Description Of A Policy; Policy Platform Considerations - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04 Configuration Manual

Description of a Policy

Policy Platform Considerations

Copyright © 2010, Juniper Networks, Inc.
A policy is a condition and an action that is attached to an interface. The condition and
action cause the router to handle the packets passing through the interface in a certain
way. A policy can be attached to IP interfaces and certain layer 2 interfaces such as Frame
Relay, L2TP, MPLS, and VLAN interfaces. The policies do not need to be the same in both
directions.
Packets are sorted at ingress or egress into packet flows based on attributes defined in
classifier control lists. Policy lists contain rules that associate actions with these CLACLs.
A rule is a policy action optionally combined with a classification.
When packets arrive on an interface, you can have a policy evaluate a condition before
the normal route lookup; this kind of policy is known as an input policy. You can also have
conditions evaluated after a route lookup; this kind of policy is known as a secondary
input policy. You can use secondary input policies to defeat denial-of-service attacks
directed at a router's local interface or to protect a router from being overwhelmed by
legitimate local traffic. If you have a policy applied to packets before they leave an
interface, this is known as an output policy.
Classification is the process of taking a single data stream in and sorting it into multiple
output substreams. The classifier engine on an E Series router is a combination of PowerPC
processors, working with a Field Programmable Gate Array (FPGA) for a hardware assist.
In the Differentiated Services (DiffServ) architecture, two basic types of classifiers exist.
The first classifier type is a multifield (MF) classifier, which examines multiple fields in
the IP datagram header to determine the service class to which a packet belongs. The
second type of classifier is a behavior aggregate (BA) classifier, which examines a single
field in an IP datagram header and assigns the packet to a service class based on what
it finds.
There are two categories of hardware classifiers, depending on the type of line module
being used. ES2 4G LM, ES2 10G Uplink LM, ES2 10G LM, OC48/STM16, GE-2, and GE-HDE
line modules support content-addressable memory (CAM) hardware classifiers—all
other line modules support FPGA hardware classifiers.
The maximum number of policies that you can attach to interfaces on an E Series router
depends on the classifier entries that make up the policy and the number of attachment
resources available on the interface. JunosE Software allocates interface attachment
resources when you attach policies to interfaces. E Series routers support software and
hardware classifiers. A policy can be made up of any combination of software and
hardware classifiers.
Policy services are supported on all E Series routers.
For information about the modules supported on E Series routers:
Chapter 1: Managing Policies on the E Series Router
5