Format of VSA 26-59 (page 246)
  • Page 17 Table 23: Classification Fields for Example 1 (page 161)
  • Page 18 Table 58: Packet-Mirroring SNMP Traps (page 250); Table 59: Packet-Mirroring Traps for CALEA Compliance (page 252)
  • Page 19 Table 71: show snmp secure-log Output Fields (page 272)
  • Page 21: About The Documentation

    Audience This guide is intended for experienced system and network specialists working with Juniper Networks E Series Broadband Services Routers in an Internet access environment. E Series and JunosE Text and Syntax Conventions Table 1 on page xxii defines notice icons used in this documentation.
  • Page 22: Table 1: Notice Icons

    Indicates that you must press two or more keys simultaneously. Example: Press Ctrl + b. Syntax Conventions in the Command Reference Guide: Plain text like this represents keywords (example: terminal length). Italic text like this represents variables (examples: mask, accessListName).
  • Page 23: Obtaining Documentation

    CD-ROMs or DVD-ROMs, see the Portable Libraries page at http://www.juniper.net/techpubs/resources/index.html Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site at http://www.juniper.net/...
  • Page 24: Self-Help Online Tools And Resources

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 25: Policy Management

    Creating Classifier Groups and Policy Rules on page 27; Creating Rate-Limit Profiles on page 57; Merging Policies on page 97; Creating Hierarchical Policies for Interface Groups on page 123; Policy Resources on page 151; Monitoring Policy Management on page 173
  • Page 27: Managing Policies On The E Series Router

    A rate-limit profile with a policy rate-limit profile rule provides this capability. You can construct policies to provide rate limiting for individual packet flows or for the aggregate of multiple packet flows. Juniper
  • Page 28 If you have a pre-configured policy through CLI as part of subscriber PVC/VLAN provisioning, SRC overwrites the policy when the SRC manages the interface. If you have a policy in the Access-Accept, SRC overwrites the policy when the SRC manages the interface.
  • Page 29: Description Of A Policy

    A policy can be made up of any combination of software and hardware classifiers. Policy Platform Considerations Policy services are supported on all E Series routers. For information about the modules supported on E Series routers:
  • Page 30: Policy References

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the Juniper Networks ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.
  • Page 31: Creating Classifier Control Lists For Policies

    Table 3 on page 7 lists the criteria that you can use to create CLACLs for different types of traffic flows. Table 3: CLACL Criteria Type of CLACL Criteria Color Traffic class User packet class Frame Relay Color Mark discard eligibility (DE) bit Traffic class User packet class
  • Page 32 Multicast Listener Discovery (MLD) Next header Source IPv6 address Source port Source route class Traffic class Transmission Control Protocol (TCP) User Datagram Protocol (UDP) User packet class L2TP Color Traffic class User packet class
  • Page 33: Creating Or Modifying Classifier Control Lists For Atm Policy Lists

    Creating or Modifying Classifier Control Lists for Frame-Relay Policy Lists You can create or modify a classifier control list that can be used only in Frame Relay policy lists. Issue the frame-relay classifier-list command.
  • Page 34: Creating Or Modifying Classifier Control Lists For Gre Tunnel Policy Lists

    Setting Up an IP Classifier Control List to Accept Traffic from All Sources You can set up a CLACL to accept IP traffic from all source addresses on the subnet. Issue the ip classifier-list command:
  • Page 35: Classifying Ip Traffic Based On Source And Destination Addresses

    To specify a single TCP or UDP port or range of ports, an ICMP code and optional type, or an IGMP type, which matches packets with source address 198.168.30.100 and ICMP type 2 and code 10: host1(config)#ip classifier-list YourListName icmp host 192.168.30.100 any 2 10
  • Page 36: Creating An Ip Classifier Control List That Matches The Tos Byte

    Creating or Modifying Classifier Control Lists for IPv6 Policy Lists You can create or modify a classifier control list that can be used only in IPv6 policy lists.
  • Page 37: Creating Or Modifying Classifier Control Lists For L2Tp Policy Lists

    Issue the vlan classifier-list command:
    host1(config)#vlan classifier-list lowLatencyLowDrop user-priority 7
    host1(config)#vlan classifier-list lowLatencyLowDrop user-priority 6
    host1(config)#vlan classifier-list lowLatency user-priority 5
    host1(config)#vlan classifier-list excellentEffort user-priority 4
    host1(config)#vlan classifier-list bestEffort user-priority 3
    host1(config)#vlan classifier-list bestEffort user-priority 2
  • Page 38 CLACL criterion, an error message is displayed when you press Enter to configure the VLAN CLACL with only the name. You must specify at least one criterion for the VLAN CLACL to be successfully configured. Related Documentation: vlan classifier-list
  • Page 39: Creating Policy Lists

    Arriving at the interface, but after route lookup (secondary input policy); secondary input policies are supported only on IP and IPv6 interfaces Leaving an interface (output policy) Figure 1 on page 16 shows how a sample IP policy list is constructed.
  • Page 40: Figure 1: Constructing An Ip Policy List

    NOTE: Commands that you issue in Policy Configuration mode do not take effect until you exit from that mode. Related Documentation: Policy Lists Overview on page 15; Monitoring Policy Management Overview on page 173
  • Page 41: Creating Policy Lists For Atm

    ATM 0/0.100 RFC-1483 100 0 100 PVC SNAP 9180 up Static Auto configure status : static Auto configure interface(s) : none Detected 1483 encapsulation : none Detected dynamic interface : none Interface types in lockout : none
  • Page 42 SNMP trap link-status: disabled InPackets: InBytes: OutPackets: OutBytes: InErrors: OutErrors: InPacketDiscards: InPacketsUnknownProtocol: 0 OutDiscards: ATM policy input polCbr classifier-group * 3096 packets, 377678 bytes traffic-class best-effort color green 1 interface(s) found Related Documentation: atm policy-list
  • Page 43: Creating Policy Lists For Frame Relay

    Time since last status change 03:05:09 No baseline has been set In bytes: 660 Out bytes: 660 In frames: 5 Out frames: 5 In errors: 0 Out errors: 0 In discards: 0 Out discards: 0 In unknown protos: 0
  • Page 44: Creating Policy Lists For Gre Tunnels

    Add two rules for traffic based on the CLACL named gre8: one rule to color packets as red, and a second rule that specifies the ToS DS field value to be assigned to the packets.
  • Page 45: Creating Policy Lists For Ip

    3/1 order 40 Add a rule that sets a ToS byte value of 125 for packets based on classifier list ipCLACL10. host1(config-policy-list-classifier-group)#mark tos 125 Add a rule that uses rate-limit profile ipRLP25.
  • Page 46: Creating Policy Lists For Ipv6

    Create the classification group for the CLACL named ipv6tc67 and assign the precedence to the classification group. host1(config-policy-list)#classifier-group ipv6tc67 precedence 75 host1(config-policy-list-classifier-group)# Add a rule to color packets as red, and a second rule that sets the traffic class field of the packets to 7.
  • Page 47 Exit Policy List Configuration mode to save the configuration. host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#exit host1(config)# Display the policy list. host1#show policy-list epIPv6 Policy Table ------ ----- IPv6 Policy epIPv6 Administrative state: enable Reference count: Classifier control list: *, precedence 100
  • Page 48: Creating Policy Lists For L2Tp

    Classifier control list: *, precedence 100 color red rate-limit-profile l2tpRLP20 Related Documentation: l2tp policy-list. Creating Policy Lists for MPLS: The following example creates an MPLS policy list. Create the policy list routeForMpls. host1(config)#mpls policy-list routeForMpls host1(config-policy-list)#
  • Page 49: Creating Policy Lists For Vlans

    Add a rule that sets the drop precedence for all packets that fall into the lowLatencyLowDrop classification to green. host1(config-policy-list-classifier-group)#color green Add a rule that sets the user-priority bits for all packets that fall into the lowLatencyLowDrop classification to 7.
  • Page 50 7 Classifier control list: lowLatency, precedence 100 traffic-class lowLatency Classifier control list: excellentEffort, precedence 100 traffic-class excellentEffort Classifier control list: bestEffort, precedence 100 traffic-class bestEffort Related Documentation: vlan policy-list
  • Page 51: Creating Classifier Groups And Policy Rules

    A policy list might contain multiple classifier groups—you can specify the precedence in which classifier groups are evaluated. Classifier groups are evaluated starting with the
  • Page 52: Policy Rule Precedence

    (the color rule has a higher precedence). Table 4 on page 29 lists the policy rule commands that you can use for each type of policy list. The table lists the rules in their order of precedence.
  • Page 53: Creating Classifier Groups And Policy Rules

    – – – traffic-class filter – traffic-class – – – – mark – – – – – – – filter – – – –
  • Page 54 Related Documentation: Classifier Groups and Policy Rules Overview on page 27; Monitoring Policy Management Overview on page 173; color; color-mark-profile; filter; green-mark; mark; mark-clp; mark-de; mark-exp; mark-user-priority; next-hop; next-interface; rate-limit-profile; red-mark; reference-rate; traffic-class; user-packet-class; yellow-mark
  • Page 55: Using Policy Rules To Provide Routing Solutions

    Forward—Causes the packet flows that satisfy the classification associated with the rule to be routed by the virtual router. Filter—Causes the interface to drop all packets of the packet flow that satisfy the classification associated with the rule.
  • Page 56: Creating An Exception Rule Within A Policy Classifier Group

    The guidelines for creating exception rules within an IPv6 policy classifier group are the same as those for creating exception rules within an IPv4 policy classifier group. NOTE: The exception http-redirect command is not supported for the ES2 10G Uplink LM.
  • Page 57: Defining Policy Rules For Forwarding

    CLACL. The forward command can be used while the policy list is referenced by interfaces. The suspend version suspends the forward rule within the classifier group. For IP policy lists only:
  • Page 58: Assigning Values To The Atm Clp Bit

