Processing The Auxiliary-Input Policy Attachment; Policy Actions - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04 Configuration Manual

JunosE 11.3.x Policy Management Configuration Guide

Processing the Auxiliary-Input Policy Attachment

Policy Actions

120
the packet. This is followed by any modification, such as mark or logging. If a rate limit
profile is configured, the packet is dropped or colored. If the packet is not dropped, it is
sent to the exception path (if configured). If the packet is not exceptioned, any configured
forward action is saved in the packet for use later (unless overridden in Step 3). (See
Figure 7 on page 119.)
Some information generated by the action processing in Step 2 is forwarded to Step 3,
where it may affect the action processing for the auxiliary-input attachment. This
information can include color, exception information, and forwarding information. The
color can affect a rate-limit in the auxiliary-input attachment. Step 3 acts on the exception
and forwarding information, if it is not overridden by similar actions from the auxiliary-input
attachment.
The transmit information (transmit conditional, transmit unconditional, transmit final)
generated with hierarchical policies does not carry forward from input to auxiliary-input
action processing.
If the packet is not filtered or exceptioned in policy Step 2, the classifier result of the
auxiliary policy attachment is processed and a set of actions identified. The packet can
be filtered or exceptioned at this time. These operations, if configured, are performed
regardless of whether a forward action was performed in Step 2. If the packet is not
discarded, either by a filter action or a rate limit, it can be exceptioned (if configured). If
the packet is not filtered, rate-limited, or exceptioned, any configured forward action is
applied and overrides any forward action from Step 2. If no forward action is configured,
any forward action from Step 2 applies.
The set of actions in the following list specified by the input and auxiliary-input policy
attachments are executed in the order: input, auxiliary-input.
Color packet action—Explicitly sets the packet color. Each policy attachment can set
the color and the final value persists. A rate limit profile action can also set the color,
which overrides the value of the color packet action.
Mark action—Each attachment can set the TIP TOS, TOS precedence, and DS fields.
The cumulative result of all configured mark actions determines the resulting value of
these fields.
Mirror action—Executes in the order: secure input policy follows secondary input policy,
secure output policy follows output policy. Mirror is the only supported action for secure
policies.
Rate-limit profile action—Can be specified by any nonsecure input policy attachment.
This enables the application of multiple rate limits either within a policy stage or across
policy stages. These rate limits run serially; if the rate limit imposed in the primary
substage causes the packet to drop, the auxiliary rate limit does not run and the
associated token buckets are not affected. If you configure more than a single rate
limit per interface, it significantly impacts forwarding performance. Attaching two
policies with rate limit profiles in the same policy stage is equivalent to having two
policies attached in the same order, but in separate stages.
Copyright © 2010, Juniper Networks, Inc.