    ATM cells (ATM Adaptation Layer 0 [AAL0] encapsulation). In this case, if the CLP bit in any cell in the frame has a value of 1, the router treats the reassembled AAL5 frame as if it also had a CLP value of 1.
  • Page 59: Enabling Atm Cell Mode

    Packet Tagging Overview You can use the traffic-class rule in policies to tag a packet flow so that the QoS application can provide traffic-class queuing. Policies can perform both in-band and out-of-band packet tagging:
  • Page 60: Creating Multiple Forwarding Solutions With Ip Policy Lists

    If no solutions are reachable, the traffic is dropped. The following guidelines apply when you create a group of forwarding solutions in an IP policy list:
  • Page 61 12/0.1. If none of the solutions in the group is reachable, the traffic is dropped.
    host1(config-policy-list)#classifier-group westfordClacl precedence 200
    host1(config-policy-list-classifier-group)#forward interface atm 0/0.1 order 10
    host1(config-policy-list-classifier-group)#forward interface atm 12/0.1 order 50
    host1(config-policy-list-classifier-group)#forward interface atm 3/0.25 order 300
  • Page 62: Creating A Classifier Group For A Policy List

    You might inadvertently create empty classifier groups in a policy if you use both the newer CLI style and the older CLI style, which used the Policy List Configuration mode version of the classifier list commands.
  • Page 63: Applying Policy Lists To Interfaces And Profiles Overview

    MPLS, or VLAN policy list to an interface. Also, you can use them to specify an IP, IPv6, or L2TP policy list to a profile, which then assigns the policy to the interfaces to which the profile is attached
  • Page 64 This keyword saves the statistics for any classifier-list that is the same for both the new and old policy attachments. Without the preserve keyword, all statistics are deleted when you attach the new policy.
  • Page 65 To create an L2TP profile that applies the policy list routeForABCCorp to the egress of an interface: host1(config)#profile bostonProfile host1(config)#l2tp policy output routeForABCCorp Related Documentation: atm policy; frame-relay policy; gre-tunnel policy; ip policy; ipv6 policy; l2tp policy; mpls policy
  • Page 66: Using Radius To Create And Apply Policies Overview

    RADIUS server. For example: Ascend-Data-Filter="01000100 0A020100 00000000 18000000 00000000 00000000" Table 5 on page 43 lists the fields in the order in which they are specified in the hexadecimal Ascend-Data-Filter attribute.
  • Page 67: Table 5: Ascend-Data-Filter Fields

    Established: 1 byte, not implemented. Source port: 2 bytes. Destination port: 2 bytes. Source port qualifier: 1 byte (0 = no compare, 1 = less than, 2 = equal to, 3 = greater than, 4 = not equal to).
  • Page 68: Attribute

    Construction of IPv6 Classifiers from the Hexadecimal Ascend-Data-Filter Attribute If both the source and destination IP prefixes are 128, the IPv6 classifier is created using the IPv6 host argument as follows: IPv6 classifier-list testipv6 source-host 2001:db8:85a3::8a2e:370:7334 destination-host 2001:db8::1428:57ab
  • Page 69: Ascend-Data-Filter Attribute For Ipv4/Ipv6 Subscribers In A Dual Stack

    IPv6 interface. If the Type 1 action is used and the Indirection action field is set to 00 in the Ascend-Data-Filter attribute, one primary output policy is created and applied on the egress IPv4 interface.
  • Page 70 Type action field. Related Documentation: Examples: Using the Ascend-Data-Filter Attribute for IPv4 Subscribers on page 47; Examples: Using the Ascend-Data-Filter Attribute for IPv6 Subscribers on page 52
  • Page 71: Examples: Using The Ascend-Data-Filter Attribute For Ipv4 Subscribers

    None Source port 0000 None Destination port 0000 None Source port qualifier None Destination port qualifier None Reserved 0000 None Use the show classifier-list and show policy-list commands to view information about the policy:
  • Page 72 IP Policy plin_ip_1800021 Administrative state: enable Reference count: Classifier control list: clin_1800021_00, precedence 100 filter Referenced by interface(s): ATM4/0.0 input policy, statistics enabled, virtual-router default Referenced by profile(s): No profile references IP Policy plout_ip_1800021
  • Page 73 Ascend-Data-Filter = "01010000 14000000 0A020101 08200600 00000000 00000000"
    Ascend-Data-Filter = "01000000 00000000 0A020101 00200600 00000000 00000000"
    Ascend-Data-Filter = "01010000 00000000 0A020101 00200000 00000000 00000000"
    Ascend-Data-Filter = "01000000 00000000 00000000 00000000 00000000 00000000"
  • Page 74 10.2.1.2 to any destination. The policy marks the packets with a ToS byte of 5 and a mask of 170. The policy also applies a traffic class named someTcl and a rate-limit profile named someRlp.
  • Page 75: Table 7: Ascend-Data-Filter Attribute Values For A Radius Record

    None Source port qualifier None Destination port qualifier None Reserved 0000 None Marking value Marking mask Traffic class 0773 6f6d6554 636c someTcl Rate-limit profile 0773 6f6d6552 6c70 someRlp host1#show classifier-list Classifier Control List Table
  • Page 76: Examples: Using The Ascend-Data-Filter Attribute For Ipv6 Subscribers

    Table 8 on page 52 lists the values specified in the Ascend-Data-Filter1 attribute that are used to create an output policy. Table 8: Ascend-Data-Filter Attribute for an Output Policy on an IPv6 Interface Action or Classifier Hex Value Actual Value Type IPv6 Forward Filter Indirection Egress
  • Page 77: Table 9: Ascend-Data-Filter Attribute For An Input Policy On An Ipv6

    Table 9: Ascend-Data-Filter Attribute for an Input Policy on an IPv6 Interface Action or Classifier Hex Value Actual Value Type IPv6 Forward Filter Indirection Ingress Spare None Source IPv6 address 200182ab 102087ec 12340917 34150012 2001:82ab:1020:87ec:1234:0917:3415:0012 Destination IPv6 address 00000000 00000000 00000000 00000000 Source IPv6 prefix
  • Page 78 Classifier control list: clout_1800020_00, precedence 100 filter Referenced by interface(s): GigabitEthernet10/0.2 output policy, statistics enabled, virtual-router default Referenced by profile(s): None Referenced by merged policies: None IPv6 Policy plin_ipv6_1800020 Administrative state: enable Reference count:
  • Page 79 Referenced by profile(s): None Referenced by merged policies: None Related Documentation: Examples: Using the Ascend-Data-Filter Attribute for IPv4 Subscribers on page 47; Using RADIUS to Create and Apply Policies Overview on page 42
  • Page 81: Creating Rate-Limit Profiles

    Setting the Peak Rate for Rate-Limit Profiles on page 89; Setting a One-Rate Rate-Limit Profile on page 89; Setting a Two-Rate Rate-Limit-Profile on page 91; Bandwidth Management Overview on page 92; Rate-Limiting Traffic Flows on page 95
  • Page 82: Rate Limits For Interfaces Overview

    128,000 bps (16 K bytes per second), regardless of the traffic. If no traffic passes through the rate limiter, the bucket continues to fill until it reaches the committed burst setting.
  • Page 83: Hierarchical Rate Limits Overview

    Ownership of non-preferred packets is transferred while they move from one rate-limit to the next in the hierarchy, so shared rate limits can change the packet color or drop them.
  • Page 84: Hierarchical Classifier Groups

    Preferred packets are transmitted unconditionally. Rate limits that process packets transmitted unconditionally always decrement their token count, if necessary, making it negative. Red packets cannot be transmitted unconditionally, to avoid cases where an aggregate rate limit is oversubscribed with transmit-unconditional rates.
  • Page 85: Hierarchical Rate-Limit Actions

    Although the packet is not affected, the remaining rate limits change because the
  • Page 86 NOTE: To avoid saturation when using dual token buckets, the total amount of yellow transmit unconditional traffic should be less than the peak rate minus the committed rate; the green transmit unconditional traffic should be less than the committed rate.
  • Page 87: Example: Multiple Flows Sharing Preferred Bandwidth Rate-Limiting Hierarchical Policy

    10 Mbps. However, if the rate limit Common is color-blind, it treats all packets as Green so the green token bucket gets 6 Mbps of transmit unconditional traffic, which eventually causes all packets to be saturated and dropped.
  • Page 88: Example: Multiple Flows Sharing A Rate Limit Hierarchical Policy

    40000000
    host1(config-rate-limit-profile)#exit
    host1(config)#policy-list rlpshare
    host1(config-policy-list)#classifier-group A parent-group All
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group B parent-group All
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group C parent-group All
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#parent-group All
    host1(config-policy-list-parent-group)#rate-limit-profile All
    host1(config-policy-list-parent-group)#exit
  • Page 89: Example: Shared Pool Of Additional Bandwidth With Select Flows Rate-Limiting Hierarchical Policy

    Because this is transmit conditional, ownership of the packet also transfers so the common rate limit can drop these packets if it has no bandwidth left. host1(config)#rate-limit-profile indiv two-rate hierarchical host1(config-rate-limit-profile)#committed-action transmit final
  • Page 90: Example: Aggregate Marking With Oversubscription Rate-Limiting Hierarchical Policy

    B, and C are also transmitted conditionally to S but arrive as Y because rate limits do not promote packets in color. S is color-aware so these Y packets do not take away G tokens, leaving them reserved only for the G packets coming from A, B, and C.
  • Page 91: Figure 5: Aggregate Marking With Oversubscription

    BC
    host1(config-color-mark-profile)# green-mark 10
    host1(config-color-mark-profile)# yellow-mark 30
    host1(config-color-mark-profile)# red-mark 30
    host1(config-color-mark-profile)# exit
    host1(config)#policy-list ToS_value_10_oversubsribed
    host1(config-policy-list)#classifier-group A parent-group S
    host1(config-policy-list-classifier-group)#rate-limit-profile indiv
    host1(config-policy-list-classifier-group)#mark profile A
    host1(config-classifier-group)#exit
    host1(config-policy-list)#classifier-group B parent-group S
    host1(config-policy-list-classifier-group)#rate-limit-profile indiv
    host1(config-policy-list-classifier-group)#mark profile BC
    host1(config-classifier-group)#exit
  • Page 92: Color-Aware Configuration For Rate-Limiting Hierarchical Policy

    A packet that has traversed the hierarchy either has been dropped or emerges with a color (green, yellow or red). This final color can be used by a mark rule with a color-mark profile to select the ToS marking for the packet. Because this operation is interface-type
  • Page 93: Percent-Based Rates For Rate-Limit Profiles Overview

    You can use a policy parameter reference-rate to derive the rates in rate-limit profiles. You can configure rate-limit profiles as a percentage of this parameter. The system calculates the rate at the time of attachment using the value assigned to this parameter for that interface.
  • Page 94: Specifying Rates Within Rate-Limit Profiles

    0—1000 percent of the parameter value. The parameter value derives the appropriate rate within the rate-limit profile using a percentage. There are no validations to make the total rate less than or equal to the parameter value.
  • Page 95: Specifying Burst Sizes

    If a parameter is configured in Global Configuration mode, but you do not assign a default value, then the system assigns a default value to the parameter. The system default value for any parameter of type reference-rate is 64K (65536).
  • Page 96 You can specify a rate within a rate-limit profile as a percentage of the parameter and burst size in milliseconds. You can use this rate-limit profile in a policy. You can assign values to these parameters for an interface. The actual rate and burst size are calculated
  • Page 97: Policy Parameter Quick Configuration

    10 host1(config-rate-limit-profile)#committed-burst millisecond 100 host1(config-rate-limit-profile)#peak-rate refRlpRate percentage 100 host1(config-rate-limit-profile)#peak-burst millisecond 150 host1(config-rate-limit-profile)#exit Create rate-limit profile rlpVoice. host1(config)#ip rate-limit-profile rlpVoice host1(config-rate-limit-profile)#committed-rate 64000 host1(config-rate-limit-profile)#committed-burst 100000 host1(config-rate-limit-profile)#peak-rate refRlpRate percentage 100 host1(config-rate-limit-profile)#peak-burst millisecond 150 host1(config-rate-limit-profile)#exit Copyright © 2010, Juniper Networks, Inc.
  • Page 98 Classifier control list: video, precedence 100 rate-limit-profile rlpVideo Referenced by interfaces: ATM5/0.1 input policy, statistics disabled, virtual-router default ATM5/0.2 input policy, statistics enabled, virtual-router default Referenced by profiles: None Referenced by merge policies: None Display the rate-limit profiles. Copyright © 2010, Juniper Networks, Inc.
  • Page 99 Display policy parameters host1#show policy-parameter Policy Parameter refRlpRate Type: reference-rate Rate: 100000 Reference count: 6 Referenced by interfaces: 1 references IP interface ATM5/0.1: 1000000 Referenced by rate-limit profiles: 5 references rlpData rlpVoice rlpVideo Display interface atm5/0.1. Copyright © 2010, Juniper Networks, Inc.
  • Page 100 Access routing = disabled Multipath mode = hashed Auto Configure = disabled Auto Detect = disabled Inactivity Timer = disabled In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0
  • Page 101 Attach IP Policy P2 at interface atm5/0.2 with the merge keyword.
    host1(config)#interface atm 5/0.2
    host1(config-If)#ip policy-parameter reference-rate refRlpRate 100000
    This increases from 0.
    host1(config)#ip policy-parameter reference-rate refRlpRate increase 100000
    This increases from the existing 100000.
    host1(config)#ip policy input P2 merge
    Verify the configuration.
  • Page 102: One-Rate Rate-Limit Profiles Overview

    Exceeded action—Drop, transmit, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow exceeds the rate; the mark value is not supported for hierarchical rate limits and the transmit values conditional, unconditional, or final are only supported on hierarchical rate limits
  • Page 103: Creating A One-Rate Rate-Limit Profile

    Setting the excess burst to a nonzero value causes the router to drop packets in a more friendly way.
  • Page 104 Table 10 on page 81 presents equations that can also represent the algorithm for the TCP-friendly one-rate rate limit profile when using hierarchical rate limiting, where: B = size of packet in bytes CD = cumulative debt
  • Page 105: Two-Rate Rate-Limits Overview

    At the beginning of each sample period, the two buckets are filled with tokens based on the configured burst sizes and rates. Traffic is metered to measure its volume. When traffic is received, if tokens remain in both buckets, one token is removed from each
  • Page 106 Exceeded action—Drop, transmit, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow exceeds the peak rate; the mark value is not supported for hierarchical rate limits and the transmit values conditional, unconditional, or final are only supported on hierarchical rate limits
  • Page 107: Table 11: Policy Action Applied Based On Rate Settings And Traffic Rate

    If incoming packet color is green:
    – If Tc(t) >= B
      Packet is marked as green
      Tc(t) is decremented by B
      Tp(t) is decremented by B (allow Tp(t) < 0 if necessary)
  • Page 108: Creating A Two-Rate Rate-Limit Profile

    DS field in the ToS byte (the six most significant bits) to the decimal value of 7 using a mask value of 0xFC:
    host1(config)#ip rate-limit-profile hardlimit9Mb two-rate
    host1(config-rate-limit-profile)#exceeded-action mark 7
    host1(config-rate-limit-profile)#mask-val 252
  • Page 109: Setting The Committed Action For A Rate-Limit Profile

    When you specify a nonzero value for the rate, the burst size is automatically calculated for a 100-ms burst as described for the committed-rate command. If the calculated burst size is less than the default value of 8 KB, the default value (8192 bytes) is used.
  • Page 110: Setting The Committed Rate For A Rate-Limit Profile

    Setting the Conformed Action for a Rate-Limit Profile You can use the conformed-action command. Packets are colored yellow. For IP and IPv6 rate-limit profiles, mark the packet by setting the ToS byte (IP) or traffic class field
  • Page 111: Setting The Exceeded Action For A Rate-Limit Profile

    1–10000. The no version restores the default value, 0. Issue the excess-burst command from Rate Limit Profile Configuration mode:
    host1(config-rate-limit-profile)#excess-burst millisecond 1000
    Related Documentation: excess-burst
  • Page 112: Setting The Mask Value For MPLS Rate-Limit Profiles

    MTU of the interface. Doing so causes large packets to be dropped even when they are transmitted at a very low rate. Issue the peak-burst command in Rate Limit Profile Configuration mode to set the peak burst in bytes:
    host1(config-rate-limit-profile)#peak-burst 96256
  • Page 113: Setting The Peak Rate For Rate-Limit Profiles

    Rate Limit Profile Configuration mode, from which you can configure attributes for the rate-limit profile. See Table 11 on page 83. NOTE: The JunosE Software includes the layer 2 headers in the calculations it uses to enforce the rates that you specify in rate-limit profiles.
  • Page 114: Table 13: One-Rate Rate-Limit-Profile Defaults

    Issue the ip rate-limit-profile command in Global Configuration mode:
    host1(config)#ip rate-limit-profile tcpFriendly10Mb one-rate
    NOTE: Commands that you issue in Rate Limit Profile Configuration mode do not take effect until you exit from that mode.
    Related Documentation: rate-limit-profile
  • Page 115: Setting A Two-Rate Rate-Limit-Profile

    8192 peak-rate peak-burst 8192 committed-action transmit conformed-action transmit exceeded-action drop mask (IP and IPv6 rate-limit profiles) exp-mask (MPLS rate-limit profiles) During a software upgrade, certain values are set as follows:
  • Page 116: Bandwidth Management Overview

    Having a committed rate and a peak rate enables you to configure two different fill rates for the token buckets. For example, you can configure the fill rate on the peak token bucket to be faster than the fill rate on the committed bucket. This configuration enables
  • Page 117: Examples: One-Rate Rate-Limit Profile

    You can also configure a one-rate rate-limit profile to provide a TCP-friendly rate limiter. To configure a rate limiter with TCP-friendly characteristics, we recommend that you set the committed burst to allow for 1 second of data at the specified rate, and the excess
  • Page 118: Examples: Two-Rate Rate-Limit Profile

    To rate limit individual packet flows, use a separate classifier list to classify each flow. To rate limit the aggregate of multiple traffic flows, use a single classifier list for the multiple entries.
  • Page 119: Rate-Limiting Traffic Flows

    You can rate limit traffic flows destined for an SRP module by implementing a token bucket policer. The configured rate limits are stored in NVS and persist across reboots.
    Related Documentation: Rate Limits for Interfaces Overview on page 58; Monitoring Policy Management Overview on page 173; control-plane policer
  • Page 120 JunosE 11.3.x Policy Management Configuration Guide
  • Page 121: Merging Policies

    An interface and an attachment type identify an attachment point. The policies referenced by the component attachments merge into a new policy, which then attaches at the attachment point. The set of component policies are ordered alphabetically by name.
  • Page 122 A merge policy is automatically deleted when the last reference is removed. The following restrictions apply to policy merging: Classifier lists cannot be merged. Secure policies cannot be merged. Policies created using ascend-data-filters cannot be merged.
  • Page 123: Resolving Policy Merge Conflicts

    To resolve the merge conflict, the last command entered replaces any previous conflicting commands for a classifier group, as in the following example:
  • Page 124 With the IP policy forward rule, when more forward rules are added to an existing classifier group, the list of forward rules is created. This is also true during merging, as in the following example:
  • Page 125: Merged Policy Naming Conventions

    This means you cannot delete a component policy while a merged policy is still associated with it.
  • Page 126: Persistent Configuration Differences For Merged Policies Through Service

    If the merge keyword is not specified, then it replaces any existing attachments with the new attachment. Merging always preserves statistics. Preserve—Preserve statistics from earlier attachment when replacing an attachment. This keyword is mutually exclusive with merge keyword.
  • Page 127: Error Conditions For Merged Policies

    OR of all remaining attachments at the specified attachment point. Error Conditions for Merged Policies Most errors, such as mismatched interface types while merging attachments, are caught during configuration. If merging fails, the attachment at the given interface is not modified.
  • Page 128: Merging Policies Configuration

    Attach IP policy p2 as input at interface atm 5/0.1. A merged policy is created.
    host1(config)#Interface atm 5/0.1
    host1(config-subif)#ip policy input p2 statistics enable merge
    host1(config-subif)#exit
    Display the policy lists.
    host1#show policy-list
    Policy Table
    ------ -----
  • Page 129 10.1.1.1, order 100, rule 2 (active) next-hop 20.1.1.1, order 100, rule 3 (reachable) Classifier control list: *, precedence 1000 forward Referenced by interfaces: ATM5/0.1 input policy, statistics enabled, virtual-router default Referenced by profiles: None
  • Page 130 ! Configuration script being generated on TUE APR 26 2005 17:33:01 UTC
    ! Juniper Edge Routing Switch ERX1440
    ! Version: 9.9.9 development-4.0 (April 4, 2005 15:39)
    ! Copyright (c) 1999-2005 Juniper Networks, Inc. All rights reserved.
    ! Commands displayed are limited to those available at privilege level 15
    interface atm 5/0.1...
  • Page 131 Display policies to verify that mpl_5 is created. host1#show policy-list Policy Table ------ ----- IP Policy p1 Administrative state: enable Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C1, precedence 90 forward
  • Page 132 20.1.1.1, order 100, rule 3 (reachable) Classifier control list: *, precedence 1000 forward Referenced by interfaces: ATM5/0.1 input policy, statistics enabled, virtual-router default ATM5/0.2 output policy, statistics enabled, virtual-router default Referenced by profiles: None Component policies:
  • Page 133 Classifier control list: C3, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 20.1.1.1, order 100, rule 3 (active) Classifier control list: *, precedence 1000 forward Referenced by interfaces: None Referenced by profiles: None
  • Page 134 Classifier control list: C1, precedence 80 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) next-hop 20.1.1.1, order 100, rule 3 (reachable) color yellow Classifier control list: C4, precedence 900 color red
  • Page 135 Administrative state: enable Reference count: Classifier control list: C3, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 20.1.1.1, order 100, rule 3 (active) Classifier control list: *, precedence 1000 forward
  • Page 136 Administrative state: enable Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C1, precedence 80 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) next-hop 20.1.1.1, order 100, rule 3 (reachable)
  • Page 137 Classifier control list: C3, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 20.1.1.1, order 100, rule 3 (active) Classifier control list: *, precedence 1000 forward Referenced by interfaces: None
  • Page 138 Detach p1 from atm 5/0.2. Merge policy mpl_5 is detached and deleted and only p2 is now attached.
    host1(config)#interface atm 5/0.2
    host1(config-subif)#no ip policy output p1
    host1(config-subif)#exit
    Detach p2 from atm 5/0.2.
  • Page 139: Parent Group Merge Algorithm

    There is a one-to-one correspondence between an internal parent group in the merged policy and an internal parent group in a component policy.
  • Page 140 Classifier control list: C, precedence 100, external parent-group EPG1 parameter foo forward Classifier control list: D, precedence 100, external parent-group EPG1 parameter forward Parent group: X, parent-group Z rate-limit-profile R1 Parent group: Z rate-limit-profile R2 host1#show policy-list P2 Policy Table ------ -----
  • Page 141: Overlapping Classification For IP Input Policy

    IP auxiliary input policy can be used with IP input policy to provide overlapping classification. Two policies, each with a set of independent rules and actions, run in sequence so that each policy can independently produce a set of actions in sequence.
  • Page 142 Figure 7 on page 119 shows the input policy stage after the addition of the auxiliary substage. It is divided into three steps: Apply classification for both substages. Perform policy actions (if any) for the primary attachment. Perform policy actions (if any) for the auxiliary attachment.
  • Page 143: Starting Policy Processing

    Processing the Classifier Result The classifier result of the input policy attachment is processed and a set of actions is identified. When you configure filter, it is the first action taken and immediately discards
  • Page 144: Processing The Auxiliary-Input Policy Attachment

    Attaching two policies with rate limit profiles in the same policy stage is equivalent to having two policies attached in the same order, but in separate stages.
  • Page 145: Table 15: Input Action And Secondary Input Actions

    Table 15: Input Action and Secondary Input Actions Input Action Secondary Input Action None Exception Filter Next-hop Forward Forward Interface Next-hop None None Exception Filter None Forward Forward Auxiliary Interface Next-hop Auxiliary Auxiliary
  • Page 146 Auxiliary Auxiliary Forward Exception Filter Forward Forward Forward Interface Interface Primary Auxiliary Interface Interface Next-hop Primary Auxiliary Auxiliary Forward Exception Filter Forward Forward Forward next-hop Next-hop Auxiliary Next-hop Interface Next-hop Primary Primary Auxiliary Auxiliary
  • Page 147: Creating Hierarchical Policies For Interface Groups

    Example: PPP Interfaces Hierarchical Policy Configuration on page 147 Hierarchical Policies for Interface Groups Overview Hierarchical policies allow classifier groups and parent groups within a policy to point to line module global parent groups. The line module global parent groups (external parent
  • Page 148: External Parent Groups

    Therefore, the value configured for the parameters referenced in policies can be different for attachments at different interfaces. This enables you to have an attachment-specific configuration in a policy list that is deferred until the policy is attached.
  • Page 149: Table 16: Shorthand Notation Mapping

    Unique identifier of Ethernet major interface IP, IPv6, and MPLS policies VLAN Unique identifier of VLAN interface IP, IPv6, and MPLS policies SVLAN Identifier constructed from slot, adapter, port, SVLAN IP, IPv6, L2TP, and MPLS policies
  • Page 150: Hierarchical Aggregation Nodes

    Even when you configure the same parameter name to the same value for an external parent group, different rate-limit instances are instantiated if the interfaces are on different line modules.
  • Page 151: RADIUS And Profile Configuration For Hierarchical Policies

    Global Configuration mode for this parameter is used. You can later change the parameter value for the interface.
  • Page 152: Example: Hierarchical Policy Quick Configuration

    The configuration in Figure 8 on page 129 requires four parent group resources for each atm5/0.1, atm5/0.2, and atm5/0.3 attachment. The rate-limit instance R1 is referenced by C1 and packet flows from C1 to EPG1 to EPG2.
  • Page 153: Figure 8: Configuration Process

    IP1 and IP2 are internal parent groups. ER1, ER2, R1, and R2 are rate-limit profiles. POL is the name of the IP policy. C1 and C2 are classified flows. A, B, and C are policy parameters.
  • Page 154 (EPG1, parameter A) tuple, one for (EPG1, parameter B) tuple, and one for (EPG2, parameter C) tuple. Value number 1 is substituted for parameters A, B, and C when you use the policy-parameter command. Because of
  • Page 155 5, ingress, EPG1, 2), (slot 5, ingress, EPG1, 1), (slot 5, ingress, EPG2, 2). All three aggregation nodes were created in earlier steps and were named ER1-instance-2, ER1-instance-1, and ER2-instance-2, respectively. ER1-instance-2 is referenced by parent-group instances (EPG1, parameter A), ER1-instance-1 is referenced by parent
  • Page 156: Example: VLAN Rate Limit Hierarchical Policy For Interface Groups

    Create a rate limit to enforce the contracted maximum for the small business. Create an external parent group to hold this rate limit.
    host1(config)#rate-limit-profile VLAN_RATE two-rate hierarchical
    host1(config-rate-limit-profile)#committed-rate 1000000
    host1(config-rate-limit-profile)#committed-action transmit final
    host1(config-rate-limit-profile)#exit
    host1(config)#parent-group EPG1
    host1(config-parent-group)#rate-limit-profile VLAN_RATE
    host1(config-parent-group)#exit
    Verify the parent group configuration.
  • Page 157 VOICE_CLACL udp any any eq 10000
    host1(config)#ip policy-list USER_POL2
    host1(config-policy-list)#classifier-group VOICE_CLACL parent-group IPG1
    host1(config-policy-list-classifier-group)#rate-limit-profile VOICE_RATE
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group * parent-group IPG1
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#parent-group IPG1 external parent-group EPG1 parameter A
    host1(config-policy-list-parent-group)#rate-limit-profile USER_RATE
    host1(config-policy-list-parent-group)#exit
    host1(config-policy-list)#exit
    Verify the policy list configuration.
  • Page 158 USER_POL1 statistics enabled
    host1(config-interface)#exit
    Create the interface for user 2, attach USER_POL2, and map parameter A to the VLAN interface.
    host1(config)#interface ip 3/0.1.2
    host1(config-interface)#ip policy-parameter hierarchical A vlan
    host1(config-interface)#ip policy input USER_POL2 statistics enabled
    host1(config-interface)#exit
  • Page 159: Example: Wholesale L2TP Model Hierarchical Policy Configuration

    10 Mbps and interfaces I1 and I2 fall back to 1 Mbps. Figure 10: Interface Stack for Wholesale L2TP Mode To use this example, you must configure the following: At interfaces I1 and I2:
  • Page 160: Figure 11: Wholesale L2TP Configuration

    Figure 11: Wholesale L2TP Configuration
    Create a rate-limit that can be shared across all forwarding interfaces. Create an external parent group to hold this rate limit.
    host1(config)#rate-limit-profile VLAN_RATE two-rate hierarchical
    host1(config-rate-limit-profile)#committed-rate 12000000
    host1(config-rate-limit-profile)#committed-action transmit final
  • Page 161: Example: Aggregate Rate Limit For All Nonvoice Traffic Hierarchical Policy

    Example: Aggregate Rate Limit for All Nonvoice Traffic Hierarchical Policy Configuration In this example: There are four IP sessions and their corresponding interfaces are I1, I2, I3, and I4. Each interface corresponds to a dynamic user.
  • Page 162: Figure 12: Interface Stack For Aggregate Rate Limit

    All classified video flow policers over each VLAN interface feed into a single policer with the following configuration: VIDEO_AGG, Committed Rate: 1.5 Mbps Peak Rate: 0 Mbps Committed Action: transmit final Conformed Action: drop Exceeded Action: drop
  • Page 163: Figure 13: Aggregate Rate Limit For Nonvoice Traffic Configuration

    Create a rate limit that can be shared across all video streams. Create an external parent group to hold this rate limit.
    host1(config)#rate-limit-profile VIDEO_AGG two-rate hierarchical
    host1(config-rate-limit-profile)#committed-rate 1500000
    host1(config-rate-limit-profile)#committed-action transmit final
    host1(config-rate-limit-profile)#exit
    host1(config)#parent-group EPG1
    host1(config-parent-group)#rate-limit-profile VIDEO_AGG
    host1(config-parent-group)#exit
    Create a policy list to attach to all IP sessions.
  • Page 164: Example: Arbitrary Interface Groups Hierarchical Policy Configuration

    Voice traffic has a contracted minimum of 64 Kbps, but the combined voice and other traffic for each subscriber has a contracted maximum of 1 Mbps. Interfaces I1-I4 are interfaces where you can attach policies.
  • Page 165: Figure 14: Interface Stack For Arbitrary Interface Groups

    I1 and I2 feed into a single policer with the following configuration: AGG, Committed Rate: 1 Mbps, Peak Rate: 0 Mbps, Committed Action: transmit, Conformed Action: drop, Exceeded Action: drop Figure 15: Arbitrary Interface Groups Configuration
  • Page 166 Attach IP_POL1 to the voice session of the second user and attach IP_POL2 to the other session for the same user. Specify a different ID for parameter A.
    host1(config)#interface ip 3/0.1.2
    host1(config-interface)#ip policy-parameter hierarchical A 2
    host1(config-interface)#ip policy input IP_POL1 statistics enable
  • Page 167: Example: Service And User Rate-Limit Hierarchy Overlap Hierarchical Policy

    Committed Action: transmit final Conformed Action: drop Exceeded Action: drop Both C1 and C2 feed into a single policer with the following configuration: AGG_VIDEO, Committed Rate: 1 Mbps Peak Rate: 0 Mbps Committed Action: transmit conditional
  • Page 168: Figure 17: Service And User Rate-Limit Hierarchy Overlap Configuration

    Create a policy list to be attached to each IP session.
    host1(config)#ip classifier-list VIDEO_CLACL udp any any eq 4000
    host1(config)#policy-parameter A hierarchical
    host1(config-policy-parameter)#exit
    host1(config)#ip policy-list IP_POL
    host1(config-policy-list)#classifier-group VIDEO_CLACL external parent-group EPG1 parameter A
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group * external parent-group EPG2
  • Page 169: Example: Percentage-Based Hierarchical Rate-Limit Profile For External Parent

    Create a hierarchical policy parameter.
    host1(config)#policy-parameter A hierarchical
    host1(config-policy-parameter)#aggregation-node forwarding
    host1(config-policy-parameter)#exit
    Create a policy that references the external parent group.
    host1(config)#ip policy-list P
    host1(config-policy)#classifier-group data external parent-group epg1 parameter A
  • Page 170 5000000 bps, peak burst: 62500 bytes (default) committed: 0 packets, 0 bytes, action: transmit conditional conformed: 0 packets, 0 bytes, action: transmit conditional exceeded: 0 packets, 0 bytes, action: drop unconditional: 0 packets, 0 bytes saturated: 0 packets, 0 bytes
  • Page 171: Example: PPP Interfaces Hierarchical Policy Configuration

    This example uses the following: At I1 and I3: Classified Video Flow. VIDEO_RATE, Committed Rate: 1 Mbps Peak Rate: 0 Mbps Committed Action: transmit unconditional Conformed Action: drop Exceeded Action: drop At I2 and I4:
  • Page 172: Figure 18: Interface Stack For Hierarchical Policy Configuration

    Create a hierarchical policy parameter list for PPP interfaces.
    host1(config)#policy-parameter P1_PPP hierarchical
    host1(config-policy-parameter)#exit
    Create a reference rate parameter to be used in external parent groups associated with PPP sessions.
    host1(config)#policy-parameter sessionRlpRate reference-rate
    host1(config-policy-parameter)#reference-rate 3000000
  • Page 173 Specify the policy parameter and attachments through the profile.
    host(config)#profile PPPOE_PROF1
    host(config-profile)#ip policy-parameter hierarchical P1_PPP ppp-interface
    host(config-profile)#ip policy input IP_POL1 sta enabled merge
    host(config-profile)#ipv6 policy-parameter hierarchical P1_PPP ppp-interface
    host(config-profile)#ipv6 policy input IP_POL2 sta enabled merge
    host(config-profile)#exit
  • Page 174 However, you can also configure these same settings at the global level, without defining them at the interface or profile level. This feature supports both these methods of configurations.
  • Page 175: Policy Resources

    (CAM) hardware classifiers—all other line modules support FPGA hardware classifiers. Table 17 on page 152 lists the classifiers supported on OC48/STM16, GE-2, and GE-HDE line modules; Table 18 on page 153 lists the classifiers supported on all other line modules.
  • Page 176: Table 17: Classifier Support

    Destination port Destination route class ICMPv6 type and code Local Protocol Source address Source port Source route class TC flags TCP flags Traffic class User packet class MPLS Not supported VLAN Not supported User priority
  • Page 177: FPGA Hardware Classifiers

    An E Series router supports two versions of policies that are based on FPGA hardware classifiers. One version has a maximum of 16 classifier entries per policy, and the second version has 17 to 32 classifier entries per policy. The line module supports 16,255 policies
  • Page 178: CAM Hardware Classifiers Overview

    192.168.1.1 host 192.168.2.2 tos 1
    host1(config)#ip classifier-list clacl1 ip host 192.168.1.1 host 192.168.2.2 tos 2
    host1(config)#ip classifier-list clacl2 tcp any any tcp-flags "SYN"
    host1(config)#ip policy-list policy1
    host1(config-policy-list)#classifier-group clacl1
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group clacl2
    host1(config-policy-list-classifier-group)#forward
  • Page 179: Size Limit For IP And IPv6 CAM Hardware Classifiers

    Based on the size limit for a combined IPv6 classifier entry, a maximum of 336 bits of CAM entry is supported for full IPv6 classification. An additional 16 bits that are reserved for rule set ID are added to the total classifier entry size, which causes the total CAM
  • Page 180: IP Classifiers And Size Limits

    Color Destination address Destination port Destination route class ICMP type ICMP code IGMP type IP flags IP fragmentation Local Protocol Source address Source port Source route class TCP flags Traffic class User packet class
  • Page 181: Table 20: Size Limit Of Combined IP Classifiers

    | [ IGMP type ] ] added to the total classifier entry size. ICMP type, ICMP code, and IGMP type require 16 bits even if the source port and destination port classifications are not configured.
  • Page 182: IPv6 Classifiers And Size Limits

    IPv6 Classifier Entry Size Limit (Bits) Color Destination address Destination port Destination route class ICMPv6 type ICMPv6 code Local Protocol Source address Source port Source route class TC field TCP Flags Traffic class User packet class
  • Page 183: Table 22: Size Limit Of Combined IPv6 Classifiers

    16 bits even if you have not specified the source port and destination port classifiers. Protocol – Source address (first word) – Source address (second word) – Source address (third word) – Source address (fourth word) –
  • Page 184: Creating And Attaching A Policy With IP Classifiers

    Apply the policy list to an interface.
    host1(config)#interface atm 5/0/0.1
    host1(config-if)#ip policy input ipPol
    Table 23 on page 161 lists the active classifiers in the policy named ipPol and the size of each classifier.
  • Page 185: Table 23: Classification Fields For Example 1

    1 ip any any
    Create a policy list.
    host1(config)#ip policy-list ipPol
    host1(config-policy-list)#classifier-group colorCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group ipFragCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group igmpCLACL
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#classifier-group lowDelayCLACL
    host1(config-policy-list-classifier-group)#traffic-class strict-priority
    host1(config-policy-list-classifier-group)#classifier-group tcpCLACL
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#classifier-group *
    host1(config-policy-list-classifier-group)#filter
  • Page 186: Variable-Sized CAM Classification For IPv6 Policies Examples

    128 bits. To improve scalability for IPv6 policies, Policy Manager uses the optimum CAM entry size, depending on the IPv6 policy definition. The policy definition of IPv6 is used to determine which classification fields in the combined
  • Page 187: 144-Bit IPv6 Classification Example

    Destination Address (first word), Destination Port, Protocol, TCP Flags, ICMPv6 Type, ICMPv6 Code, Color, and TC field. Table 25 on page 164 lists the active classifiers in the policy named ipv6Pol and the size of each classifier.
  • Page 188: 288-Bit IPv6 Classification Example

    Table 26: IPv6 Classification Fields for a 288-bit CAM Entry Classifiers Size (Bits) Source address (first word) Source address (second word) Source Address (third word) Source Address (fourth word)
  • Page 189: 576-Bit IPv6 Classification Example

    Table 27: IPv6 Classification Fields for a 576-bit CAM Entry Classifiers Size (Bits) Source address (first word) Source address (second word) Source Address (third word) Source address (fourth word) Destination Address (first word)
  • Page 190: Performance Impact And Scalability Considerations

    One CAM entry is required per classifier for each unique policy on each line module. Regardless of the classifier definition for an IPv4 policy, each IPv4 classifier consumes 144 bits (one 144-bit CAM entry). However, default classifiers do not consume CAM entries.
  • Page 191: CAM Device Block Size And CAM Entry Allocation

    4 blocks, the IPv6 policy attachment fails. The block that is common to the variable-sized entries is not available for 144-bit CAM entries when you configure any 288-bit or 576-bit entries, even though you remove them
  • Page 192: Table 28: Maximum Policies With One Classifier Per Policy For GE-2 LMs

    Equal number of 64,000 8000 8000 16,000 (+ identical IPv4/IPv6 24,000 policies 144-bit entries available) Table 29 on page 169 lists the maximum policies supported with variable length IPv6 CAM classification and four classifiers per policy.
  • Page 193: Software Classifiers Overview

    However, if you configure a policy that requires classification on three different classifier categories, such as ToS, color, and TCP flags, then that policy consumes three of the available 16,383 software classifier resources. NOTE: Policy consumption is per policy definition per line module.
  • Page 194: Interface Attachment Resources Overview

    2 attachment resource pool. The type of line module determines the number of policy attachments supported by interfaces. See ERX Module Guide, Appendix A, Module Protocol Support for more
  • Page 195: CAM Hardware Classifiers And Interface Attachment Resources

    A policy with 1–32 classifier entries consumes 1 interface attachment resource. A policy with 33–64 classifier entries consumes 2 interface attachment resources. A policy with 65–96 classifier entries consumes 3 interface attachment resources. A policy with 487–512 classifier entries consumes 16 interface attachment resources.
  • Page 197: Monitoring Policy Management

    See JunosE System Event Logging Reference Guide for information about logging.
  • Page 198: Setting A Statistics Baseline For Policies

    In Error Packets 0 In Invalid Source Address Packets 0 In Discarded Packets 0 Out Forwarded Packets 5, Bytes 540 Out Scheduler Drops Packets 0, Bytes 0 Out Policed Packets 5, Bytes 540 Out Discarded Packets 0
  • Page 199: Monitoring The Policy Configuration Of ATM Subinterfaces

    Color applied to packet flow for queuing: green, yellow, or red classifier-group Name of the classifier control list used by the policy filter Filter policy action forward Forward policy action traffic-class Traffic class in the policy list
  • Page 200: Monitoring Classifier Control Lists

    Source IP Address: 0.0.0.0 Source IP WildcardMask: 255.255.255.255 Not Source Ip Address: false Destination IP Address: 0.0.0.0 Destination IP WildcardMask:255.255.255.255 Not Destination Ip Address: false GRE Tunnel Classifier Control List greClass Reference count: Entry count:
  • Page 201: Table 32: Show Classifier-List Output Fields

    Reference count Number of times the CLACL is referenced by policies Entry count Number of entries in the classifier list Classifier-List Name of the classifier list Entry Entry number of the classifier list rule
  • Page 202 Traffic Class Field Traffic class field value to match EXP Bits MPLS EXP bit value to match EXP Mask Mask applied to EXP bits before matching DE Bit Frame Relay DE bit value to match
  • Page 203: Monitoring Color-Mark Profiles

    Documentation Monitoring Control Plane Policer Information Purpose Display information about control plane policer for a specified protocol or all protocols. Action To display information about control plane policer: host1#show control-plane policer protocol Burst
  • Page 204: Monitoring The Policy Configuration Of Frame Relay Subinterfaces

    Frame relay sub-interface SERIAL5/0:1/1.1, status is up Number of sub-interface down transitions is 0 Time since last status change 03:04:59 No baseline has been set In bytes: 660 Out bytes: 660 In frames: 5 Out frames: 5
  • Page 205: Monitoring GRE Tunnel Information

    Display information about GRE tunnels. The state keyword displays tunnels that are in a specific state: disabled, down, enabled, not-present, or up. Use the ip keyword to display tunnels associated with an IP address. To display information about a specific tunnel,
  • Page 206: Table 36: Show GRE Tunnel Output Fields

    Name of classifier group entry Identifier for the entry in the classifier group packets Number of packets bytes Number of bytes mark ToS byte setting for the classifier control list mask Mask value corresponding to the ToS
  • Page 207: Monitoring Interfaces And Policy Lists

    Unicast Packets 0, Bytes 0 Multicast Routed Packets 0, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0, Bytes 0 Out Discarded Packets 0 IP policy input P classifier-group data entry 1
  • Page 208: Table 37: Show Interfaces Output Fields

    Table 37: show interfaces Output Fields Field Name Field Description Subinterface number Location of the subinterface that carries the VLAN traffic Administrative status Operational state that you configured for this interface: up or down
  • Page 209: Monitoring The Policy Configuration Of IP Interfaces

    Discontinuity Time = 0 Router advertisement = disabled Proxy Arp = disabled ARP spoof checking = enabled Network Address Translation is disabled TCP MSS Adjustment = disabled Administrative debounce-time = disabled Operational debounce-time = disabled
  • Page 210: Table 38: Show IP Interfaces Output Fields

    Network Protocols Protocols configured on the interface Internet address IP address of the interface Broadcast address Broadcast address used by the interface Operational MTU Operational maximum transmission unit (MTU) for packets sent on this interface
  • Page 211 In Error Packets Number of packets determined to be in error at the interface In Invalid Source Address Packets Number of packets determined to have originated from an invalid source address
  • Page 212 Bytes transmitted Number of bytes sent to the next-hop address forward Number of packets and bytes forwarded because of the CLACL interface Interface rule to forward all packets that match the current classifier control list
  • Page 213: Monitoring The Policy Configuration Of IPv6 Interfaces

    ND RA source link layer is advertised ND RA interval is 200 seconds, lifetime is 1800 seconds ND RA managed flag is disabled, other config flag is disabled ND RA advertising prefixes configured on interface
  • Page 214: Table 39: Show IPv6 Interface Output Fields

    Table 39 on page 190 lists the show ipv6 interface command output fields. Table 39: show ipv6 interface Output Fields Field Name Field Description Description Optional description for the interface or address specified Network Protocols Network protocols configured on this interface
  • Page 215 ND RA advertising prefixes Whether advertisement prefixes for neighbor discovery router advertisement are configured In Received Packets, Bytes Total number of packets and bytes received on this interface
  • Page 216 Number of outbound packets that were discarded for reasons other than those dropped by the scheduler and those dropped because of rate limits IPv6 policy Type (input, output, local-input) and name of the policy
  • Page 217: Monitoring The Policy Configuration Of Layer 2 Services Over MPLS

    2 vc-id 900001 mtu 1500 State UP Label 48 on stack 0 pkts, 0 hcPkts, 0 octets 0 hcOctets, 0 errors, 0 discardPkts Out Label 49 on tun mpls:lsp-de090100-24-37 0 pkts, 0 hcPkts, 0 octets
  • Page 218: Table 40: Show MPLS L2Transport Interface Output Fields

    Mpls Statistics pkts Number of packets received or sent hcPkts Number of high-capacity (64-bit) packets received or sent octets Number of octets received or sent hcOctets Number of high-capacity (64-bit) octets received or sent
  • Page 219: Monitoring External Parent Groups

    Exceeded Number of packets and bytes exceeding the peak access rate Related show mpls Documentation Monitoring External Parent Groups Purpose Display information about external parent groups.
  • Page 220: Monitoring Policy Lists

    ------ ----- IPv6 Policy ipv6-pol8 Administrative state: enable Reference count: Classifier control list: *, precedence 100 forward Referenced by interface(s): GigabitEthernet1/0/2.1 input policy, statistics enabled, virtual-router default GigabitEthernet1/0/2.1 output policy, statistics enabled, virtual-router default
  • Page 221 Administrative state: enable Reference count: Classifier control list: *, precedence 100 color red rate-limit-profile l2tpRLP20 MPLS Policy routeForMpls Administrative state: enable Reference count: Classifier control list: *, precedence 200 mark-exp 2 mask 7 rate-limit-profile mplsRLP5
  • Page 222 Classifier control list: C1, precedence 90 color red Classifier control list: *, precedence 1000 filter Referenced by interfaces: ATM4/0.5 input policy, statistics enabled, virtual-router default Referenced by profiles: None Referenced by merge policies: None
  • Page 223 Classifier control list: *, precedence 100 filter Referenced by interface(s): GigabitEthernet12/1.0 input policy, statistics disabled, virtual-router default Referenced by profile(s): None Referenced by merged policies: None To display rate limit hierarchy in one policy:
  • Page 224: Table 42: Show Policy-List Output Fields

    State of mode for ATM cell tax used in rate calculations. Referenced by interfaces List of interfaces to which policy is attached and is active; indicates whether the attachment is at input or output of interface.
  • Page 225 TC precedence Traffic class value in the IPv6 header to a specified value mark EXP Value assigned to EXP bits action mark user priority Value assigned to 802.1p VLAN user priority bit
  • Page 226: Monitoring Policy List Parameters

    To display list information: host1(config)#show policy-parameter Policy Parameter Table ------ --------- ----- Policy Parameter refRlpRate Type: reference-rate Rate: 100000 Reference count: 7 Referenced by interfaces: 2 references IP interface ATM5/0.1: 1000000 IP interface ATM5/0.2: 200000
  • Page 227: Monitoring Rate-Limit Profiles

    To display information about rate-limit profiles: host1#show rate-limit-profile Rate Limit Profile Table ---- ----- ------- ----- IP Rate-Limit-Profile: rlp Profile Type: one-rate Reference count: Committed rate: Committed burst: 8192 Excess burst: Mask: Committed rate action: transmit
  • Page 228: Table 44: Show Rate-Limit-Profile Output Fields

    Peak rate Amount of bandwidth allocated to accommodate traffic flow in excess of the committed rate, in bits per second
  • Page 229: Monitoring The Policy Configuration Of VLAN Subinterfaces

    Location of the subinterface that carries the VLAN traffic VLAN ID Domain number of the VLAN VLAN policy Type and name of the VLAN policy filter Number of packets and bytes that have been policed by the policy
  • Page 230: Packet Flow Monitoring Overview

    The attack is a simple ping flood. The ISP creates a classifier list to define an ICMP echo request packet flow.
    host1:vr2(config)#ip classifier-list icmpEchoReq icmp any any 8 0
    host1:vr2(config)#ip policy-list pingAttack
    host1:vr2(config-policy-list)#classifier-group icmpEchoReq
    host1:vr2(config-policy-list-classifier-group)#log
    host1:vr2(config-policy-list-classifier-group)#exit
  • Page 231 In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 In Discarded Packets 0 Out Forwarded Packets 486152, Bytes 62232048 Unicast Packets 486152, Bytes 62232048 Multicast Routed Packets 0, Bytes 0
  • Page 232 INFO 02/20/2008 10:15:11 policyMgrPacketLog: Classifier: test.1, prot: icmp, intf: FastEthernet2/2.100, sa: 100.1.1.2, da: 100.1.2.2 version: 0x45, tos: 0x0, len: 0x3e8, id: 0x714, flags: 0x0, ttl: 0x20, proto; 0x1, chksum: 0xc4fb, forwarded
  • Page 233 INFO 02/20/2008 10:15:14 ppolicyMfrPacketLog: classifier: test.1, prot: icmp, intf: FastEthernet2/2.100, sa: 100.1.1.2 da: 100.1.2.2 version: 0x45, tos: 0x0, len: 0x3e8, id: 0xbe8, flags: 0x0, ttl: 0x7e, proto; 0x1, chksum: 0x6227, forwarded
  • Page 235: Packet Mirroring

    PART 2 Packet Mirroring Packet Mirroring Overview on page 213 Configuring CLI-Based Packet Mirroring on page 219 Configuring RADIUS-Based Mirroring on page 233 Managing Packet Mirroring on page 241 Monitoring Packet Mirroring on page 257
  • Page 237: Packet Mirroring Overview

    (the mediation device). The mirroring operations are transparent to the user whose traffic is being mirrored. NOTE: Packet-mirroring operations require some system resources. To avoid performance degradation, limit the amount of mirrored traffic to a maximum of 5 percent of the E Series router’s total traffic.
  • Page 238: Comparing CLI-Based Mirroring And RADIUS-Based Mirroring

    RADIUS-initiated mirroring—If the user is already logged in, the JunosE RADIUS dynamic-request server uses RADIUS-initiated change-of-authorization (CoA) messages to immediately start the mirroring session when the packet mirroring is enabled. Security The following list highlights security features provided by CLI-based and RADIUS-based mirroring:
  • Page 239: Application

    L2TP traffic at the L2TP access concentrator (LAC). If the L2TP network server (LNS) and the LAC belong to different service providers, mirroring at the LAC enables mirroring to take place close to the user’s domain.
  • Page 240: Packet-Mirroring Terms

    For detailed information about the modules that support packet mirroring on the E120 and E320 Broadband Services Router: See E120 and E320 Module Guide, Table 1, Modules and IOAs for detailed module specifications.
  • Page 241: Packet Mirroring References

    For more information about RADIUS-based packet mirroring, consult the following resources: RFC 3576—Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) (July 2003) Lawfully Authorized Electronic Surveillance (LAES) for IP Network Access, American National Standard for Telecommunications, version PTSC-LAES-2006-084R6
  • Page 243: Configuring CLI-Based Packet Mirroring

    E Series router. The analyzer interface then directs the mirrored traffic to the specified analyzer device for analysis.
  • Page 244: Enabling And Securing CLI-Based Packet Mirroring

    To create a secure packet-mirroring environment, you use a combination of the JunosE Software authorization methods and the mirror-enable command. You configure the authorization method to control who can use the mirror-enable command. Authorized users can then issue the mirror-enable command, making the packet mirroring commands
  • Page 245: Table 47: Commands Made Visible By The Mirror-Enable Command

    TACACS+, the mirror-enable command is the only packet mirroring command that is sent to the TACACS+ server. You can also use TACACS+ to prevent unauthorized individuals from modifying the configuration of analyzed ports.
  • Page 246: Reloading A CLI-Based Packet-Mirroring Configuration

    Configure TACACS+ authorization for the mirror-enable command privilege level. Specify that authorization is denied if TACACS+ is not available. Because TACACS+ is not being used, authorization always fails.
  • Page 247: CLI-Based Packet Mirroring Sequence Of Events

    An individual who is authorized to use the packet mirroring CLI commands configures the packet mirroring environment, including the secure policy, analyzer interface connection to the analyzer device, and the interface or trigger information.
  • Page 248: Configuring CLI-Based Mirroring

    If you attach this policy list to an interface, there is no
  • Page 249 L2TP policies is classifier-group *. You cannot delete a secure policy list that is currently attached to an interface. Related classifier-group Documentation ip analyzer ip mirror ip policy mirror
  • Page 250: Configuring Triggers For CLI-Based Mirroring

    CLI-initiated mirroring per account session ID creates a rule that continues to exist after the subscriber logs out. RADIUS CoA messages affect only currently connected subscribers; they do not create persistent rules.
  • Page 251: Configuring The Analyzer Device

    ES2 10G ADV LM, the GRE non-analyzer tunnel interfaces are available on the ES2 4G LM. Only GRE analyzer interfaces with no optional configurations are available on the ES2 10G ADV LM shared tunnel server.
  • Page 252: Configuring The E Series Router

    Therefore, the rule sets the mirror header to disable, which means that the mirror header is not prepended to the mirrored packets. See “Understanding the Prepended Header During a Packet Mirroring Session” on page 243 for information
  • Page 253: Example: Configuring CLI-Based User-Specific Mirroring

    192.168.99.2 255.255.255.255 tunnel ipsec:mirror3
    For DHCP and PPP subscribers:
    host1(config)# interface atm 4/0.1
    host1(config-if)#ip address 19.0.0.2 255.255.255.0
    host1(config-if)#ip analyzer
    host1(config-if)#exit
    host1(config)#ip route 19.0.0.2 255.255.255.255 101.101.101.2
  • Page 254 1 x:12000001:pppoe agent circuit id:47 agent-circuit-id IP secure-ipv4-policy 1 79:3a:02:00:00:02:3a:72:65:6d:6f:74:65:20:69:64:3a:35 agent-remote-id secure-ipv4-policy 1 Verify the configuration of the secure policy. host1# show secure policy-list Policy Table
  • Page 255 Reference count: Classifier control list: * mirror analyzer-ip-address 19.0.0.2 analyzer-virtual-router default analyzer-udp-port 2500 mirror-identifier 1 session-identifier 1 Referenced by interface(s): ip100.1.1.3 secure-input policy, statistics disabled, virtual-router default ip100.1.1.3 secure-output policy, statistics disabled, virtual-router default
  • Page 257: Configuring RADIUS-Based Mirroring

    RADIUS dynamic-request server to the E Series router. NOTE: You cannot use RADIUS-based packet mirroring to mirror static interfaces, which might not be authenticated through RADIUS. To mirror static interfaces, you must use CLI-based mirroring.
  • Page 258: RADIUS Attributes Used For Packet Mirroring

    RADIUS record. NOTE: For IP mirroring, you must include both VSA 26-59 and VSA 26-61, or you must omit both of these VSAs. If you use only one of these VSAs, the configuration fails.
  • Page 259: RADIUS-Based Packet Mirroring Dynamically Created Secure Policies

    If you are mirroring an IP session, the packet-mirroring operation is enabled or disabled on the MLPPP bundle as a whole. We recommend that you use the Account-Session-ID RADIUS attribute rather than the User-Name attribute as the trigger. Using the
  • Page 260: RADIUS-Based Mirroring Sequence Of Events

    The E Series router administrator configures RADIUS server information and the analyzer interface connection to the analyzer device. Table 55 on page 237 indicates the sequence of steps for a packet mirroring operation that takes place when a user starts a new session.
  • Page 261: Configuring Router To Start Mirroring When User Logs On

    Configuring Router to Start Mirroring When User Logs On To configure the router to support user-initiated mirroring, which starts when the user logs in: Configure RADIUS server authentication information in the router. See JunosE Broadband Access Configuration Guide for information.
  • Page 262: Configuring Router To Mirror Users Already Logged In

    IP Address Port Disconnect Authorization Secret
    ------------- ---- ---------- ------------- ------
    10.10.3.4 3799 enabled enabled mysecret
    Configure the analyzer interface to send the mirrored traffic to the analyzer device.
    host1(config)#interface fastEthernet 4/0
    host1(config-if)#ip analyzer
  • Page 263 Alternatively, for increased security, create the analyzer interface at one end of an IPSec tunnel to the analyzer device.
    host1(config)# interface tunnel ipsec:mirror3 transport-virtual-router default
    host1(config-if)#ip analyzer
    host1(config-if)#exit
    host1(config)#ip route 192.168.99.2 255.255.255.255 tunnel ipsec:mirror3
  • Page 265: Managing Packet Mirroring

    CLI-based and RADIUS CoA (RADIUS-initiated mirroring) configurations identify targeted subscribers according to the following configured criteria in the order given: Account session ID Calling station ID IP address associated with the virtual router where the subscriber logs in
  • Page 266 Mirroring begins for all 20 of these subscribers. Ten more subscribers with the username joe@example.com log in through VR boston1. None of these new subscribers is mirrored because the RADIUS CoA configuration makes no persistent rules.
  • Page 267: Understanding The Prepended Header During A Packet Mirroring Session

    NOTE: For IP mirroring, you must include both VSA 26-59 and VSA 26-61, or you must omit both of these VSAs. If you use only one of these VSAs, the configuration fails.
  • Page 268: Figure 22: Prepended Header

    Table 57: Prepended Header Field Descriptions Field Value Length (Bits) IP Header Version Type of Service Total Length Dynamically computed Identification Dynamically computed Flags Dynamically computed Fragment Offset Dynamically computed Time to Live Protocol Header Checksum Dynamically computed
  • Page 269: Format Of The Mirror Header Attributes

    Session-ID field. You cannot change the order of these two words. For example, a value of 0000030000000090 in VSA 26-59 configures the following fields in the mirror header, as shown in Figure 23 on page 246: MHV = 0
  • Page 270: 4-Byte Format

    The router tracks the analyzer device’s IP address for any route changes within the router. This tracking ability provides a degree of failure recovery by enabling you to configure multiple analyzer interfaces to serve as redundant ports to reach the analyzer device.
  • Page 271: Using Multiple Triggers For CLI-Based Packet Mirroring

    If the Acct-Session-Id does not match, then the subscriber information is next examined to determine whether the Calling-Station-Id matches the rule. This process continues for all configured rules. If none of the trigger rules are matched, then that subscriber’s traffic is not mirrored.
  • Page 272: Optimizing Packet Mirroring Performance

    If the fabric bandwidth is not exceeded, then the performance penalties are contained within the slot where the packet mirroring activity occurs. However, if the fabric bandwidth is exceeded, traffic from other line modules might also be dropped.
  • Page 273: Logging Packet Mirroring Information

    (2X + Y) must be less than 100Mbps (the enforced queue limit). The 100 Mbps limit does not apply to the following line modules: GE-2 line module (Juniper Networks ERX310 and ERX1440 Broadband Services Routers) GE-HDE line module (ERX310 and ERX1440 router)
  • Page 274: Using SNMP Secure Packet Mirroring Traps

    CLI An interface failed during trigger or with secure CoA-based or CLI-based policies An analyzer RADIUS-initiated packet attached is packet mirroring mirroring deleted unreachable Analyzer address – – – Application name – –
  • Page 275: Additional Packet-Mirroring Traps For CALEA Compliance

    CALEA, such as Lawfully Authorized Electronic Surveillance (LAES) for IP Network Access, American National Standard for Telecommunications messages. Individual traps might map to multiple LAES messages to provide additional compliance-related information.
  • Page 276: Packet Mirroring Trap Severity Levels

    JunosE System Basics Configuration Guide for descriptions of the severity levels. Table 60: Packet Mirroring Trap Severity Levels Trap Default Severity Level juniPacketMirrorAnalyzerUnreachable Warning juniPacketMirrorCliTriggerBasedMirroringFailure Error juniPacketMirrorInterfaceDeleted Notice juniPacketMirrorInterfaceSessionActivated Info juniPacketMirrorInterfaceSessionDeactivated Info juniPacketMirrorRadiusBasedMirroringFailure Error juniPacketMirrorSessionEnd Info juniPacketMirrorSessionFailed Info juniPacketMirrorSessionStart Info
  • Page 277: Configuring SNMP Secure Packet Mirroring Traps

    The following example illustrates the procedure to configure SNMP secure packet mirroring traps support:
    host1#mirror-enable
    host1#configure terminal
    host1(config)#mirror trap-enable
    host1(config)#show mirror trap
    Traps are enabled
    host1(config)#snmp-server secure-log
    host1(config)#snmp-server user fredMirrorUser group mirror authentication md5 fred-md5password privacy des fred-despassword
    host1(config)#snmp-server enable traps packetMirror trapFilters notice
  • Page 278: Capturing SNMP Secure Audit Logs

    The SNMP agent captures and stores the audit logs for secure traps. The SNMP agent also captures PDU audit logs for Mirror-MIB operations. Configure the snmpTrap, snmpPduAudit, and snmpSetPduAudit logs at the proper severity level to capture the secure audit logs.
  • Page 279 CLI. You cannot use SNMP to configure and display the logs. Secure trap logs are not populated in the notification logs MIB. From the perspective of the notification log MIB, secure traps do not exist. Related snmp-server clear secure-log Documentation snmp-server secure-log show snmp secure-log show snmp trap
  • Page 281: Monitoring Packet Mirroring

    Use the delta keyword with the show radius statistics command to show baselined statistics. Related baseline radius dynamic-request Documentation clear mirror log
  • Page 282: Monitoring CLI-Based Packet Mirroring

    Proxy Arp = disabled Administrative debounce-time = disabled Operational debounce-time = disabled Access routing = disabled Multipath mode = hashed In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0
  • Page 283: Monitoring The Packet Mirroring Configuration Of IP Interfaces

    NOTE: This command is deprecated and might be removed completely in a future release. The function provided by this command has been replaced by the show secure policy-list command.
  • Page 284: Monitoring Failure Messages For Secure Policies

    Table 63 on page 260 lists the show mirror log command output fields. Table 63: show mirror log Output Fields Field Name Field Description Time Day, date, and time of failure Mirror-ID Unique identifier of the mirrored session
  • Page 285: Monitoring Packet Mirroring Triggers

    Table 64: show mirror rules Output Fields Field Name Field Description Subscriber ID Identification of the subscriber ID Method Method used to identify the subscriber Secure Policy Type Type of secure policy; IP, IPv6, or L2TP
  • Page 286: Monitoring Packet Mirroring Subscriber Information

    Method used to identify the subscriber Secure Policy Type Type of secure policy; IP, IPv6, or L2TP Secure Policy List Name of secure policy list used for packet mirroring Sessions Mirrored Number of sessions being mirrored
  • Page 287: Monitoring RADIUS Dynamic-Request Server Information

    Table 66: show radius dynamic-request statistics Output Fields Field Name Field Description IP Address IP address of the RADIUS server Udp Port Port on which the router listens for RADIUS server Disconnect Status of RADIUS-initiated disconnect feature, enabled or disabled
  • Page 288: Monitoring Secure Clacl Configurations

    Use the brief or detail keywords with the show secure classifier-list command to display different levels of information. Action To display a list of secure CLACLs
  • Page 289: Table 67: Show Secure Classifier-List Output Fields

    Source IP Address Address of the network or host from which the packet is sent Source IP WildcardMask Mask that indicates addresses to be matched when specific bits are set
  • Page 290 Route class used to classify packets based on the packet’s source address Local If true, matches packets destined to a local interface; if false, matches packets that are traversing the router Related show secure classifier-list Documentation
  • Page 291: Monitoring Secure Policy Lists

    3000 mirror-id 6789 session-id 6543 (unreachable) Referenced by interface(s): TUNNEL l2tp:1/msn.pwh.com/1 secure-input policy, statistics disabled TUNNEL l2tp:1/msn.pwh.com/1 secure-output policy, statistics disabled Meaning Table 68 on page 268 lists show secure policy-list command output fields.
  • Page 292: Monitoring Information For Secure Policies

    Error Status ----------- -------------- ---------- -------------- -------------- TUE SEP 15 8976 1923 123@abc.com no secure policies available 2009 18:35:43 UTC Meaning Table 69 on page 269 lists the show mirror log command output fields.
  • Page 293: Monitoring Snmp Secure Packet Mirroring Traps

    --------------- ------------------ ------- --------- --------- ------------- 10.1.1.1 5 - notice dropLastIn 10.12.12.12 2 - critical dropLastIn 192.168.57.162 2 - critical dropLastIn Meaning Table 70 on page 270 lists the show snmp trap command output fields.
  • Page 294: Table 70: Show Snmp Trap Output Fields

    Queue Full discrd methd Method used to discard traps when the queue is full: dropFirstIn Oldest trap in the queue is dropped dropLastIn Most recent trap is dropped Related mirror trap-enable Documentation snmp-server enable traps snmp-server host
  • Page 295: Monitoring Snmp Secure Audit Logs

    , securityName=jbond, engineBoots=1, engineTime=8602, varCnt=6, Vars: 1.3.6.1.2.1.1.3.0 [1259], 1.3.6.1.6.3.1.1.4.1.0 1],3.6.1.4.1.4874.2.2.77.3.0.4], 1.3.6.1.4.1.4874.2.2.77.3.1.13 [?^K^B 1.3.6.1.4.1.4874.2.2.77.3.1.9 [192.168.7.120], 1.3.6.1.4.1.4874.2.2.77.3.1.14 [1], 1.3.6.1.4.1.4874.2.2.16.1.3.5.0 [4], Meaning Table 71 on page 272 lists the show snmp secure-log command output fields.
  • Page 296: Table 71: Show Snmp Secure-Log Output Fields

    Table 71: show snmp secure-log Output Fields Field Name Field Description Agent’s Context Owner of the secure log entry LogData Contents of the secure audit log Related snmp-server clear secure-log Documentation show snmp secure-log
  • Page 297: Index

    PART 3 Index Index on page 275
  • Page 298 JunosE 11.3.x Policy Management Configuration Guide
  • Page 299: Index

    152, 153 ..................162 policy consumption..........151, 169 utilization for CAM entries software..............151, 169 in an IPv4 policy, example........167 classifier control list in an IPv6 policy, example........167 criteria defined..............7 matching IP flags.............12 matching IP fragmentation offset......12
  • Page 300 CAM entries............167 classifier per policy.........168 GE-HDE line modules maximum policies supported with one formula for scaling limits classifier per policy.........168 CAM entries............167 performance impact..........166 IPv6 classifier See IPv6 classification hierarchical aggregation nodes........126
  • Page 301 89 packet coloring, explicit............35 congestion management...........92 packet flow monitoring.............206 creating a one-rate rate-limit profile......79 packet mirroring creating a two-rate rate-limit profile......84 access level..............220 explicit packet coloring..........35 analyzer device..............216 filtering fragmentation offsets........12
  • Page 302 268 for interfaces..............58 show mirror rules............261 hierarchical...............59 show mirror subscribers..........262 individual traffic flows..........94 show radius commands rate-limit hierarchies.............59 show radius servers............263 classifier groups..............59 show radius statistics..........263 color-aware configuration..........68 show secure policy-list command.........267
  • Page 303 IPv6 policy example..............163 576–bit size active classifiers in the example policy..............163 creation and attachment of an IPv6 policy, example..............163 size of each classifier in the IPv6 policy example..............163 factors to determine available CAM resources........166
  • Page 304 JunosE 11.3.x Policy Management Configuration Guide

This manual is also suitable for:

Junose 11.3
