Juniper POLICY MANAGEMENT - CONFIGURATION GUIDE V11.1.X Configuration Manual
JUNOSe Software for Broadband Services Routers Policy Management Configuration Guide
JUNOSe
Software
for E Series
Broadband Services Routers
Policy Management Configuration Guide
Release 11.1.x
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Published: 2010-04-06


Summary of Contents for Juniper POLICY MANAGEMENT - CONFIGURATION GUIDE V11.1.X

  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”)
  • Page 4 (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 http://www.gnu.org/licenses/gpl.html...
  • Page 5 agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein.
  • Page 7 Abbreviated Table of Contents About the Documentation xxiii Part 1 Policy Management Chapter 1 Managing Policies on the E Series Router Chapter 2 Creating Classifier Control Lists for Policies Chapter 3 Creating Policy Lists Chapter 4 Creating Classifier Groups and Policy Rules Chapter 5 Creating Rate-Limit Profiles Chapter 6...
  • Page 8 JUNOSe 11.1.x Policy Management Configuration Guide viii...
  • Page 9: Table Of Contents

    Table of Contents. About the Documentation (p. xxiii): E Series and JUNOSe Documentation and Release Notes (p. xxiii); Audience (p. xxiii); E Series and JUNOSe Text and Syntax Conventions (p. xxiii); Obtaining Documentation (p. xxv); Documentation Feedback (p. xxv); Requesting Technical Support (p. xxv); Self-Help Online Tools and Resources (p. xxvi); Opening a Case with JTAC (p. xxvi). Part 1 Policy Management...
  • Page 10 Creating IP Classifier Control Lists That Match the IP Fragmentation Offset (p. 13); Creating or Modifying Classifier Control Lists for IPv6 Policy Lists (p. 14); Creating or Modifying Classifier Control Lists for L2TP Policy Lists (p. 14); Creating or Modifying Classifier Control Lists for MPLS Policy Lists (p. 14); Creating or Modifying Classifier Control Lists for VLAN Policy Lists (p. 15). Chapter 3...
  • Page 11 Table of Contents (continued): Example: Multiple Flows Sharing Preferred Bandwidth Rate-Limiting Hierarchical Policy (p. 67); Example: Multiple Flows Sharing a Rate Limit Hierarchical Policy (p. 68); Example: Shared Pool of Additional Bandwidth with Select Flows Rate-Limiting Hierarchical Policy (p. 69); Example: Aggregate Marking with Oversubscription Rate-Limiting Hierarchical Policy (p. 70); Color-Aware Configuration for Rate-Limiting Hierarchical Policy (p. 72); Percent-Based Rates for Rate-Limit Profiles Overview (p. 73)...
  • Page 12 Error Conditions for Merged Policies (p. 108); Merging Policies Configuration (p. 108); Parent Group Merge Algorithm (p. 120); Overlapping Classification for IP Input Policy (p. 122); Starting Policy Processing (p. 124); Processing the Classifier Result (p. 125); Processing the Auxiliary-Input Policy Attachment (p. 125); Policy Actions (p. 125). Chapter 7 Creating Hierarchical Policies for Interface Groups...
  • Page 13 Table of Contents (continued): Software Classifiers Overview (p. 178); Interface Attachment Resources Overview (p. 179); CAM Hardware Classifiers and Interface Attachment Resources (p. 180); Range Vector Hardware Classifiers and Interface Attachment Resources (p. 180). Chapter 9 Monitoring Policy Management: Monitoring Policy Management Overview (p. 181); Setting a Statistics Baseline for Policies (p. 182); Monitoring the Policy Configuration of ATM Subinterfaces (p. 183); Monitoring Classifier Control Lists (p. 184); Monitoring Color-Mark Profiles (p. 187)...
  • Page 14 Configuring CLI-Based Mirroring (p. 231); Configuring Triggers for CLI-Based Mirroring (p. 232); Configuring the Analyzer Device (p. 233); Configuring the E Series Router (p. 233); Example: Configuring CLI-Based Interface-Specific Mirroring (p. 234); Example: Configuring CLI-Based User-Specific Mirroring (p. 235). Chapter 12 Configuring RADIUS-Based Mirroring: RADIUS-Based Mirroring Overview (p. 239); RADIUS Attributes Used for Packet Mirroring (p. 240)...
  • Page 15 Table of Contents (continued): Monitoring Secure CLACL Configurations (p. 271); Monitoring Secure Policy Lists (p. 273); Monitoring Information for Secure Policies (p. 274); Monitoring SNMP Secure Packet Mirroring Traps (p. 275); Monitoring SNMP Secure Audit Logs (p. 277). Part 3 Index: Index (p. 281)...
  • Page 17: List Of Figures

    List of Figures. Part 1 Policy Management. Chapter 3 Creating Policy Lists: Figure 1: Constructing an IP Policy List (p. 18). Chapter 5 Creating Rate-Limit Profiles: Figure 2: Multiple Flows Sharing Preferred Bandwidth (p. 67); Figure 3: Multiple Packet Flows Sharing a Rate Limit (p. 68); Figure 4: Shared Pool of Additional Bandwidth with Select Flows (p. 69); Figure 5: Aggregate Marking with Oversubscription (p. 71); Figure 6: Congestion Management (p. 98)...
  • Page 19: List Of Tables

    List of Tables. About the Documentation (p. xxiii): Table 1: Notice Icons (p. xxiv); Table 2: Text and Syntax Conventions (p. xxiv). Part 1 Policy Management. Chapter 2 Creating Classifier Control Lists for Policies: Table 3: CLACL Criteria (p. 7). Chapter 4 Creating Classifier Groups and Policy Rules: Table 4: Policy Rule Commands and Precedence (p. 33); Table 5: Ascend-Data-Filter Fields (p. 47); Table 6: Ascend-Data-Filter Attribute for an Input Policy on an IPv4...
  • Page 20 Table 26: IPv6 Classification Fields for a 288-bit CAM Entry (p. 173); Table 27: IPv6 Classification Fields for a 576-bit CAM Entry (p. 174); Table 28: Maximum Policies with One Classifier per Policy for GE-2 LMs (p. 176); Table 29: Maximum Policies with Four Classifiers per Policy for GE-2 LMs (p. 177); Table 30: Resource Consumption (p. 179)...
  • Page 21 List of Tables (continued): Table 62: show ip mirror interface Output Fields (p. 266); Table 63: show mirror log Output Fields (p. 267); Table 64: show mirror rules Output Fields (p. 268); Table 65: show mirror subscribers Output Fields (p. 268); Table 66: show radius dynamic-request statistics Output Fields (p. 270); Table 67: show secure classifier-list Output Fields (p. 271); Table 68: show secure policy-list Output Fields (p. 274); Table 69: show mirror log Output Fields (p. 275)...
  • Page 23: About The Documentation

    If the information in the latest release notes differs from the information in the documentation, follow the JUNOSe Release Notes. To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/...
  • Page 24: Table 1: Notice Icons

    Table 1: Notice Icons. Informational note: indicates important features or instructions. Caution: indicates a situation that might result in loss of data or hardware damage. Warning: alerts you to the risk of personal injury or death. Laser warning: alerts you to the risk of personal injury from a laser.
  • Page 25: About The Documentation

    CD-ROMs or DVD-ROMs, see the Offline Documentation page at http://www.juniper.net/techpubs/resources/cdrom.html Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site at http://www.juniper.net/...
  • Page 26: Self-Help Online Tools And Resources

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 27: Policy Management

    Part 1 Policy Management Managing Policies on the E Series Router on page 3 Creating Classifier Control Lists for Policies on page 7 Creating Policy Lists on page 17 Creating Classifier Groups and Policy Rules on page 31 Creating Rate-Limit Profiles on page 61 Merging Policies on page 101 Creating Hierarchical Policies for Interface Groups on page 129 Policy Resources on page 159...
  • Page 29: Managing Policies On The E Series Router

    You can construct policies to provide rate limiting for individual packet flows or for the aggregate of multiple packet flows. Juniper Networks E Series Broadband Services Router rate limits are calculated based on the layer 2 packet size. To configure rate limiting, you...
  • Page 30 JUNOSe 11.1.x Policy Management Configuration Guide associated actions. You next create a policy list with a rule that has rate limit as the action and associate a rate-limit profile with this rule. You can configure rate-limit profiles to provide a variety of services, including tiered bandwidth service where traffic conforming to configured bandwidth levels is treated differently than traffic that exceeds the configured values, and a hard-limit service where a fixed bandwidth limit is applied to a traffic flow.
  • Page 31 Chapter 1: Managing Policies on the E Series Router Description of a Policy A policy is a condition and an action that is attached to an interface. The condition and action cause the router to handle the packets passing through the interface in a certain way.
  • Page 32: Policy References

    JUNOSe 11.1.x Policy Management Configuration Guide See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the Juniper Networks ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.
  • Page 33: Creating Classifier Control Lists For Policies

    Chapter 2 Creating Classifier Control Lists for Policies This chapter provides information for configuring policy-based routing management on E Series routers. See the E120 and E320 Module Guide for modules supported on the E120 and E320 Broadband Services Routers. The chapter discusses the following topics: Classifier Control Lists Overview on page 7 Creating or Modifying Classifier Control Lists for ATM Policy Lists on page 10...
  • Page 34 Table 3: CLACL Criteria (continued). Frame Relay: color; mark discard eligibility (DE) bit; traffic class; user packet class. (CLACL type name missing from this excerpt): color; traffic class; type-of-service (ToS) byte; user packet class. (CLACL type name missing from this excerpt): color; destination IP address; destination port; destination route class; Internet Control Message Protocol (ICMP)...
  • Page 35: Chapter 2 Creating Classifier Control Lists For Policies

    Chapter 2: Creating Classifier Control Lists for Policies. Table 3: CLACL Criteria (continued). IPv6: color; destination IPv6 address; destination port; destination route class; Internet Control Message Protocol version 6 (ICMPv6); IPv6 traffic class; locally destined traffic; Multicast Listener Discovery (MLD); next header; source IPv6 address...
  • Page 36: Lists

    Related Topics: For information about the hardware and software CLACLs that are supported for each interface type, see Policy Resources Overview on page 159. For information about monitoring classifier lists, see Monitoring Policy Management Overview on page 181. Creating or Modifying Classifier Control Lists for ATM Policy Lists: You can create or modify a classifier control list that can be used only in ATM policy lists.
  • Page 37: Creating Classifier Control List For Only Ip Policy Lists

    Chapter 2: Creating Classifier Control Lists for Policies. Related Topics: gre-tunnel classifier-list. Creating or Modifying Classifier Control Lists for IP Policy Lists. Tasks to create or modify classifier control lists for IP policy lists: Creating Classifier Control List for Only IP Policy Lists on page 11; Setting Up an IP Classifier Control List to Accept Traffic from All Sources on page 11; Classifying IP Traffic Based on Source and Destination Addresses on page 11...
  • Page 38 Issue the ip classifier-list command to classify traffic by source and destination address. Each address can be any address, a single host, or a network given as an address plus a wildcard mask (set wildcard bits are ignored in the comparison):
    host1(config)#ip classifier-list YourListName ip any any
    host1(config)#ip classifier-list YourListName ip host 10.10.10.10 any
    host1(config)#ip classifier-list YourListName ip 10.10.0.0 0.0.255.255 host 10.10.10.2
    Using IP Classifier Control Lists to Match Route Class Values: You can set up classifier control lists to match route-class values.
  • Page 39 Chapter 2: Creating Classifier Control Lists for Policies. Creating an IP Classifier Control List That Matches the ToS Byte: You can create an IP CLACL that matches the ToS byte in the IP header. Issue the ip classifier-list command using the tos keyword to match the whole byte, the dsfield keyword to match the 6-bit DiffServ field, or the precedence keyword to match the 3-bit IP precedence:
    host1(config)#ip classifier-list tos128 ip any any tos 128
    host1(config)#ip classifier-list low-drop-prec ip any any dsfield 10
    host1(config)#ip classifier-list priority ip any any precedence 1...
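    The following is an added example, not code from the Juniper guide: a small Python model of how the IPv4 classifier-list entries above are evaluated against a packet, covering the three address forms (any, host, address plus wildcard mask) and the tos, dsfield and precedence qualifiers. The match semantics assumed here are the standard ones (a set wildcard bit means "don't care"; dsfield is the top 6 bits of the ToS byte; precedence is the top 3 bits), and the Packet structure is an assumption of this example, not a JUNOSe data type. The last sample list shows why the wildcard convention matters: typing a subnet mask where the wildcard belongs silently turns a /16 match into "any host whose last two octets are zero".

```python
"""Model of JUNOSe-style IPv4 classifier-control-list (CLACL) matching (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal packet view used for classification (assumed structure, not a JUNOSe type)."""
    src: str
    dst: str
    protocol: str = "tcp"   # IP protocol name: "tcp", "udp", "icmp", ...
    tos: int = 0            # full 8-bit ToS byte: 6-bit DS field followed by 2 ECN bits


@dataclass(frozen=True)
class Ipv4Clacl:
    """One `ip classifier-list NAME <protocol> <src> <dst> [tos|dsfield|precedence N]` entry."""
    name: str
    protocol: str = "ip"              # "ip" matches every IP protocol
    src: str = "any"                  # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W" (address + wildcard)
    dst: str = "any"
    tos: Optional[int] = None         # match the whole ToS byte (`tos 128`)
    dsfield: Optional[int] = None     # match the 6-bit DS field (`dsfield 10`)
    precedence: Optional[int] = None  # match the 3-bit IP precedence (`precedence 1`)


def _addr_matches(spec: str, addr: str) -> bool:
    """Evaluate an address spec against an IPv4 address using wildcard-mask semantics."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    base = int(ipaddress.IPv4Address(parts[0]))
    wildcard = int(ipaddress.IPv4Address(parts[1]))
    care = ~wildcard & 0xFFFFFFFF      # zero bits in the wildcard are the bits that must match
    return (a & care) == (base & care)


def matches(clacl: Ipv4Clacl, pkt: Packet) -> bool:
    """True when the packet satisfies every criterion of the CLACL entry."""
    if clacl.protocol != "ip" and clacl.protocol != pkt.protocol:
        return False
    if not (_addr_matches(clacl.src, pkt.src) and _addr_matches(clacl.dst, pkt.dst)):
        return False
    if clacl.tos is not None and pkt.tos != clacl.tos:
        return False
    if clacl.dsfield is not None and (pkt.tos >> 2) != clacl.dsfield:      # ECN bits ignored
        return False
    if clacl.precedence is not None and (pkt.tos >> 5) != clacl.precedence:
        return False
    return True


def first_match(clacls: Iterable[Ipv4Clacl], pkt: Packet) -> Optional[str]:
    """Name of the first entry (in the order given) that classifies the packet, else None."""
    for clacl in clacls:
        if matches(clacl, pkt):
            return clacl.name
    return None


if __name__ == "__main__":
    # Constructed sample: the lists from the guide plus one with the wildcard typed as a subnet mask.
    lists = [
        Ipv4Clacl("tos128", tos=128),
        Ipv4Clacl("low-drop-prec", dsfield=10),
        Ipv4Clacl("priority", precedence=1),
        Ipv4Clacl("corpNet", src="10.10.0.0 0.0.255.255", dst="host 10.10.10.2"),
        Ipv4Clacl("typo", src="10.10.0.0 255.255.0.0"),   # matches x.y.0.0 for any x.y, not 10.10/16
    ]
    for pkt in (Packet("10.10.200.1", "10.10.10.2"), Packet("192.168.0.0", "198.51.100.9", tos=0x28)):
        print(pkt, "->", first_match(lists, pkt))
```

    The model is deliberately strict about ordering: first_match returns the first entry that matches, so when you use it to sanity-check a policy list, feed the entries in the order the router will evaluate them.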
  • Page 40: Creating Or Modifying Classifier Control Lists For Ipv6 Policy Lists

    Creating or Modifying Classifier Control Lists for IPv6 Policy Lists: You can create or modify a classifier control list that can be used only in IPv6 policy lists. Issue the ipv6 classifier-list command:
    host1(config)#ipv6 classifier-list ipv6classifier color red user-packet-class 5 tcfield 10
    host1(config)#ipv6 classifier-list YourListName udp destination-port eq 75
    host1(config)#ipv6 classifier-list telnetConnects tcp destination-port eq 23...
  • Page 41: Creating Or Modifying Classifier Control Lists For Vlan Policy Lists

    Chapter 2: Creating Classifier Control Lists for Policies. Related Topics: mpls classifier-list. Creating or Modifying Classifier Control Lists for VLAN Policy Lists: You can create or modify a classifier control list that can be used only in VLAN policy lists. Issue the vlan classifier-list command:
    host1(config)#vlan classifier-list lowLatencyLowDrop user-priority 7
    host1(config)#vlan classifier-list lowLatencyLowDrop user-priority 6...
  • Page 43: Creating Policy Lists

    Chapter 3 Creating Policy Lists This chapter provides information for configuring policy lists on E Series Broadband Services Routers. See the E120 and E320 Module Guide for modules supported on the E120 and E320 Broadband Services Routers. The chapter discusses the following topics: Policy Lists Overview on page 17 Creating Policy Lists for ATM on page 19...
  • Page 44: Figure 1: Constructing An Ip Policy List

    JUNOSe 11.1.x Policy Management Configuration Guide Figure 1: Constructing an IP Policy List You can create a policy list with an unlimited number of classifier groups, each containing an unlimited number of rules. These rules can reference up to 512 classifier entries.
  • Page 45 Chapter 3: Creating Policy Lists Creating Policy Lists for ATM In the following example, you create two policies: one for CBR traffic and one for UBR traffic. One policy is attached to an interface that contains CBR traffic and the other to an interface that contains UBR traffic.
  • Page 46 (show output, continued)
    Auto configure status : static
    Auto configure interface(s) : none
    Detected 1483 encapsulation : none
    Detected dynamic interface : none
    Interface types in lockout : none
    Assigned profile (IP) : none assigned
    Assigned profile (BridgedEnet): none assigned
    Assigned profile (PPP) : none assigned
    Assigned profile (PPPoE)
  • Page 47 Chapter 3: Creating Policy Lists (show output, continued)
    color green
    1 interface(s) found
    Related Topics: atm policy-list. Creating Policy Lists for Frame Relay: The following example creates a Frame Relay policy that on egress marks the DE bit to 1, and on ingress colors frames with a DE bit of 1 as red. Create the policy list used to mark egress traffic, then create the classifier group for packets conforming to CLACL frMatchDeSet.
  • Page 48 (show output, continued)
    classifier-group frGroupA entry 1
    5 packets, 640 bytes
    mark-de 1
    Frame relay sub-interface SERIAL5/1:1/1.1, status is up
    Number of sub-interface down transitions is 0
    Time since last status change 03:05:09
    No baseline has been set
    In bytes: 660 Out bytes: 660
    In frames: 5...
  • Page 49 Chapter 3: Creating Policy Lists. Related Topics: frame-relay policy-list. Creating Policy Lists for GRE Tunnels: The following example creates a GRE tunnel policy list named routeGre50. For information about creating the CLACL used in this example, see the previous sections. Create the policy list routeGre50.
  • Page 50 Related Topics: gre-tunnel policy-list. Creating Policy Lists for IP: The following example creates an IP policy list named routeForABCCorp. For information about creating the CLACLs and rate-limit profile used in this example, see the previous sections. Create the policy list routeForABCCorp.
  • Page 51 Chapter 3: Creating Policy Lists
    host1#show policy-list routeForABCCorp
    Policy Table
    ------ -----
    IP Policy routeForABCCorp
    Administrative state: enable
    Reference count:
    Classifier control list: ipCLACL10, precedence 75
      forward
        Virtual-router: default
        List: next-hop 192.0.2.12, order 10, rule 2 (active)
              next-hop 192.0.100.109, order 20, rule 3 (reachable)
              next-hop 192.120.17.5, order 30, rule 4 (reachable)
              interface ip3/1, order 40, rule 5
      mark tos 125...
  • Page 52
    host1#show policy-list routeForIPv6
    Policy Table
    ------ -----
    IPv6 Policy routeForIPv6
    Administrative state: enable
    Reference count:
    Classifier control list: ipv6tc67, precedence 75
      color red
      mark tc-precedence 7
    You use the exception http-redirect command to create an exception rule within a policy classifier group. Packets that match the group are handed to the client application on the router instead of being forwarded by the forwarding controller (FC).
  • Page 53 Chapter 3: Creating Policy Lists. Related Topics: ipv6 policy-list; exception http-redirect. Creating Policy Lists for L2TP: The following example creates an L2TP policy list. Create the policy list routeForl2tp.
    host1(config)#l2tp policy-list routeForl2tp
    host1(config-policy-list)#
    Create the classification group to match all packets.
    host1(config-policy-list)#classifier-group *
    host1(config-policy-list-classifier-group)#
    Add a rule to color packets as red, and a second rule that uses the rate-limit...
  • Page 54
    host1(config)#mpls policy-list routeForMpls
    host1(config-policy-list)#
    Create the classification group.
    host1(config-policy-list)#classifier-group * precedence 200
    host1(config-policy-list-classifier-group)#
    Add one rule that sets the EXP bits for all packets to 2, and a second rule that uses the rate-limit profile mplsRLP5.
    host1(config-policy-list-classifier-group)#mark-exp 2
    host1(config-policy-list-classifier-group)#rate-limit-profile mplsRLP5
    Exit Policy List Configuration mode to save the configuration.
  • Page 55 Chapter 3: Creating Policy Lists
    host1(config-policy-list-classifier-group)#traffic-class lowLatencyLowDrop
    Add a rule that sets the drop precedence for all packets that fall into the lowLatencyLowDrop classification to green.
    host1(config-policy-list-classifier-group)#color green
    Add a rule that sets the user-priority bits for all packets that fall into the lowLatencyLowDrop classification to 7.
  • Page 57: Creating Classifier Groups And Policy Rules

    Chapter 4 Creating Classifier Groups and Policy Rules This chapter provides information for configuring policy-based routing management on E Series routers. See the E120 and E320 Module Guide for modules supported on the E120 and E320 routers. The chapter discusses the following topics: Classifier Groups and Policy Rules Overview on page 31 Policy Rule Precedence on page 32 Using Policy Rules to Provide Routing Solutions on page 35...
  • Page 58: Policy Rule Precedence

    JUNOSe 11.1.x Policy Management Configuration Guide NOTE: For IP policies, the forward command supports the order keyword, which enables you to order multiple forward rules within a single classifier group. (See “Using Policy Rules to Provide Routing Solutions” on page 35.) From Policy Configuration mode, you can assign a precedence value to a CLACL by using the precedence keyword when you create a classifier group.
  • Page 59: Chapter 4 Creating Classifier Groups And Policy Rules

    Chapter 4: Creating Classifier Groups and Policy Rules. NOTE: The ES2 10G Uplink LM and the ES2 10G LM support only IP, MPLS, and VLAN interfaces. Table 4: Policy Rule Commands and Precedence (one column per policy type; the columns visible in this excerpt are Frame Relay, IPv6, L2TP, MPLS, and VLAN; the first row lists forward for each type that supports it)...
  • Page 60 Table 4: Policy Rule Commands and Precedence (continued; columns Frame Relay, IPv6, L2TP, MPLS, VLAN). Row: log, present in one column and marked – (not available) in the others; log is not supported on the ES2 10G Uplink LM or ES2 10G LM. NOTE: The commands listed in this section replace the Policy List Configuration mode versions of the commands.
  • Page 61: Using Policy Rules To Provide Routing Solutions

    Chapter 4: Creating Classifier Groups and Policy Rules Using Policy Rules to Provide Routing Solutions The next-interface, next-hop, filter, and forward rules provide routing solutions for traffic matching a classifier. A classifier can have only one action that provides a routing solution.
  • Page 62: Creating An Exception Rule Within A Policy Classifier Group

    Filter: causes the interface to drop all packets of the packet flow that satisfy the classification associated with the rule. To stop a denial-of-service attack, you can use a policy with a filter rule. Construct the classifier list associated with the filter rule so that it isolates the attacker's traffic into its own flow: everything the classifier matches is dropped, so a classifier that is too broad drops legitimate traffic along with the attack. Because filter is one of the routing-solution actions, it cannot be combined with a forward, next-hop, or next-interface rule in the same classifier group.
  • Page 63: Defining Policy Rules For Forwarding

    Chapter 4: Creating Classifier Groups and Policy Rules NOTE: The exception http-redirect command is not supported for the ES2 10G Uplink LM. An exception rule in the input policy only takes effect if neither the input policy nor the secondary policy drops the packet. Packets dropped by input or secondary policies are not exceptioned to the SRP module.
  • Page 64: Assigning Values To The Atm Clp Bit

    JUNOSe 11.1.x Policy Management Configuration Guide You can use the forward interface command to specify multiple interfaces and the forward next-hop command to specify next-hop addresses as possible forwarding solutions. If you define multiple forwarding solutions for a single CLACL, use the order keyword to specify the order in which the router chooses the solutions.
  • Page 65: Enabling Atm Cell Mode

    Chapter 4: Creating Classifier Groups and Policy Rules this case, if the CLP bit in any cell in the frame has a value of 1, the router treats the reassembled AAL5 frame as if it also had a CLP value of 1. Modules on E120 and E320 routers support marking of the ATM CLP bit on frame-based interfaces.
  • Page 66: Packet Tagging Overview

    JUNOSe 11.1.x Policy Management Configuration Guide Packet Tagging Overview You can use the traffic-class rule in policies to tag a packet flow so that the QoS application can provide traffic-class queuing. Policies can perform both in-band and out-of-band packet tagging: Policies perform in-band tagging by using their respective mark rule to modify a packet header field.
  • Page 67 Chapter 4: Creating Classifier Groups and Policy Rules first reachable solution. To be considered a reachable solution, a solution must be a reachable interface or a next-hop address that has a route in the routing table. If no solutions are reachable, the traffic is dropped. The following guidelines apply when you create a group of forwarding solutions in an IP policy list: You can specify a maximum of 20 forwarding solutions for a classifier.
  • Page 68: Creating A Classifier Group For A Policy List

    host1(config-policy-list)#classifier-group westfordClacl precedence 200
    host1(config-policy-list-classifier-group)#forward interface atm 0/0.1 order 10
    host1(config-policy-list-classifier-group)#forward interface atm 12/0.1 order 50
    host1(config-policy-list-classifier-group)#forward interface atm 3/0.25 order 300
    NOTE: You can use the suspend version of the command to suspend an individual entry in a group of forwarding solutions.
  • Page 69: Applying Policy Lists To Interfaces And Profiles Overview

    Chapter 4: Creating Classifier Groups and Policy Rules NOTE: Empty classifier groups have no effect on the router’s classification of packets and are ignored by the router. You might inadvertently create empty classifier groups in a policy if you use both the newer CLI style and the older CLI style, which used the Policy List Configuration mode version of the classifier list commands.
  • Page 70 NOTE: The mpls policy command is used to attach policies to MPLS Layer 2 circuits only. The SRP module Fast Ethernet port does not support policy attachments, nor can the module be the destination for the forward next-hop, forward next-interface, next-hop, and next-interface commands. Use the input or output keyword to assign the policy list to the ingress or egress of the interface.
  • Page 71 Chapter 4: Creating Classifier Groups and Policy Rules (continued) ... statistics for the classifier group referencing clOne and the default classifier group are saved. Original policy attachment: ip policy-list plOne, ip classifier-list clOne, forward. New policy attachment: ip policy-list plTwo, ip classifier-list clOne, forward. Comment: statistics from plOne are saved...
  • Page 72: Using Radius To Create And Apply Policies Overview

    Related Topics: mpls policy; vlan policy. Using RADIUS to Create and Apply Policies Overview: E Series routers enable you to use RADIUS to create and apply policies on IPv4 and IPv6 interfaces. This feature supports the Ascend-Data-Filter attribute [242] through a RADIUS vendor-specific attribute (VSA) that specifies a hexadecimal field.
  • Page 73: Table 5: Ascend-Data-Filter Fields

    Chapter 4: Creating Classifier Groups and Policy Rules. Table 5 on page 47 lists the fields in the order in which they are specified in the hexadecimal Ascend-Data-Filter attribute. Table 5: Ascend-Data-Filter Fields (columns: Action or Classifier, Format, Comments). Type: 1 byte; 1 = IPv4, 3 = IPv6. Filter or forward...
  • Page 74 Table 5: Ascend-Data-Filter Fields (continued). Destination port qualifier: 1 byte; 0 = no compare, 1 = less than, 2 = equal to, 3 = greater than, 4 = not equal to. Reserved: 2 bytes. Marking value: 1 byte; Type of Service (ToS) for IPv4...
  • Page 75: Construction Of Ipv6 Classifiers From The Hexadecimal Ascend-Data-Filter Attribute

    Chapter 4: Creating Classifier Groups and Policy Rules. Construction of IPv6 Classifiers from the Hexadecimal Ascend-Data-Filter Attribute: If both the source and destination IP prefixes are 128, the IPv6 classifier is created using the IPv6 host argument as follows:
    ipv6 classifier-list testipv6 source-host 2001:db8:85a3::8a2e:370:7334 destination-host 2001:db8::1428:57ab
    If either the source or destination IP prefix is nonzero but less than 128 bits (for example, 64 bits), the IPv6 classifier is created using the IPv6 address argument as...
  • Page 76: Examples: Using The Ascend-Data-Filter Attribute For Ipv4 Subscribers

    JUNOSe 11.1.x Policy Management Configuration Guide If the Type 1 action is used and the Indirection action field is set to 00 in the Ascend-Data-Filter attribute, one primary output policy is created and applied on the egress IPv4 interface. If the Type 3 action is used and the Indirection action field is set to 00 in the Ascend-Data-Filter attribute, one primary output policy is created and applied on the egress IPv6 interface.
  • Page 77: Table 6: Ascend-Data-Filter Attribute For An Input Policy On An Ipv4 Interface

    Chapter 4: Creating Classifier Groups and Policy Rules Examples: Using the Ascend-Data-Filter Attribute for IPv6 Subscribers on page 56 Examples: Using the Ascend-Data-Filter Attribute for IPv4 Subscribers This section provides examples showing the configuration of policies that use the Ascend-Data-Filter attribute for IPv4 subscribers. In this example, the following Ascend-Data-Filter attribute creates a RADIUS record that configures an input policy.
  • Page 78 Use the show classifier-list and show policy-list commands to view information about the policy:
    host1#show classifier-list
    Classifier Control List Table
    ---------- ------- ---- -----
    IP clin_1800020_00.1 ip 10.2.1.0 0.0.0.255 any
    host1#show policy-list
    Policy Table
    ------ -----
    IP Policy plin_ip_1800020
    Administrative state: enable...
  • Page 79 Chapter 4: Creating Classifier Groups and Policy Rules Referenced by profile(s): No profile references IP Policy plout_ip_1800021 Administrative state: enable Reference count: Classifier control list: clout_1800021_01, precedence 100 filter Referenced by interface(s): ATM4/0.0 output policy, statistics enabled, virtual-router default Referenced by profile(s): No profile references This example creates an input policy and an output policy, each with multiple rules.
  • Page 80 JUNOSe 11.1.x Policy Management Configuration Guide Ascend-Data-Filter = "01000000 00000000 0A020101 00200600 00000000 00000000" Ascend-Data-Filter = "01010000 00000000 0A020101 00200000 00000000 00000000" Ascend-Data-Filter = "01000000 00000000 00000000 00000000 00000000 00000000" Using the show classifier-list and show policy-list commands produces the following information about the new policies: host1#show classifier-list Classifier Control List Table...
  • Page 81: Table 7: Ascend-Data-Filter Attribute Values For A Radius Record

    Chapter 4: Creating Classifier Groups and Policy Rules In this example, the following Ascend-Data-Filter attribute creates a RADIUS record that configures an input policy on an IPv4 interface. The policy filters TCP packets from host address 10.2.1.2 to any destination. The policy marks the packets with a ToS byte of 5 and a mask of 170.
  • Page 82: Table 8: Ascend-Data-Filter Attribute For An Output Policy On An Ipv6 Interface

    JUNOSe 11.1.x Policy Management Configuration Guide Classifier Control List Table ---------- ------- ---- ----- IP clin_1800023_00.1 tcp host 10.2.1.2 host1#show policy-list Policy Table ------ ----- IP Policy plin_ip_1800023 Administrative state: enable Reference count: Classifier control list: clin_1800023_00, precedence 100 mark 5 mask 170 traffic-class someTcl rate-limit-profile someRlp Referenced by interface(s):...
  • Page 83: Table 9: Ascend-Data-Filter Attribute For An Input Policy On An Ipv6 Interface

    Chapter 4: Creating Classifier Groups and Policy Rules Table 8: Ascend-Data-Filter Attribute for an Output Policy on an IPv6 Interface (continued) Action or Classifier Hex Value Actual Value Indirection Egress Spare None Source IPv6 address 300182ab 102087ec 00000000 3001:82ab:1020:87ec: 00000000 0000:0000:0000:0000 Destination IPv6 address 200182ab 102087ec 12340917...
  • Page 84 JUNOSe 11.1.x Policy Management Configuration Guide Table 9: Ascend-Data-Filter Attribute for an Input Policy on an IPv6 Interface (continued) Action or Classifier Hex Value Actual Value Destination IPv6 prefix Protocol Established None Source port 2328 9000 Destination port 0000 None Source port qualifier Greater than Destination port qualifier...
  • Page 85 Chapter 4: Creating Classifier Groups and Policy Rules filter Referenced by interface(s): GigabitEthernet10/0.2 input policy, statistics enabled, virtual-router default Referenced by profile(s): None Referenced by merged policies: None Examples: Using the Ascend-Data-Filter Attribute for IPv4 Subscribers on page 51 Related Topics Using RADIUS to Create and Apply Policies Overview on page 46 Examples: Using the Ascend-Data-Filter Attribute for IPv6 Subscribers...
  • Page 86: Examples: Using The Ascend-Data-Filter Attribute For Ipv6 Subscribers

    JUNOSe 11.1.x Policy Management Configuration Guide Examples: Using the Ascend-Data-Filter Attribute for IPv6 Subscribers...
  • Page 87: Creating Rate-Limit Profiles

    Chapter 5 Creating Rate-Limit Profiles This chapter provides information for configuring rate-limit policy management on E Series routers. For information on monitoring rate-limit profiles, see “Monitoring Rate-Limit Profiles” on page 211 This chapter discusses the following topics: Rate Limits for Interfaces Overview on page 62 Hierarchical Rate Limits Overview on page 63 Percent-Based Rates for Rate-Limit Profiles Overview on page 73 Policy Parameter Quick Configuration on page 77...
• Page 88 JUNOSe 11.1.x Policy Management Configuration Guide Rate Limits for Interfaces Overview To configure rate limiting for interfaces, you first create a rate-limit profile, which is a set of bandwidth attributes and associated actions. Your router supports two types of rate-limit profiles, one-rate and two-rate, for IP, IPv6, L2TP, and MPLS Layer 2 transport traffic.
  • Page 89: Hierarchical Rate Limits Overview

    Chapter 5: Creating Rate-Limit Profiles Traffic passing through the rate limiter drains tokens. The drain rate depends on how large the packets are and how much time elapses between packets. At any given instant, the level of tokens in each bucket is a function of the fill rate, the size of the packets, and the time elapsed between packets.
  • Page 90: Hierarchical Classifier Groups

    JUNOSe 11.1.x Policy Management Configuration Guide Hierarchical Classifier Groups Rate-limit hierarchies can be intra-interface, where different flows from classifier groups are in one policy attachment on an interface. Each time the policy is attached to another interface the rate-limit hierarchy is replicated, with no rate limits shared between attachments.
  • Page 91: Hierarchical Rate-Limit Actions

    Chapter 5: Creating Rate-Limit Profiles Preferred packets are transmitted unconditionally. Rate limits that process packets transmitted unconditionally always decrement their token count, making it negative if necessary. Red packets cannot be transmitted unconditionally, to avoid cases where an aggregate rate limit is oversubscribed with transmit-unconditional rates. Color-aware uses the incoming packet color in its algorithm. Not promoting packets means that if the packet enters the rate limit as yellow and the rate limit then determines that it is green, the packet remains yellow.
  • Page 92 JUNOSe 11.1.x Policy Management Configuration Guide its actions to the packet. The transmit conditional option is the same as connecting the two rate limits in series. Transmit unconditional Sets the packet color to the result calculated by the rate limit, retains ownership of the packet, and forwards the packet to the next rate limit.
  • Page 93: Example: Multiple Flows Sharing Preferred Bandwidth Rate-Limiting Hierarchical Policy

    Chapter 5: Creating Rate-Limit Profiles NOTE: To avoid saturation when using dual token buckets, the total amount of yellow transmit unconditional traffic should be less than the peak rate minus the committed rate; the green transmit unconditional traffic should be less than the committed rate. Example: Multiple Flows Sharing Preferred Bandwidth Rate-Limiting Hierarchical Policy Figure 2 on page 67 shows an interface with an attached policy that has a Video classifier that singles out a substream of the packets flowing on that interface.
  • Page 94: Example: Multiple Flows Sharing A Rate Limit Hierarchical Policy

    JUNOSe 11.1.x Policy Management Configuration Guide In this example, the rate limit Common is color-aware, using the color of the incoming packets instead of setting them to Green. This causes the rate limit Preferred to send 6 Mbps of yellow, transmit unconditional packets. The rate limit Common counts the packets against the yellow token bucket, which has a rate of 10 Mbps.
  • Page 95: Example: Shared Pool Of Additional Bandwidth With Select Flows Rate-Limiting Hierarchical Policy

    Chapter 5: Creating Rate-Limit Profiles host1(config-policy-list-classifier-group)# forward host1(config-policy-list-classifier-group)# exit host1(config-policy-list)# classifier-group C parent-group All host1(config-policy-list-classifier-group)# forward host1(config-policy-list-classifier-group)# exit host1(config-policy-list)# parent-group All host1(config-policy-list-parent-group)# rate-limit-profile All host1(config-policy-list-parent-group)# exit Example: Shared Pool of Additional Bandwidth with Select Flows Rate-Limiting Hierarchical Policy Figure 4 on page 69 shows three classified flows, A, B, and C, each of which has an individual rate limit with a peak rate of 1 Mbps.
  • Page 96: Example: Aggregate Marking With Oversubscription Rate-Limiting Hierarchical Policy

    JUNOSe 11.1.x Policy Management Configuration Guide This example uses transmit final so that those packets do not pass through the common rate limit. Transmit final also indicates that there is no shared maximum. If the packets are committed or conformed, they do not need to borrow extra bandwidth or subtract tokens from it.
  • Page 97: Figure 5: Aggregate Marking With Oversubscription

    Chapter 5: Creating Rate-Limit Profiles Committed packets are transmitted conditionally to rate limit S, which has a peak rate of 6 Mbps and a committed rate of 2 Mbps; these packets can be demoted by S to Y (yellow), in which case they are remarked TOS2 or TOS3. If S leaves them as G (green), they are marked as TOS1.
  • Page 98: Color-Aware Configuration For Rate-Limiting Hierarchical Policy

    JUNOSe 11.1.x Policy Management Configuration Guide host1(config-color-mark-profile)# yellow-mark TOS3 host1(config-color-mark-profile)# red-mark TOS3 host1(config--color-mark-profile)# exit host1(config)# policy-list TOS1_oversubsribed host1(config-policy-list)# classifier-group A parent-group S host1(config-policy-list-classifier-group)# rate-limit-profile indiv host1(config-policy-list-classifier-group)# mark profile A host1(config--classifier-group)# exit host1(config-policy-list)# classifier-group B parent-group S host1(config-policy-list-classifier-group)# rate-limit-profile indiv host1(config-policy-list-classifier-group)# mark profile BC host1(config--classifier-group)# exit host1(config-policy-list)# classifier-group C parent-group S host1(config-policy-list-classifier-group)# rate-limit-profile indiv...
  • Page 99: Percent-Based Rates For Rate-Limit Profiles Overview

    Chapter 5: Creating Rate-Limit Profiles Transmit-unconditional packets entering a color-aware rate limit use the color on the packet for the rate-limit algorithm. This ensures that the color-aware rate limit depletes tokens from the token buckets to account for these packets. Every packet sent through a rate-limit hierarchy is either dropped inside the hierarchy or emerges with a green, yellow, or red color assigned to it by the rate-limit hierarchy.
  • Page 100: Policy Parameter Reference-Rate

    JUNOSe 11.1.x Policy Management Configuration Guide values. You do not have to specify values each time you attach a policy; if you do not specify interface-specific, the system uses the global value. Policy Parameter Reference-Rate You can use a policy parameter reference-rate to derive the rates in rate-limit profiles. You can configure rate-limit profiles as a percentage of this parameter.
  • Page 101: Specifying Burst Sizes

    Chapter 5: Creating Rate-Limit Profiles The committed rate can be in the range 0–100 percent of the parameter value. The peak rate can be in the range 0–1000 percent of the parameter value. The appropriate rate within the rate-limit profile is derived from the parameter value by applying the configured percentage.
• Page 102 JUNOSe 11.1.x Policy Management Configuration Guide Policy parameter names must be unique regardless of their type. If you configure a policy parameter with a reference-rate type, you cannot configure it with another type until it is deleted. You can create policy parameters in Global Configuration mode and in Interface Configuration mode in any order.
  • Page 103: Policy Parameter Quick Configuration

    Chapter 5: Creating Rate-Limit Profiles If you modify a policy parameter value in Global Configuration mode, it affects all policies attached to all interfaces that use the global values. For example, if parameter param1 is used in policies attached to two interfaces, but param1 is only configured for interface i1, when you modify the default value for param1 in Global Configuration mode, it affects only the attachment on the second interface i2.
  • Page 104 JUNOSe 11.1.x Policy Management Configuration Guide host1(config-rate-limit-profile)#peak-rate refRlpRate percentage 100 host1(config-rate-limit-profile)#peak-burst millisecond 150 host1(config-rate-limit-profile)#exit Create rate-limit profile rlpVoice. host1(config)#ip rate-limit-profile rlpVoice host1(config-rate-limit-profile)#committed-rate 64000 host1(config-rate-limit-profile)#committed-burst 100000 host1(config-rate-limit-profile)#peak-rate refRlpRate percentage 100 host1(config-rate-limit-profile)#peak-burst millisecond 150 host1(config-rate-limit-profile)#exit Create rate-limit profile rlpVideo. host1(config)#ip rate-limit-profile rlpVideo host1(config-rate-limit-profile)#committed-rate refRlpRate percentage 70 host1(config-rate-limit-profile)#committed-burst millisecond 100 host1(config-rate-limit-profile)#peak-rate refRlpRate percentage 100...
  • Page 105 Chapter 5: Creating Rate-Limit Profiles rate-limit-profile rlpData Classifier control list: voice, precedence 100 rate-limit-profile rlpVoice Classifier control list: video, precedence 100 rate-limit-profile rlpVideo Referenced by interfaces: ATM5/0.1 input policy, statistics disabled, virtual-router default ATM5/0.2 input policy, statistics enabled, virtual-router default Referenced by profiles: None Referenced by merge policies:...
  • Page 106 JUNOSe 11.1.x Policy Management Configuration Guide host1#show policy-parameter brief Reference-rate refRlpRate: 100000, 6 references Display policy parameters host1#show policy-parameter Policy Parameter refRlpRate Type: reference-rate Rate: 100000 Reference count: 6 Referenced by interfaces: 1 references IP interface ATM5/0.1: 1000000 Referenced by rate-limit profiles: 5 references rlpData rlpVoice rlpVideo...
  • Page 107 Chapter 5: Creating Rate-Limit Profiles Network Protocols: IP Internet address is 2.2.2.2/255.255.255.255 Broadcast address is 255.255.255.255 Operational MTU = 0 Administrative MTU = 0 Operational speed = 100000000 Administrative speed = 0 Discontinuity Time = 0 Router advertisement = disabled Proxy Arp = disabled Network Address Translation is disabled TCP MSS Adjustment = disabled...
  • Page 108: One-Rate Rate-Limit Profiles Overview

    JUNOSe 11.1.x Policy Management Configuration Guide Create policy list P2. host1(config)#ip policy-list P2 host1(config-policy)#classifier-group data2 host1(config-policy-classifier-group)#rate-limit-profile rlpData host1(config-policy-classifier-group)#exit host1(config-policy)#exit Attach IP Policy P2 at interface atm5/0.2 with the merge keyword. host1(config)#interface atm 5/0.2 host1(config-If)#ip policy-parameter reference-rate refRlpRate 100000 This increases from 0. host1(config)#ip policy-parameter reference-rate refRlpRate increase 100000 This increases from the existing 100000.
  • Page 109: Creating A One-Rate Rate-Limit Profile

    Chapter 5: Creating Rate-Limit Profiles Color aware Color-aware rate action (only for hierarchical rate limits) Committed rate Target rate for a packet flow Committed burst Amount of bandwidth allocated to accommodate bursty traffic in excess of the rate Excess burst Amount of bandwidth allocated to accommodate a packet in progress when the rate is in excess of the burst Committed action Drop, transmit, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow does not exceed the rate;...
  • Page 110: Configuring A Tcp-Friendly One-Rate Rate-Limit Profile

    JUNOSe 11.1.x Policy Management Configuration Guide To configure a single-rate hard limit, set the committed rate and burst rate to the desired values, the committed action to transmit, the conformed action to drop, and the exceeded action to drop. The peak rate must be set to zero. NOTE: You can also achieve the characteristics of the single-rate hard limit by configuring a one-rate rate-limit profile with the extended burst rate set to zero.
  • Page 111: Table 10: Tcp-Friendly One-Rate Rate-Limit Profile Algorithms

    Chapter 5: Creating Rate-Limit Profiles Multiplying the committed rate by 1.0 seconds converts the rate to bits, then multiplying the number of bits by 1/8 converts the value to bytes. Excess burst is 1,000,000 x 1.5 x 1/8 + 125,000 = 312,500 bytes Multiplying the committed rate by 1.5 converts the rate to bits, then multiplying the number of bits by 1/8 converts the value to bytes.
  • Page 112: Two-Rate Rate-Limits Overview

    JUNOSe 11.1.x Policy Management Configuration Guide Table 10: TCP-Friendly One-Rate Rate-Limit Profile Algorithms (continued) Step Result If CD < Extended Burst Packet is colored yellow T(t) is decremented by B (allow T(t) < 0, if necessary) If CD >= Extended Burst Packet is colored CD is reset to 0 If incoming packet color is (only occurs in...
  • Page 113: Table 11: Policy Action Applied Based On Rate Settings And Traffic Rate

    Chapter 5: Creating Rate-Limit Profiles Peak rate Amount of bandwidth allocated to accommodate excess traffic flow over the committed rate Peak burst Amount of bandwidth allocated to accommodate bursty traffic in excess of the peak rate Committed action Drop, transmit, conditional, unconditional, final, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow does not exceed the committed rate;...
  • Page 114: Creating A Two-Rate Rate-Limit Profile

    JUNOSe 11.1.x Policy Management Configuration Guide B = size of packet in bytes Tp = size of peak token bucket in bytes (maximum size of this bucket is the configured peak burst) Tc = size of the committed token bucket in bytes (maximum size of this bucket is the configured committed burst) t = time Table 12: Two-Rate Rate-Limit Profile Algorithms...
  • Page 115: Setting The Committed Action For A Rate-Limit Profile

    Chapter 5: Creating Rate-Limit Profiles The following example creates a rate-limit profile named hardlimit9Mb. This rate-limit profile, when included as part of a rule in a policy list, sets a hard limit on the specified committed rate with no peak rate or peak burst ability: host1(config)#ip rate-limit-profile hardlimit9Mb two-rate host1(config-rate-limit-profile)#committed-rate 9000000 host1(config-rate-limit-profile)#committed-burst 20000...
  • Page 116: Setting The Committed Burst For A Rate-Limit Profile

    JUNOSe 11.1.x Policy Management Configuration Guide host1(config-rate-limit-profile)#committed-action transmit committed-action Related Topics Setting the Committed Burst for a Rate-Limit Profile You can use the committed-burst command to set the committed burst in bytes; range is 1–4294967295. You can use the committed-burst command to set the committed burst in milliseconds for a rate-limit profile;...
  • Page 117: Setting The Committed Rate For A Rate-Limit Profile

    Chapter 5: Creating Rate-Limit Profiles committed-burst Related Topics Setting the Committed Rate for a Rate-Limit Profile You can set the committed rate as a percentage of a reference rate defined in the specified policy parameter. Issue the committed-rate command from Rate Limit Profile Configuration mode to set the committed rate in bits per second for a rate-limit profile: host1(config-rate-limit-profile)#committed-rate refRlpRate percentage 10 committed-rate...
  • Page 118: Setting The Excess Burst For A Rate-Limit Profile

    JUNOSe 11.1.x Policy Management Configuration Guide Issue the exceeded-action command from Rate Limit Profile Configuration mode: host1(config-rate-limit-profile)#exceeded-action drop exceeded-action Related Topics Setting the Excess Burst for a Rate-Limit Profile For one-rate rate-limit profiles only, use the excess-burst command to set the excess burst in bytes for a rate-limit profile;...
  • Page 119: Setting The Peak Burst For Two-Rate Rate-Limit Profiles

    Chapter 5: Creating Rate-Limit Profiles mask-val Related Topics Setting the Peak Burst for Two-Rate Rate-Limit Profiles For two-rate rate-limit profiles only, you can use the peak-burst command to set the peak burst in bytes for a rate-limit profile; range is 1–4294967295. Use to set the peak burst in milliseconds for a rate-limit profile;...
  • Page 120: Setting A One-Rate Rate-Limit Profile

    JUNOSe 11.1.x Policy Management Configuration Guide peak burst = (8,000,000 bps x 100 ms) ÷ 8 = 100,000 bytes For this example, displaying the rate-limit profile shows: peak-rate 8000000 peak-burst 100000 If the calculated peak burst value is less than the default peak burst size of 8 KB, the default burst size is used.
  • Page 121: Setting A Two-Rate Rate-Limit-Profile

    Chapter 5: Creating Rate-Limit Profiles Table 13: One-Rate Rate-Limit-Profile Defaults (continued) Policy Attribute Default Value excess-burst committed-action transmit conformed-action transmit exceeded-action drop mask (IP and IPv6 rate-limit profiles) exp-mask (MPLS rate-limit profiles) NOTE: We recommend that you do not configure a committed or peak burst size smaller than the MTU of the interface.
  • Page 122: Table 14: Two-Rate Rate-Limit-Profile Defaults

    JUNOSe 11.1.x Policy Management Configuration Guide a parent group. The color-aware keyword is only supported on hierarchical rate limits. If you do not include a one-rate or two-rate keyword, the default is a two-rate rate-limit profile. If you enter a rate-limit-profile command and then type exit, the router creates a rate-limit profile with the default values listed in Table 14 on page 96: Table 14: Two-Rate Rate-Limit-Profile Defaults Policy Attribute...
  • Page 123: Bandwidth Management Overview

    Chapter 5: Creating Rate-Limit Profiles exp-mask Related Topics rate-limit-profile Bandwidth Management Overview When you configure the rate-limit profile, packets are tagged with a drop preference. The color-coded tag is added automatically when the committed and peak burst values for an interface’s rate-limit profile are exceeded. The egress forwarding controller uses the drop preference to determine which packets are dropped when there is contention for outbound queuing resources within the E Series router.
  • Page 124: Examples: One-Rate Rate-Limit Profile

    JUNOSe 11.1.x Policy Management Configuration Guide Figure 6: Congestion Management Examples: One-Rate Rate-Limit Profile A one-rate rate-limit profile can be configured for hard tail drop rate-limit or TCP-friendly behavior. Packets can be categorized as committed, conformed, or exceeded. You can configure a one-rate rate-limit profile to hard limit a packet flow to a specified rate.
  • Page 125: Examples: Rate-Limiting Individual Or Aggregate Packet Flows

    Chapter 5: Creating Rate-Limit Profiles This configuration is implemented with token buckets. See RFC 2698 for more details. The following example rate limits traffic on an interface from source IP address 1.1.1.1 so that traffic at a rate up to 1 Mbps is colored green and transmitted, traffic at a rate from 1 Mbps to 2 Mbps is colored yellow and transmitted, and traffic at a rate above 2 Mbps is dropped.
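The two-rate coloring described above (green up to the committed rate, yellow up to the peak rate, dropped beyond it), together with the burst arithmetic from the TCP-friendly and peak-burst passages, as an added example that is not from the Juniper guide: it is a generic RFC 2698-style two-rate three-color marker written for illustration, so the router's own implementation may differ. The packet size, offered loads, 100 ms burst sizes and the value 8192 for the guide's "8 KB" default burst are this example's assumptions.

```python
# Added example (not from the Juniper guide): an RFC 2698-style two-rate
# token-bucket marker plus the burst-size arithmetic the guide describes.
from dataclasses import dataclass, field
from fractions import Fraction

DEFAULT_BURST_BYTES = 8 * 1024  # assumed value of the guide's "default burst size of 8 KB"


def burst_bytes_from_ms(rate_bps: int, burst_ms: int) -> int:
    """Burst in bytes for a burst given in milliseconds:
    (rate in bps x burst in ms) / 8, e.g. 8,000,000 bps x 100 ms / 8 = 100,000.
    Results below the default burst size fall back to the default."""
    computed = rate_bps * burst_ms // 1000 // 8
    return max(computed, DEFAULT_BURST_BYTES)


def tcp_friendly_bursts(committed_rate_bps: int) -> tuple[int, int]:
    """Committed and excess burst (bytes) for a TCP-friendly one-rate profile:
    committed burst = 1.0 s of the committed rate in bytes, excess burst =
    1.5 s of the committed rate in bytes plus the committed burst."""
    committed_burst = committed_rate_bps // 8                  # rate x 1.0 s x 1/8
    excess_burst = committed_rate_bps * 15 // 10 // 8 + committed_burst  # rate x 1.5 x 1/8 + Bc
    return committed_burst, excess_burst


@dataclass
class TwoRateLimiter:
    """Two buckets: Tc fills at the committed rate and is capped at the committed
    burst; Tp fills at the peak rate and is capped at the peak burst. Tokens are
    bytes, time is integer microseconds, Fractions keep the levels exact."""
    committed_rate: int   # bps
    peak_rate: int        # bps
    committed_burst: int  # bytes, maximum size of Tc
    peak_burst: int       # bytes, maximum size of Tp
    tc: Fraction = field(init=False)
    tp: Fraction = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tc = Fraction(self.committed_burst)   # buckets start full
        self.tp = Fraction(self.peak_burst)

    def color(self, size_bytes: int, now_us: int) -> str:
        """Color one packet of size_bytes arriving at now_us (color-blind mode)."""
        elapsed = now_us - self.last_us
        self.last_us = now_us
        # Refill both buckets for the elapsed time, bounded by their burst sizes.
        self.tc = min(Fraction(self.committed_burst),
                      self.tc + Fraction(elapsed * self.committed_rate, 8_000_000))
        self.tp = min(Fraction(self.peak_burst),
                      self.tp + Fraction(elapsed * self.peak_rate, 8_000_000))
        if self.tp < size_bytes:
            return "red"          # exceeded: over the peak rate, no tokens drained
        if self.tc < size_bytes:
            self.tp -= size_bytes
            return "yellow"       # conformed: within the peak rate, over the committed rate
        self.tp -= size_bytes
        self.tc -= size_bytes
        return "green"            # committed: within the committed rate


# Actions for the guide's example: committed and conformed transmit, exceeded drops.
ACTIONS = {"green": "transmit", "yellow": "transmit", "red": "drop"}


def offered_load(limiter: TwoRateLimiter, offered_bps: int,
                 packet_bytes: int = 1500, duration_s: int = 2) -> dict:
    """Feed an evenly spaced stream at offered_bps through the limiter and
    count the colors it assigns (constructed traffic, not captured data)."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    n_packets = duration_s * offered_bps // (packet_bytes * 8)
    interval_us = packet_bytes * 8 * 1_000_000 // offered_bps
    for i in range(n_packets):
        counts[limiter.color(packet_bytes, i * interval_us)] += 1
    return counts


def guide_example(offered_bps: int) -> dict:
    """The guide's profile: 1 Mbps committed rate, 2 Mbps peak rate. The 100 ms
    burst sizes are an assumption of this example."""
    limiter = TwoRateLimiter(
        committed_rate=1_000_000, peak_rate=2_000_000,
        committed_burst=burst_bytes_from_ms(1_000_000, 100),   # 12,500 bytes
        peak_burst=burst_bytes_from_ms(2_000_000, 100))        # 25,000 bytes
    return offered_load(limiter, offered_bps)


if __name__ == "__main__":
    print("committed/excess burst:", tcp_friendly_bursts(1_000_000))
    for load in (500_000, 1_500_000, 3_000_000):
        counts = guide_example(load)
        dropped = sum(n for c, n in counts.items() if ACTIONS[c] == "drop")
        print(f"{load} bps offered: {counts}, dropped {dropped}")
```

After the initial burst is spent, the steady-state split matches the rates: at 3 Mbps offered roughly one third of the packets is green, one third yellow and one third dropped.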
  • Page 126: Rate-Limiting Traffic Flows

    JUNOSe 11.1.x Policy Management Configuration Guide host1(config-subif)#ip policy input plRateLimit statistics enabled host1(config-subif)#exit In the following example, interface ATM 3/1.1 again classifies on three traffic flows; however, this policy rate limits the aggregate of the three flows to 1 MB. host1(config)#ip classifier-list clFlowAll ip host 10.1.1.1 any host1(config)#ip classifier-list clFlowAll ip host 10.1.1.2 any host1(config)#ip classifier-list clFlowAll ip host 10.1.1.3 any...
  • Page 127: Merging Policies

    Chapter 6 Merging Policies This chapter provides information about merging policies on E Series routers. The chapter discusses the following topics: Merging Policies Overview on page 101 Resolving Policy Merge Conflicts on page 103 Merged Policy Naming Conventions on page 105 Reference Counting for Merged Policies on page 106 Persistent Configuration Differences for Merged Policies Through Service Manager on page 106...
  • Page 128 JUNOSe 11.1.x Policy Management Configuration Guide With policy merging, a set of policies is combined to form a single new policy, which is a union of all the component policies. Classifier groups and policy rules from each component combine to create the merged policy as in the following example: host1(config)#interface atm 5/0.1 host1(config-subif)#ip policy input p1 statistics enable merge host1(config-subif)#ip policy input p2 statistics enable merge...
  • Page 129 Chapter 6: Merging Policies Existing policy VSAs in RADIUS are not changed; attachments created by this method cannot be merged. Ascend data filter policies can be attached at input and output attachment points. SNMP support for polling statistics based on component policy attachments is not available.
  • Page 130 JUNOSe 11.1.x Policy Management Configuration Guide merge conflict, the last command entered replaces any previous conflicting commands for a classifier group, as in the following example: host1(config)#ip policy-list p1 host1(config-policy)#classifier-group C1 precedence 90 host1(config-classifier-group)#forward host1(config-classifier-group)#exit host1(config)#ip policy-list p2 host1(config-policy)#classifier-group C1 precedence 90 host1(config-classifier-group)#next-hop 1.1.1.1 host1(config-classifier-group)#exit host1(config)#ip policy-list p3...
  • Page 131 Chapter 6: Merging Policies exit With the IP policy forward rule, when more forward rules are added to an existing classifier group, the list of forward rules is created. This is also true during merging, as in the following example: host1(config)#ip policy-list p1 host1(config-policy)#classifier-group C1 precedence 90 host1(config-classifier-group)#forward next-hop 1.1.1.1...
  • Page 132: Policy Attachment Sequence At Login Through Service Manager

    JUNOSe 11.1.x Policy Management Configuration Guide Reference Counting for Merged Policies The reference counts in all containers referenced within a merged policy are incremented by the number of times they are referenced within the merged policy. Also, the reference counts of all component policies of a merged policy are incremented because of the association of the component policies with the merged policy.
  • Page 133 Chapter 6: Merging Policies Baseline enable/disable Enable or disable baselining for the attachment. Merge or Replace Allow an attachment to become merge-capable and merge with any other attachments that are merge-capable. If the merge keyword is not specified, then it replaces any existing attachments with the new attachment. Merging always preserves statistics.
  • Page 134: Error Conditions For Merged Policies

    JUNOSe 11.1.x Policy Management Configuration Guide The statistics and baseline keywords for the merged policy attachment are recomputed to be a logical OR of all remaining attachments at the specified attachment point. Error Conditions for Merged Policies Most errors, such as mismatched interface types while merging attachments, are caught during configuration.
  • Page 135 Chapter 6: Merging Policies host1(config-subif)#ip policy input p1 statistics enable merge host1(config-subif)#exit Attach IP policy p2 as input at interface atm 5/0.1. A merged policy is created. host1(config)#Interface atm 5/0.1 host1(config-subif)#ip policy input p2 statistics enable merge host1(config-subif)#exit Display the policy lists. host1#show policy-list Policy Table ------ -----...
  • Page 136: Show Configuration

    ! Configuration script being generated on TUE APR 26 2005 17:33:01 UTC ! Juniper Edge Routing Switch ERX-1440 ! Version: 9.9.9 development-4.0 (April 4, 2005 15:39) ! Copyright (c) 1999-2005 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 interface atm 5/0.1...
  • Page 137 Chapter 6: Merging Policies Display interface statistics. host1#show ip interface atm 5/0.1 ATM5/0.1 line protocol Atm1483 is up, ip is up Network Protocols: IP Internet address is 99.99.99.2/255.255.255.0 Broadcast address is 255.255.255.255 Operational MTU = 9180 Administrative MTU = 0 Operational speed = 155520000 Administrative speed = 0 Discontinuity Time = 721112...
  • Page 138 JUNOSe 11.1.x Policy Management Configuration Guide host1(config-subif)#ip policy output p1 statistics enable merge host1(config-subif)#exit Attach IP policy p2 at atm 5/0.2 as output. Merge policy mpl_5 is now attached. host1(config)#interface atm 5/0.2 host1(config-subif)#ip policy output p2 merge host1(config-subif)#exit Display policies to verify that mpl_5 is created. host1#show policy-list Policy Table ------ -----...
  • Page 139 Chapter 6: Merging Policies Classifier control list: C2, precedence 10 filter Classifier control list: C3, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) next-hop 20.1.1.1, order 100, rule 3 (reachable) Classifier control list: *, precedence 1000 forward Referenced by interfaces:...
  • Page 140 JUNOSe 11.1.x Policy Management Configuration Guide Referenced by interfaces: None Referenced by profiles: None Referenced by merge policies: mpl_5 mpl_7 IP Policy p2 Administrative state: enable Reference count: Classifier control list: C3, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List:...
  • Page 141 Chapter 6: Merging Policies List: next-hop 10.1.1.1, order 100, rule 2 (active) next-hop 20.1.1.1, order 100, rule 3 (reachable) Classifier control list: *, precedence 1000 forward Referenced by interfaces: ATM5/0.2 output policy, statistics enabled, virtual-router default Referenced by profiles: None Component policies: IP Policy mpl_7 Administrative state: enable...
  • Page 142 JUNOSe 11.1.x Policy Management Configuration Guide host1#show policy-list Policy Table ------ ----- IP Policy p1 Administrative state: enable Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) Referenced by interfaces: None Referenced by profiles:...
  • Page 143 Chapter 6: Merging Policies Referenced by merge policies: mpl_8 IP Policy mpl_5 Administrative state: enable Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C3, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) next-hop 20.1.1.1, order 100, rule 3 (reachable)
  • Page 144 JUNOSe 11.1.x Policy Management Configuration Guide host1(config-subif)#exit Display policies to verify that p3 is attached to atm 5/0.1 and mpl_8 is removed. host1#show policy-list Policy Table ------ ----- IP Policy p1 Administrative state: enable Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C1, precedence 90 forward...
  • Page 145 Chapter 6: Merging Policies Referenced by profiles: None Referenced by merge policies: None IP Policy mpl_5 Administrative state: enable Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C3, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List:...
  • Page 146: Parent Group Merge Algorithm

    JUNOSe 11.1.x Policy Management Configuration Guide IP Policy p1 Administrative state: enable Reference count: Classifier control list: C2, precedence 10 filter Classifier control list: C1, precedence 90 forward Virtual-router: default List: next-hop 10.1.1.1, order 100, rule 2 (active) IP Policy p2 Administrative state: enable Reference count: Classifier control list: C3, precedence 10...
  • Page 147 Chapter 6: Merging Policies If there is no existing internal parent group with the same name in the merged policy, the system creates a corresponding internal parent group with the same name. If an internal parent group with the same name already exists, the system uses a name built by appending an internally generated sequence number to the name of the internal parent group in the component policy.
  • Page 148: Overlapping Classification For Ip Input Policy

    Classifier control list: D, precedence 100, external parent-group EPG2 parameter abcd forward Parent group: X, parent-group Y rate-limit-profile R3 Parent group: Y rate-limit-profile R4 host1#show policy-list mpl_88000001 Policy Table ------ ----- IP Policy mpl_88000001 Administrative state: enable Reference count: Classifier control list: *, precedence 100, parent-group Z...
  • Page 149 Each classifier-group has a set of associated actions that is taken if it is the highest priority match. The system performs only one set of actions per policy attachment. By using an input and secondary-input policy, you can have overlapping classification with multiple policy actions on ingress.
  • Page 150: Starting Policy Processing

    Figure 7: Input Policy with Primary Stage and Auxiliary Substage The order of policy action execution for each attachment is: Filter Modify (includes setting of color, traffic class, user packet class) and Log Rate limit profile/color Mark TOS Exception Forward...
  • Page 151: Processing The Classifier Result

    Processing the Classifier Result The classifier result of the input policy attachment is processed and a set of actions is identified. When you configure filter, it is the first action taken and immediately discards the packet. This is followed by any modification, such as mark or logging. If a rate limit profile is configured, the packet is dropped or colored.
  • Page 152 limit does not run and the associated token buckets are not affected. If you configure more than a single rate limit per interface, it significantly impacts forwarding performance. Attaching two policies with rate limit profiles in the same policy stage is equivalent to having two policies attached in the same order, but in separate stages.
  • Page 153: Table 15: Input Action And Secondary Input Actions

    Table 15: Input Action and Secondary Input Actions Input Action Secondary Input Action None Exception Filter Next-hop Forward Forward Interface Next-hop None None Exception Filter None Forward Forward Auxiliary Interface Next-hop Auxiliary Auxiliary Exception Exception Exception Filter Exception Exception...
  • Page 154 Overlapping Classification for IP Input Policy...
  • Page 155: Creating Hierarchical Policies For Interface Groups

    Chapter 7 Creating Hierarchical Policies for Interface Groups This chapter provides information for configuring policy-based routing management on E Series routers. This chapter discusses the following topics: Hierarchical Policies for Interface Groups Overview on page 129 External Parent Groups on page 130 Example: Configuring Hierarchical Policy Parameters on page 130 Hierarchical Aggregation Nodes on page 132 RADIUS and Profile Configuration for Hierarchical Policies on page 133...
  • Page 156 attachment to share bandwidth. Bandwidth-sharing between interfaces uses line module global parent group definitions and interface grouping. However, if you need to share bandwidth between two or more interfaces, rate-limits must be chained beyond a single attachment. Policies for interface groups include external parent groups that are implicitly instantiated during policy attachment based on each unique interface group encountered.
  • Page 157: Chapter 7 Creating Hierarchical Policies For Interface Groups

    Chapter 7: Creating Hierarchical Policies for Interface Groups There are two types of values that a hierarchical policy parameter can take: numeric and keyword. Keywords are resolved to numeric values during configuration of a policy parameter at the interface. The following example assigns a value of 10 to policy parameter A in Global Configuration mode.
  • Page 158 Table 16: Shorthand Notation Mapping (continued) Shorthand number Shorthand Value Supported in SVLAN Identifier constructed from slot, adapter, port, IP, IPv6, L2TP, and MPLS policies SVLAN ID. FR-VC Unique identifier of frame relay minor interface IP, IPv6, and MPLS policies Unique identifier of ATM major interface IP, IPv6, and MPLS policies...
  • Page 159 group, different rate-limit instances are instantiated if the interfaces are on different line modules. RADIUS and Profile Configuration for Hierarchical Policies You can use profiles to configure policy parameters. There is currently no RADIUS VSA support for policy parameters.
  • Page 160 Loops The system performs basic checks to prevent formation of loops when external parent groups refer to other external parent groups. Also, you cannot chain together more than four rate-limits in a hierarchy. Asynchronous Policy Parameter Configuration You can configure the policy parameters on an interface and the policy attachments independently of each other.
  • Page 161: Figure 8: Configuration Process

    Figure 8: Configuration Process This procedure uses the following designations: EPG1 and EPG2 are external parent groups. IP1 and IP2 are internal parent groups. ER1, ER2, R1, and R2 are rate-limit profiles. POL is the name of the IP policy.
  • Page 162 Configure two external parent groups EPG1 and EPG2. Create policy-parameter C and two external parent groups: EPG1 and EPG2. host1(config)#policy-parameter C hierarchical host1(config-policy-parameter)#exit host1(config)#parent-group EPG2 host1(config-parent-group)#rate-limit-profile ER2 host1(config-parent-group)#exit host1(config)#parent-group EPG1 host1(config-parent-group)#next-parent EPG2 parameter C host1(config-parent-group)#rate-limit-profile ER1 host1(config-parent-group)#exit EPG1 contains a rate-limit profile ER1 and points to EPG2 as the next parent...
  • Page 163 substituted for parameters A, B, and C when you use the policy-parameter command. Because of this policy attachment and the policy-parameter command, the following aggregation nodes are created: (slot 5, ingress, EPG1, 1), (slot 5, ingress, EPG2, 1).
  • Page 164: Figure 9: Vlan Rate-Limit Configuration

    ER1-instance-1 is referenced by parent group instance (EPG1, parameter B), and ER2-instance-2 is referenced by the parent group instance (EPG2, parameter C). Example: VLAN Rate Limit Hierarchical Policy for Interface Groups Configuration In this example, three users from a small business office are connected to an E Series router through the same VLAN interface.
  • Page 165 Verify the parent group configuration. host1#show parent-group EPG1 Parent Group Table ------ ----- ------ Parent Group EPG1 Reference count: 0 Rate limit profile: VLAN_RATE Create a policy list to attach to user 1. host1(config)#policy-parameter A hierarchical host1(config-policy-parameter)#exit host1(config)#ip policy-list USER_POL1...
  • Page 166 parameter A host1(config-policy-list-parent-group)#rate-limit-profile USER_RATE host1(config-policy-list-parent-group)#exit host1(config-policy-list)#exit Verify the policy list configuration. host1#show policy-list USER_POL1 Policy Table ------ ----- IP Policy USER_POL2 Administrative state: enable Reference count: Classifier control list: VOICE_CLACL, precedence 100, parent-group IPG1 rate-limit-profile VOICE_RATE Classifier control list: *, precedence 100, parent-group IPG1 forward...
  • Page 167 Create the interface for user 2, attach USER_POL2, and map parameter A to the VLAN interface. host1(config)#interface ip 3/0.1.2 host1(config-interface)#ip policy-parameter hierarchical A vlan host1(config-interface)#ip policy input USER_POL2 statistics enabled host1(config-interface)#exit Create the interface for user 3, attach USER_POL3, and map parameter A to the VLAN interface.
  • Page 168: Figure 10: Interface Stack For Wholesale L2Tp Mode

    Figure 10: Interface Stack for Wholesale L2TP Mode To use this example, you must configure the following: At interfaces I1 and I2: IP_RATE, Committed Rate: 1 Mbps Peak Rate: 11 Mbps Committed Action: transmit unconditional Conformed Action: transmit conditional Exceeded Action: drop At I3 L2TP_RATE:...
  • Page 169: Figure 11: Wholesale L2Tp Configuration

    Figure 11: Wholesale L2TP Configuration Create a rate-limit that can be shared across all forwarding interfaces. Create an external parent group to hold this rate limit. host1(config)#rate-limit-profile VLAN_RATE two-rate hierarchical host1(config-rate-limit-profile)#committed-rate 12000000 host1(config-rate-limit-profile)#committed-action transmit final host1(config-rate-limit-profile)#exit host1(config)#parent-group EPG1...
  • Page 170: Configuration

    In both terminated users' records in RADIUS, you must specify the ingress policy name IP_POL. You must specify the ingress policy name L2TP_POL in the tunneled user's record in RADIUS. However, be sure to specify the policy parameter through a profile.
  • Page 171 Conformed Action: drop Exceeded Action: drop At I1, I2, I3, I4: Classified Data Flow. DATA_RATE, Committed Rate: 5 Mbps Peak Rate: 0 Mbps Committed Action: transmit conditional Conformed Action: drop Exceeded Action: drop All classified video flow policers over each VLAN interface feed into a single policer with the following configuration: VIDEO_AGG, Committed Rate: 1.5 Mbps...
  • Page 172: Figure 13: Aggregate Rate Limit For Nonvoice Traffic Configuration

    Figure 13: Aggregate Rate Limit for Nonvoice Traffic Configuration Create a rate limit that can be shared across all video streams. Create an external parent group to hold this rate limit. host1(config)#rate-limit-profile VIDEO_AGG two-rate hierarchical host1(config-rate-limit-profile)#committed-rate 1500000 host1(config-rate-limit-profile)#committed-action transmit final host1(config-rate-limit-profile)#exit...
  • Page 173: Figure 14: Interface Stack For Arbitrary Interface Groups

    host1(config-policy-list)#classifier-group VIDEO_CLACL external parent-group EPG1 parameter A host1(config-policy-list-classifier-group)#rate-limit-profile VIDEO_RATE host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#classifier-group * external parent-group EPG2 parameter B host1(config-policy-list-classifier-group)#rate-limit-profile DATA_RATE host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#exit In all users' records in RADIUS, specify the ingress policy name IP_POL1. However, be sure to specify the policy parameter through the profile.
  • Page 174: Figure 15: Arbitrary Interface Groups Configuration

    VOICE_RATE, Committed Rate: 64 Kbps Peak Rate: 0 Mbps Committed Action: transmit unconditional Conformed Action: drop Exceeded Action: drop At I2 and I4: No policer configured I1 and I2 feed into a single policer with the following configuration: AGG, Committed Rate: 1 Mbps, Peak Rate: 0 Mbps, Committed Action: transmit, Conformed Action: drop, Exceeded Action: drop Figure 15: Arbitrary Interface Groups Configuration...
  • Page 175 host1(config)#rate-limit-profile VOICE_RATE two-rate hierarchical host1(config-rate-limit-profile)#committed-rate 64000 host1(config-rate-limit-profile)#committed-action transmit unconditional host1(config-rate-limit-profile)#exit host1(config)#policy-parameter A hierarchical host1(config-policy-parameter)#exit host1(config)#ip policy-list IP_POL1 host1(config-policy-list)#classifier-group * external parent-group EPG1 parameter A host1(config-policy-list-classifier-group)#rate-limit-profile VOICE_RATE host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#exit Create a policy list to attach to all other sessions. host1(config)#ip policy-list IP_POL2 host1(config-policy-list)#classifier-group * external parent-group EPG1 parameter A...
  • Page 176: Figure 16: Interface Stack For Service And User Rate-Limit Hierarchy Overlap

    Example: Service and User Rate-Limit Hierarchy Overlap Hierarchical Policy Configuration In the service and user rate-limit hierarchy overlap configuration example: The service provider has to enforce a bandwidth limit on a video service over a VLAN and wants to limit the maximum bandwidth of each user's total traffic.
  • Page 177: Figure 17: Service And User Rate-Limit Hierarchy Overlap Configuration

    Figure 17: Service and User Rate-Limit Hierarchy Overlap Configuration Create an aggregate rate limit that can be applied to each IP session. Create an external parent group to hold this rate limit. host1(config)#rate-limit-profile USER_RATE two-rate hierarchical host1(config-rate-limit-profile)#committed-rate 2000000 host1(config-rate-limit-profile)#committed-action transmit final...
  • Page 178: Example: Percentage-Based Hierarchical Rate-Limit Profile For External Parent Group

    host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#exit Attach IP_POL to each IP session. Specify the same ID for parameter A, but a different ID for parameter B. host1(config)#interface fastEthernet 3/0.1 host1(config-interface)#vlan id 1 host1(config-interface)#exit host1(config)#interface ip 3/0.1.1 host1(config-interface)#ip policy-parameter hierarchical A vlan host1(config-interface)#ip policy-parameter hierarchical B forwarding host1(config-interface)#ip policy input IP_POL statistics enable host1(config-interface)#exit...
  • Page 179 Create a policy that references the external parent group. host1(config)#ip policy-list P host1(config-policy)#classifier-group data external parent-group epg1 parameter host1(config-policy-classifier-group)#forward host1(config-policy-classifier-group)#exit host1(config-policy)#exit Attach an IP policy P at interface atm5/0.1 by specifying a different reference-rate value.
  • Page 180: Example: Ppp Interfaces Hierarchical Policy Configuration

    committed rate: 500000 bps, committed burst: 8192 bytes (default) peak rate: 5000000 bps, peak burst: 62500 bytes (default) committed: 0 packets, 0 bytes, action: transmit conditional conformed: 0 packets, 0 bytes, action: transmit conditional exceeded: 0 packets, 0 bytes, action: drop unconditional: 0 packets, 0 bytes...
  • Page 181: Figure 18: Interface Stack For Hierarchical Policy Configuration

    Committed Action: transmit unconditional Conformed Action: drop Exceeded Action: drop At I2 and I4: Classified Video Flow. VIDEO_RATE, Committed Rate: 1 Mbps Peak Rate: 0 Mbps Committed Action: transmit unconditional Conformed Action: drop Exceeded Action: drop All classified video flow policers over each PPP interface feed into a single policer with the following configuration:...
  • Page 182 host1(config)#policy-parameter P1_PPP hierarchical host1(config-policy-parameter)#exit Create a reference rate parameter to be used in external parent groups associated with PPP sessions. host1(config)#policy-parameter sessionRlpRate reference-rate host1(config-policy-parameter)#reference-rate 3000000 host1(config-policy-parameter)#exit Create an aggregate session rate-limit (using reference-rate) that can be shared between IPv4 and IPv6 interfaces of each PPP session.
  • Page 183 host(config-policy-list)#exit Specify the policy parameter and attachments through the profile. host(config)#profile PPPOE_PROF1 host(config-profile)#ip policy-parameter hierarchical P1_PPP ppp-interface host(config-profile)#ip policy input IP_POL1 sta enabled merge host(config-profile)#ipv6 policy-parameter hierarchical P1_PPP ppp-interface host(config-profile)#ipv6 policy input IP_POL2 sta enabled merge host(config-profile)#exit Use another profile for the second subscriber to specify a different session rate of 5 Mbps by overriding the default rate of 3 Mbps, and specify the policy...
  • Page 184 Example: PPP Interfaces Hierarchical Policy Configuration...
  • Page 185: Policy Resources

    Chapter 8 Policy Resources This chapter provides information about configuring policy resources. The chapter discusses the following topics: Policy Resources Overview on page 159 FPGA Hardware Classifiers on page 161 CAM Hardware Classifiers Overview on page 162 Size Limit for IP and IPv6 CAM Hardware Classifiers on page 163 Creating and Attaching a Policy with IP Classifiers on page 168 Variable-Sized CAM Classification for IPv6 Policies Examples on page 171 Performance Impact and Scalability Considerations on page 175...
  • Page 186: Table 17: Classifier Support

    Table 17: Classifier Support (OC48/STM16, GE-2, and GE-HDE Line Modules) Interface Type Hardware Classifier Software Classifier All interface types – Color (except IP and Traffic class IPv6) User packet class Frame Relay Not supported DE bit GRE tunnels Not supported...
  • Page 187: Table 18: Classifier Support (All Line Modules Except Oc48/Stm16, Ge-2, And Ge-Hde)

    Chapter 8: Policy Resources Table 17: Classifier Support (OC48/STM16, GE-2, and GE-HDE Line Modules) (continued) Interface Type Hardware Classifier Software Classifier VLAN Not supported User priority Table 18: Classifier Support (All Line Modules Except OC48/STM16, GE-2, and GE-HDE) Interface Type Hardware Classifier Software Classifier All interface types...
  • Page 188: Fpga Hardware Classifiers

    FPGA hardware classifiers are supported on all line modules except the OC48/STM16, GE-2, and GE-HDE line modules. Table 18 on page 161 lists the FPGA classifiers and software classifiers supported for each interface type. An E Series router supports two versions of policies that are based on FPGA hardware classifiers.
  • Page 189: Size Limit For Ip And Ipv6 Cam Hardware Classifiers

    host1(config)#ip policy-list policy1 host1(config-policy-list)#classifier-group clacl1 host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#classifier-group clacl2 host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#classifier-group * host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#exit A single classifier entry consumes more than one CAM entry when: A classifier entry contains a port range. For example: host1(config)#ip classifier-list clacl3 tcp any any range 5 8 A classifier entry contains the not keyword.
  • Page 190: Ip Classifiers And Size Limits

    NOTE: OC48/STM16 line modules on ERX14xx models, ERX7xx models, and the ERX310 router support only 128-bit IPv6 classification. Based on the size limit for a combined IPv6 classifier entry, a maximum of 336 bits of CAM entry is supported for full IPv6 classification.
  • Page 191: Table 20: Size Limit Of Combined Ip Classifiers

    Table 19: Size Limit of Individual IP Classifiers (continued) IP Classifier Size Limit (Bits) Traffic class User packet class Table 20 on page 165 lists the IP classifiers that share the same classifier entry location and those that are combined to form a larger classifier field. The table also lists the rules that apply to these types of classifier combinations.
  • Page 192: Ipv6 Classifiers And Size Limits

    Table 20: Size Limit of Combined IP Classifiers (continued) (columns: IP Classifier Entry Combination, Size Limit (Bits), Rule) Source address: – ; [ not Source port ] and [ not Destination port ] and [ [ ICMP type ] | [ ICMP code ]...: When you do not specify the source port and destination port classifiers, but you specify one or...
  • Page 193: Table 22: Size Limit Of Combined Ipv6 Classifiers

    Table 21: Size Limit of Individual IPv6 Classifiers (continued) IPv6 Classifier Entry Size Limit (Bits) TCP Flags Traffic class User packet class Table 22 on page 167 lists the IPv6 classifiers that share the same classifier entry location and those that are combined to form a larger classifier field.
  • Page 194: Creating And Attaching A Policy With Ip Classifiers

    Table 22: Size Limit of Combined IPv6 Classifiers (continued) Size Limit IPv6 Classifier Entry Combination (Bits) Rule Protocol – Source address (first word) – Source address (second word) – Source address (third word) – Source address (fourth word) –...
  • Page 195: Table 23: Classification Fields For Example 1

    host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#classifier-group tcpCLACL host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#classifier-group icmpCLACL host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#classifier-group ipCLACL host1(config-policy-list-classifier-group)#filter Apply the policy list to an interface. host1(config)#interface atm 5/0/0.1 host1(config-if)#ip policy input ipPol Table 23 on page 169 lists the active classifiers in the policy named ipPol and the size of each classifier.
  • Page 196: Table 24: Classification Fields For Example 2

    Match all frames with UPC 1. host1(config)#ip classifier-list upcCLACL user-packet-class 1 ip any any Create a policy list. host1(config)#ip policy-list ipPol host1(config-policy-list)#classifier-group colorCLACL host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#classifier-group ipFragCLACL host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#classifier-group igmpCLACL host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#classifier-group lowDelayCLACL host1(config-policy-list-classifier-group)#traffic-class strict-priority host1(config-policy-list-classifier-group)#classifier-group tcpCLACL host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#classifier-group *...
  • Page 197: Variable-Sized Cam Classification For Ipv6 Policies Examples

    Variable-Sized CAM Classification for IPv6 Policies Examples Variable-sized CAM entries are supported for IPv6 policies to avoid wasting memory space. For example, if the classifier entries in a policy consume a 576-bit CAM entry when a 144-bit CAM entry is sufficient to store the classifier, over 400 bits of CAM memory are wasted.
  • Page 198: 288-Bit Ipv6 Classification Example

    Match all ICMPv6 echo packets. host1(config)#ipv6 classifier-list icmpv6CLACL icmpv6 icmp-type 8 icmp-code Match all frames with the color red. host1(config)#ipv6 classifier-list colorCLACL color red Create an IPv6 policy list. host1(config)#ipv6 policy-list ipv6Pol host1(config-policy-list)#classifier-group colorCLACL host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#classifier-group tcpCLACL host1(config-policy-list-classifier-group)#filter...
  • Page 199: 576-Bit Ipv6 Classification Example

    Match all TCP packets from host 1:1:1:1:1:1:1:1 to any DA. host1(config)#ipv6 classifier-list sourceCLACL source-address 1:1:1:1:1:1:1:1/128 tcp Create an IPv6 policy list. host1(config)#ipv6 policy-list ipv6Pol host1(config-policy-list)#classifier-group sourceCLACL host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#classifier-group * host1(config-policy-list-classifier-group)#filter The policy ipv6Pol is requesting classification on Source Address (all 4 words) and Protocol.
  • Page 200: Table 27: Ipv6 Classification Fields For A 576-Bit Cam Entry

    host1(config)#ipv6 policy-list ipv6Pol host1(config-policy-list)#classifier-group tcpCLACL host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#classifier-group colorCLACL host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#classifier-group * host1(config-policy-list-classifier-group)#filter The policy ipv6Pol is requesting classification on Source Address (all 4 words), Destination address (all 4 words) and Protocol. Table 27 on page 174 lists the active classifiers in the policy named ipv6Pol and the size of each classifier.
  • Page 201: Performance Impact And Scalability Considerations

    Performance Impact and Scalability Considerations The following sections describe how memory usage and performance are affected on the line modules that support variable-sized CAM entries, and the maximum number of policies that can be supported with variable-sized CAM entries.
  • Page 202: Table 28: Maximum Policies With One Classifier Per Policy For Ge-2 Lms

    Number of CAM Entries Per Allocation and Free Entries The total number of CAM blocks is divided into two equal partitions. The first or lower half of the CAM blocks is reserved for 144-bit CAM entries, and the second or higher half of CAM blocks is reserved for the combination of 288-bit and 576-bit CAM entries, when an IPv6 policy that contains 288-bit or 576-bit CAM entries is attached to an interface.
  • Page 203: Table 29: Maximum Policies With Four Classifiers Per Policy For Ge-2 Lms

    Table 28: Maximum Policies with One Classifier per Policy for GE-2 LMs (continued) Number of maximum Number of Number of Number of policies per IPv4 policies Number of IPv6 policies IPv6 policies LM (one (144-bit) with IPv6 policies (288-bit) with (576-bit) with...
  • Page 204: Software Classifiers Overview

    Table 29: Maximum Policies with Four Classifiers per Policy for GE-2 LMs (continued) Number of maximum Number of Number of Number of Number of policies per IPv4 policies IPv6 policies IPv6 policies IPv6 policies LM (four Number/Type of Total 144-bit...
  • Page 205: Table 30: Resource Consumption

    host1(config-policy-list)#classifier-group clacl100 host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#classifier-group clacl200 host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#classifier-group clacl300 host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#classifier-group clacl400 host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#classifier-group * host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#exit For a given line module, the policy list named polWestford5 consumes a total of one FPGA hardware classifier resource and two software classifier resources, as indicated in Table 30 on page 179.
  • Page 206 On FPGA-based line modules, you can have a maximum of 8191 IP policy attachments and 8191 layer 2 policy attachments per forwarding controller. CAM Hardware Classifiers and Interface Attachment Resources CAM hardware classifiers are supported on OC48/STM16, GE-2, and GE-HDE ASIC-based line modules.
  • Page 207: Chapter 9 Monitoring Policy Management

    Chapter 9 Monitoring Policy Management This chapter explains how to set a statistics baseline and use the show command to display your policy configuration and monitor policy statistics. This chapter discusses the following topics: Monitoring Policy Management Overview on page 181 Setting a Statistics Baseline for Policies on page 182 Monitoring the Policy Configuration of ATM Subinterfaces on page 183 Monitoring Classifier Control Lists on page 184...
  • Page 208: Setting A Statistics Baseline For Policies

    NOTE: You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. See the Command Line Interface chapter in the JUNOSe System Basics Configuration Guide for details. Setting a Statistics Baseline for Policies You can set a baseline for policy statistics by using the baseline interface command...
  • Page 209: Table 31: Show Atm Subinterface Output Fields

    Chapter 9: Monitoring Policy Management Out Scheduler Drops Packets 0, Bytes 0 Out Policed Packets 5, Bytes 540 Out Discarded Packets 0 IP Policy input routeForXYZCorp classifier-group * filter 5 Packets 540 Bytes dropped atm policy Related Topics frame-relay policy gre-tunnel policy ip policy ipv6 policy...
  • Page 210: Monitoring Classifier Control Lists

    Table 31: show atm subinterface Output Fields (continued) Field Name Field Description traffic-class Traffic class in the policy list user packet class User packet class in the policy list show atm interface Related Topics Monitoring Classifier Control Lists Display a list of classifier control lists or details of classifier control lists.
  • Page 211: Table 32: Show Classifier-List Output Fields

    Destination IP WildcardMask:255.255.255.255 Not Destination Ip Address: false GRE Tunnel Classifier Control List greClass Reference count: Entry count: Classifier-List greClass Entry 1 User Packet Class: DS Field: Classifier-List greClass Entry 2 Color: yellow VLAN Classifier Control List bestEffort Reference count: Entry count: 1 Classifier-List bestEffort Entry 1...
  • Page 212 Table 32: show classifier-list Output Fields (continued) Field Name Field Description Color Packet color to match: green, yellow, or red Protocol Protocol type Not Protocol If true, matches any protocol except the preceding protocol; if false, matches the preceding protocol Source IP Address Address of the network or host from which the...
  • Page 213: Table 33: Show Color-Mark-Profile Output Fields

    Chapter 9: Monitoring Policy Management Table 32: show classifier-list Output Fields (continued) Field Name Field Description Local If true, matches packets destined to a local interface; if false, matches packets that are traversing the router show classifier-list Related Topics Monitoring Color-Mark Profiles Display information about color-mark profiles.
  • Page 214: Table 34: Show Control-Plane Policer Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide host1#show control-plane policer protocol Burst Rate Size Packets Packets Protocol Enabled (pps) (pkts) Committed Exceeded ----------------------------- ------- ----- ------ ---------- ---------- PppEchoRequest false PppEchoReply false PppEchoReplyFast false PppControl false AtmControl false AtmOam false AtmDynamicIf false AtmInverseArp false...
  • Page 215: Table 35: Show Frame-Relay Subinterface Output Fields

    Chapter 9: Monitoring Policy Management Number of sub-interface down transitions is 0 Time since last status change 03:04:59 No baseline has been set In bytes: 660 Out bytes: 660 In frames: 5 Out frames: 5 In errors: 0 Out errors: 0 In discards: 0 Out discards: 0 In unknown protos: 0...
  • Page 216: Table 36: Show Gre Tunnel Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide show frame-relay subinterface Related Topics Monitoring GRE Tunnel Information Purpose Display information about GRE tunnels. The state keyword displays tunnels that are in a specific state: disabled, down, enabled, not-present, or up. The ip keyword displays tunnels associated with an IP address.
  • Page 217: Monitoring Interfaces And Policy Lists

    Chapter 9: Monitoring Policy Management Table 36: show gre tunnel Output Fields (continued) Field Name Field Description packets Number of packets bytes Number of bytes mark ToS byte setting for the classifier control list mask Mask value corresponding to the ToS show gre tunnel Related Topics Monitoring Interfaces and Policy Lists...
  • Page 218 JUNOSe 11.1.x Policy Management Configuration Guide In Received Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Packets 0, Bytes 0 In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 In Discarded Packets 0 Out Forwarded Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Routed Packets 0, Bytes 0...
  • Page 219: Table 37: Show Interfaces Output Fields

    Chapter 9: Monitoring Policy Management conformed: 0 packets, 0 bytes, action: transmit exceeded: 0 packets, 0 bytes, action: drop Meaning Table 37 on page 193 lists the show interfaces command output fields. Table 37: show interfaces Output Fields Field Name Field Description Subinterface number Location of the subinterface that carries the...
  • Page 220 JUNOSe 11.1.x Policy Management Configuration Guide Network Protocols: IP Internet address is 10.12.1.1/255.255.255.0 Broadcast address is 255.255.255.255 Operational MTU = 0 Administrative MTU = 0 Operational speed = 100000000 Administrative speed = 0 Discontinuity Time = 0 Router advertisement = disabled Proxy Arp = disabled ARP spoof checking = enabled Network Address Translation is disabled...
  • Page 221: Table 38: Show Ip Interfaces Output Fields

    Chapter 9: Monitoring Policy Management Table 38: show ip interfaces Output Fields Field Name Field Description Network Protocols Protocols configured on the interface Internet address IP address of the interface Broadcast address Broadcast address used by the interface Operational MTU Operational maximum transmission unit (MTU) for packets sent on this interface Administrative MTU...
  • Page 222 JUNOSe 11.1.x Policy Management Configuration Guide Table 38: show ip interfaces Output Fields (continued) Field Name Field Description In Invalid Source Address Packets Number of packets determined to have originated from an invalid source address Out Forwarded Packets Number of packets forwarded from the interface;...
  • Page 223: Monitoring The Policy Configuration Of Ipv6 Interfaces

    Chapter 9: Monitoring Policy Management Table 38: show ip interfaces Output Fields (continued) Field Name Field Description rate-limit-profile Name of the rate-limit profile committed Number of packets and bytes within the committed rate limit conformed Number of packets and bytes exceeding the committed rate limit but within the peak rate exceeded Number of packets and bytes exceeding the...
  • Page 224: Table 39: Show Ipv6 Interface Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide In Invalid Source Address Packets 0 In Error Packets 0 In Discarded Packets 0 Out Forwarded Packets 8, Bytes 768 Unicast Packets 8, Bytes 768 Multicast Routed Packets 0, Bytes 0 Out Total Dropped Packets 5, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0 Out Discarded Packets 5...
  • Page 225 Chapter 9: Monitoring Policy Management Table 39: show ipv6 interface Output Fields (continued) Field Name Field Description Operational MTU Value of the MTU Administrative MTU Value of the MTU if it has been administratively overridden using the configuration Operational speed Speed of the interface Administrative speed Value of the speed if it has been administratively...
  • Page 226 JUNOSe 11.1.x Policy Management Configuration Guide Table 39: show ipv6 interface Output Fields (continued) Field Name Field Description Multicast Packets, Bytes Number of multicast packets and bytes received on the IPv6 interface, which are then multicast-routed and counted as multicast packets In Total Dropped Packets, Bytes Total number of inbound packets and bytes...
  • Page 227: Monitoring The Policy Configuration Of Layer 2 Services Over Mpls

    Chapter 9: Monitoring Policy Management Table 39: show ipv6 interface Output Fields (continued) Field Name Field Description Conformed Number of packets and bytes that exceed the committed access rate but conform to the peak access rate Exceeded Number of packets and bytes that exceed the peak access rate queue, traffic class, bound to ipv6 Queue and traffic class bound to the specified...
  • Page 228: Table 40: Show Mpls L2Transport Interface Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide MPLS policy input mplsInputPolicy classifier-group claclWst50 entry 1 0 packets, 0 bytes rate-limit-profile rlp committed: 0 packets, 0 bytes, action: transmit conformed: 0 packets, 0 bytes, action: transmit exceeded: 0 packets, 0 bytes, action drop MPLS policy output mplsOutputPolicy classifier-group claclWst75 entry 1 0 packets, 0 bytes...
  • Page 229: Monitoring External Parent Groups

    Chapter 9: Monitoring Policy Management Table 40: show mpls l2transport interface Output Fields (continued) Field Name Field Description Queue length Number of bytes in queue Forwarded packets, bytes Total number of packets and bytes forwarded by this interface Dropped committed packets, bytes Total number of committed packets and bytes dropped by this interface Dropped conformed packets, bytes...
  • Page 230: Table 41: Show Parent-Group Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide Meaning Table 41 on page 204 lists the show parent-group command output fields. Table 41: show parent-group Output Fields Field Name Field Description Reference count Number of references within policies and other external parent groups. Rate limit profile Name of hierarchical rate limit profile.
  • Page 231 Chapter 9: Monitoring Policy Management atm-cell-mode: enabled Classifier control list: ipCLACL10, precedence 75 exception http-redirect forward Virtual-router: default List: next-hop 192.0.2.12, order 10, rule 2 (active) next-hop 192.0.100.109, order 20, rule 3 (reachable) next-hop 192.120.17.5, order 30, rule 4 (reachable) interface ip3/1, order 40, rule 5 mark tos 125 rate-limit-profile ipRLP25...
  • Page 232 JUNOSe 11.1.x Policy Management Configuration Guide Classifier control list: bestEffort, precedence 100 traffic-class bestEffort To display component policies: host 1#show policy-list comp_p1 Policy Table ------ ----- IP Policy comp_p1 Administrative state: enable Reference count: Classifier control list: C1, precedence 90 forward Virtual-router: default List:...
  • Page 233 Chapter 9: Monitoring Policy Management Classifier control list: C3, precedence 10 filter Classifier control list: *, precedence 1000 forward Referenced by interfaces: ATM5/0.1 input policy, statistics enabled, virtual-router default Referenced by profiles: None Component policies: comp_p1 comp_p3 To display the configuration of an IP policy list that contains inactive references to the interface to which it is attached: host1#show policy-list pv4 Policy Table...
  • Page 234: Table 42: Show Policy-List Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide Referenced by profile(s): No profile references Meaning Table 42 on page 208 lists the show policy-list command output fields. Table 42: show policy-list Output Fields Field Name Field Description Policy Name of the policy list. Administrative state For SNMP use;...
  • Page 235: Monitoring Policy List Parameters

    Chapter 9: Monitoring Policy Management Table 42: show policy-list Output Fields (continued) Field Name Field Description next-interface Next-interface policy action next-hop Next-hop policy action rate-limit-profile Rate-limit-profile policy action color Color of a packet; green, yellow, or red traffic-class Traffic class in a policy list Log policy action mark tos ToS byte in the IP header to a specified value...
  • Page 236: Table 43: Show Policy-Parameter Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide policy2 policy3 Policy Parameter hierGroup2 Type: hierarchical Reference count: 3 Aggregation node: 3 Referenced by interfaces: 1 references IP ATM5/0.2: atm-vp 1 Referenced by policies: 2 references policy1 Referenced by parent groups: 1 references extPg1 To display list information: host1(config)#show policy-parameter...
  • Page 237: Table 44: Show Rate-Limit-Profile Output Fields

    Chapter 9: Monitoring Policy Management show policy-parameter Related Topics Monitoring Rate-Limit Profiles Purpose Display information about rate-limit profiles. Action To display information about rate-limit profiles: host1#show rate-limit-profile Rate Limit Profile Table ---- ----- ------- ----- IP Rate-Limit-Profile: rlp Profile Type: one-rate Reference count: Committed rate:...
  • Page 238: Monitoring The Policy Configuration Of Vlan Subinterfaces

    JUNOSe 11.1.x Policy Management Configuration Guide Table 44: show rate-limit-profile Output Fields (continued) Field Name Field Description Reference count Number of policy lists that reference this rate-limit profile Color-aware Color-aware action (yes or no) taken for profile Committed rate Target rate for the traffic, in bits per second Committed burst Amount of bandwidth allocated to accommodate bursty traffic, in bytes...
  • Page 239: Table 45: Show Vlan Subinterface Output Fields

    Chapter 9: Monitoring Policy Management 5 packets, 730 bytes filter Meaning Table 45 on page 213 lists the show vlan subinterface command output fields. Table 45: show vlan subinterface Output Fields Field Name Field Description Subinterface number Location of the subinterface that carries the VLAN traffic VLAN ID Domain number of the VLAN...
  • Page 240 JUNOSe 11.1.x Policy Management Configuration Guide host1(config-subif)#exit host1(config)#log destination console severity info host1(config)#log severity info policyMgrPacketLog host1(config)#log verbosity low policyMgrPacketLog host1(config)#log here This example provides a more detailed procedure that an ISP might use to log information during a ping attack on the network. The procedure includes the creation of the classifier and policy lists to specify the desired packet flow to monitor, the logging of the output of the classification operation, and the output of the show command.
  • Page 241 Chapter 9: Monitoring Policy Management host1:vr1#show ip interface gigabitEthernet 0/0 GigabitEthernet0/0 line protocol Ethernet is up, ip is up Network Protocols: IP Internet address is 10.10.10.1/255.255.255.0 Broadcast address is 255.255.255.255 Operational MTU = 1500 Administrative MTU = 0 Operational speed = 1000000000 Administrative speed = 0 Discontinuity Time = 1092358 Router advertisement = disabled...
  • Page 242 JUNOSe 11.1.x Policy Management Configuration Guide host1(config)#log severity info policyMgrPacketLog host1(config)#log severity info policyMgrPacketLog policy-list all host(config)#ip policy-list test host(config-policy-list)#classifier-group * host1(config-policy-list-classifier-group)#log host1(config)#interface fastEthernet 2/0.100 host1(config-if)#vlan id 100 host1(config-if)#ip address 100.1.1.1 255.255.255.0 host1(config-if)#ip policy input test host1(config-if)#ip policy output test The packet capture can also be done for any source and destination defined in the classifier list.
  • Page 243: Packet Mirroring

    Part 2 Packet Mirroring Packet Mirroring Overview on page 219 Configuring CLI-Based Packet Mirroring on page 225 Configuring RADIUS-Based Mirroring on page 239 Managing Packet Mirroring on page 247 Monitoring Packet Mirroring on page 263 Packet Mirroring...
  • Page 244 JUNOSe 11.1.x Policy Management Configuration Guide Packet Mirroring...
  • Page 245: Figure 20: Cli-Based Packet Mirroring

    Chapter 10 Packet Mirroring Overview This chapter contains the following sections: Packet Mirroring Overview on page 219 Comparing CLI-Based Mirroring and RADIUS-Based Mirroring on page 220 Packet-Mirroring Terms on page 222 Packet Mirroring Platform Considerations on page 222 Packet Mirroring References on page 223 Packet Mirroring Overview Packet mirroring enables you to automatically send a copy of a packet to an external host for analysis.
  • Page 246 JUNOSe 11.1.x Policy Management Configuration Guide ERX routers. See E120 and E320 Module Guide, Appendix A, IOA Protocol Support for information about modules supported on the E120 and E320 Broadband Services Routers. Comparing CLI-Based Mirroring and RADIUS-Based Mirroring This section compares the characteristics of CLI-based and RADIUS-based mirroring techniques.
  • Page 247 Chapter 10: Packet Mirroring Overview CLI-based packet mirroring All packet mirroring commands are hidden by default. You must execute the mirror-enable command to make the mirroring commands visible. You can optionally configure authorization methods to control access to the mirror-enable command, which makes the packet mirroring commands available only to authorized users.
  • Page 248: Table 46: Packet-Mirroring Terminology

    JUNOSe 11.1.x Policy Management Configuration Guide Packet-Mirroring Terms Table 46 on page 222 defines terms used in this discussion of packet mirroring. Table 46: Packet-Mirroring Terminology Term Meaning Analyzer device Device that receives the mirrored traffic from the E Series router. Also called the mediation device.
  • Page 249 Chapter 10: Packet Mirroring Overview See E120 and E320 Module Guide, Appendix A, IOA Protocol Support for information about the protocols and applications that support packet mirroring. Packet Mirroring References For more information about RADIUS-based packet mirroring, consult the following resources: RFC 3576 Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) (July 2003)
  • Page 250 JUNOSe 11.1.x Policy Management Configuration Guide Packet Mirroring References...
  • Page 251: Chapter 11 Configuring Cli-Based Packet Mirroring

    Chapter 11 Configuring CLI-Based Packet Mirroring Packet mirroring enables you to send a copy of a packet to an external host for analysis. Packet mirroring has many uses, including traffic debugging and troubleshooting user networking problems. This chapter contains the following sections: CLI-Based Packet Mirroring Overview on page 225 Enabling and Securing CLI-Based Packet Mirroring on page 226 Reloading a CLI-Based Packet-Mirroring Configuration on page 228...
  • Page 252: Figure 19: Cli-Based Interface Mirroring

    JUNOSe 11.1.x Policy Management Configuration Guide Figure 19 on page 226 shows the traffic flow for ingress and egress IP interface mirroring. Figure 19: CLI-Based Interface Mirroring Enabling and Securing CLI-Based Packet Mirroring The JUNOSe software enables you to create a secure environment for your packet-mirroring operation by restricting access to the packet mirroring CLI commands and information.
  • Page 253: Table 47: Commands Made Visible By The Mirror-Enable Command

    Chapter 11: Configuring CLI-Based Packet Mirroring command. Authorized users can then issue the mirror-enable command, making the packet mirroring commands visible. However, the commands are still hidden from unauthorized users. Table 47 on page 227 lists the commands whose visibility is controlled by the mirror-enable command.
  • Page 254 JUNOSe 11.1.x Policy Management Configuration Guide mirroring commands. For example, if you are using TACACS+, the mirror-enable command is the only packet mirroring command that is sent to the TACACS+ server. You can also use TACACS+ to prevent unauthorized individuals from modifying the configuration of analyzed ports.
  • Page 255 Chapter 11: Configuring CLI-Based Packet Mirroring Configure TACACS+ authorization for the mirror-enable command privilege level. Specify that authorization is denied if TACACS+ is not available. Because TACACS+ is not being used, authorization always fails. Configure the majority of the vty lines and the console to use the authorization configuration from Step 1.
  • Page 256: Table 48: Setting Up The Cli-Based Packet-Mirroring Environment

    JUNOSe 11.1.x Policy Management Configuration Guide Table 48: Setting Up the CLI-Based Packet-Mirroring Environment Process Description The authorized individual requests packet mirroring of a user’s or interface’s traffic and configures the analyzer device to receive mirrored traffic. An individual who is authorized to use the packet mirroring CLI commands configures the packet mirroring environment, including the secure policy, analyzer interface connection to the analyzer device, and the interface or trigger information.
  • Page 257 Chapter 11: Configuring CLI-Based Packet Mirroring Configuring CLI-Based Mirroring To configure the CLI-based packet-mirroring environment, you must coordinate the mirroring operations of two devices in the network: the E Series router and the analyzer device. The configuration of the analyzer device is mentioned in this section for reference only.
  • Page 258 JUNOSe 11.1.x Policy Management Configuration Guide Secure IP classifier lists are the only type of classifier lists allowed in secure IP policy lists. Secure L2TP policies do not support classification. Therefore, the only classifier group you can use for secure L2TP policies is classifier-group *. You cannot delete a secure policy list that is currently attached to an interface.
  • Page 259 Chapter 11: Configuring CLI-Based Packet Mirroring The following considerations apply to trigger rules: A new trigger rule is not applied to matching connected subscribers if any of the subscribers is mirrored by another rule. CLI-initiated mirroring per account session ID creates a rule that continues to exist after the subscriber logs out.
  • Page 260 JUNOSe 11.1.x Policy Management Configuration Guide Configure the analyzer interface, the route to the analyzer device, and any static ARP entries. Allow authorized users to have access to the mirror-enable command. The users can then make the packet mirroring CLI commands visible and perform the following steps.
  • Page 261: Example: Configuring Cli-Based User-Specific Mirroring

    Chapter 11: Configuring CLI-Based Packet Mirroring Attach the secure policy to the interfaces whose traffic you want to mirror. This example mirrors input traffic at interface ATM 5/0.1 and output traffic at interface ATM 5/0.2. host1:vr1(config)#interface atm 5/0.1 host1:vr1(config-if)#ip policy secure-input secureIpPolicy1 host1:vr1(config)#interface atm 5/0.2 host1:vr1(config-if)#ip policy secure-output secureIpPolicy1 Verify the secure policy configuration.
  • Page 262 JUNOSe 11.1.x Policy Management Configuration Guide host1(config)#secure l2tp policy-list l2tp_toMirrorHQ host1(config-policy-list)#classifier-group * host1(config-policy-list-classifier-group)#mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default analyzer-udp-port 6500 mirror-identifier 1 session-identifier 1 For DHCP and PPP subscribers: host1(config)#secure ip policy-list secure-ipv4-policy host1(config-policy-list)#classifier-group * host1(config-policy-list-classifier-group)#mirror analyzer-ip-address 19.0.0.2 analyzer-virtual-router default analyzer-udp-port 2500 mirror-identifier 1 session-identifier 1 Configure packet mirroring for the subscriber and associate the secure policy with the user.
  • Page 263 Chapter 11: Configuring CLI-Based Packet Mirroring Reference count: Classifier control list: * mirror analyzer-ip-address 192.168.99.2 analyzer-virtual-router default analyzer-udp-port 6500 mirror-id 1 session-id 1 Referenced by interface(s): TUNNEL l2tp:5/1/5 secure-input policy TUNNEL l2tp:5/1/5 secure-output policy Secure IP Policy secure-ipv4-policy Administrative state: enable Reference count: Classifier control list: * mirror analyzer-ip-address 19.0.0.2 analyzer-virtual-router default...
  • Page 264 JUNOSe 11.1.x Policy Management Configuration Guide Example: Configuring CLI-Based User-Specific Mirroring...
  • Page 265: Chapter 12 Configuring Radius-Based Mirroring

    Chapter 12 Configuring RADIUS-Based Mirroring Packet mirroring enables you to send a copy of a packet to an external host for analysis. Packet mirroring has many uses, including traffic debugging and troubleshooting user networking problems. This chapter contains the following sections: RADIUS-Based Mirroring Overview on page 239 RADIUS Attributes Used for Packet Mirroring on page 240 RADIUS-Based Packet Mirroring Dynamically Created Secure Policies on page 241...
  • Page 266: Table 51: Radius Attributes Used As Packet Mirroring Triggers

    JUNOSe 11.1.x Policy Management Configuration Guide RADIUS Attributes Used for Packet Mirroring Table 51 on page 240 and Table 52 on page 240 list the packet mirroring triggers. The triggers are RADIUS attributes that identify a user whose traffic is to be mirrored. A packet mirroring session starts when the router receives a RADIUS packet that contains mirroring attributes and then applies the mirroring configuration to the appropriate interface.
  • Page 267: Table 53: Radius-Based Mirroring Attributes

    Chapter 12: Configuring RADIUS-Based Mirroring Table 53: RADIUS-Based Mirroring Attributes Standard Number Attribute Name Setting [26-58] LI-Action 0 = disable mirroring 1 = enable mirroring 2 = no action [26-59] Med-Dev-Handle String (not null-terminated) [26-60] Med-IP-Address IP address of analyzer device [26-61] Med-Port-Number UDP port number of monitoring...
  • Page 268: Figure 21: Radius-Based Packet Mirroring

    JUNOSe 11.1.x Policy Management Configuration Guide JUNOSe software creates one secure policy that packet mirroring uses for all links in the MLPPP bundle. If you use the User-Name attribute, a secure policy is created for the first link, then removed and re-created for every other link. RADIUS-Based Mirroring Sequence of Events Figure 21 on page 242 shows the sequence of events that take place during RADIUS-based mirroring.
  • Page 269: Table 55: Radius-Based Mirroring During Session Start (User-Initiated)

    Chapter 12: Configuring RADIUS-Based Mirroring Table 55: RADIUS-Based Mirroring During Session Start (User-Initiated) Step Description A user logs in to an E Series router, requesting authentication by the RADIUS server. Attributes in the logon request are examined to determine whether any match a configured trigger.
  • Page 270 JUNOSe 11.1.x Policy Management Configuration Guide Configuring the RADIUS Server Table 53 on page 241 lists the VSAs that are included for both types of RADIUS-based mirroring: user-initiated (when the user logs in to start a new session) and RADIUS-initiated (when the user is already logged in). Disabling RADIUS-Based Mirroring To disable mirroring, you include the RADIUS attribute (for example, Acct-Session-ID) and set the Mirror-Action attribute to 0 in the mirrored user’s RADIUS record.
  • Page 271 Chapter 12: Configuring RADIUS-Based Mirroring drop all nonmirrored traffic. Policies are not supported. When you configure an analyzer interface, existing policies are disabled, and no new policies are accepted. authorization change Related Topics ip analyzer mirror disable radius dynamic-request server udp-port Configuring Router to Start Mirroring When User Logs On To configure the router to support user-initiated mirroring, which starts when the...
  • Page 272 JUNOSe 11.1.x Policy Management Configuration Guide host1(config-radius)#udp-port 3799 Create the key used to communicate with the RADIUS server. host1(config-radius)#key mysecret Configure the router to receive change-of-authorization messages from the RADIUS server. host1(config-radius)#authorization change host1(config-radius)#exit host1(config)#exit Verify your RADIUS-initiated mirroring configuration. host1#show radius dynamic-request servers RADIUS Request Configuration ----------------------------...
  • Page 273: Chapter 13 Managing Packet Mirroring

    Chapter 13 Managing Packet Mirroring Packet mirroring enables you to send a copy of a packet to an external host for analysis. Packet mirroring has many uses, including traffic debugging and troubleshooting user networking problems. This chapter contains the following topics: Avoiding Conflicts Between Multiple Packet Mirroring Configurations on page 247 Understanding the Prepended Header During a Packet Mirroring Session on page 249...
  • Page 274 JUNOSe 11.1.x Policy Management Configuration Guide IP address associated with the virtual router where the subscriber logs in Username associated with the virtual router where the subscriber logs in NAS port ID A RADIUS log-in configuration always implicitly uses the Acct-Session-ID to identify the subscriber.
  • Page 275 Chapter 13: Managing Packet Mirroring Ten more subscribers with the username joe@example.com log in through VR boston1. None of these new subscribers is mirrored because the RADIUS CoA configuration makes no persistent rules. You create a CLI configuration to mirror subscribers with username joe@example.com logging in through VR boston1.
  • Page 276: Figure 22: Prepended Header

    JUNOSe 11.1.x Policy Management Configuration Guide NOTE: For IP mirroring, you must include both VSA 26-59 and VSA 26-61, or you must omit both of these VSAs. If you use only one of these VSAs, the configuration fails. Figure 22 on page 250 shows the structure of the prepended header. The values in parentheses indicate the fixed value for individual fields.
  • Page 277: Format Of The Mirror Header Attributes

    Chapter 13: Managing Packet Mirroring Table 57: Prepended Header Field Descriptions (continued) Field Value Length (Bits) Time to Live Protocol Header Checksum Dynamically computed Source Address Analyzer interface IP address Destination Address VSA 26-60 UDP Header Source Port VSA 26-61 Destination Port VSA 26-61 Length...
  • Page 278: Figure 23: 8-Byte Format Of Vsa 26-59

    JUNOSe 11.1.x Policy Management Configuration Guide For example, a value of 0000030000000090 in VSA 26-59 configures the following fields in the mirror header, as shown in Figure 23 on page 252: MHV = 0 Mirror Identifier = 0x300 Session-ID = 0x90 Figure 23: 8-Byte Format of VSA 26-59 4-Byte Format To use the 4-byte format of VSA 26-59, you configure the first two most significant...
  • Page 279 Chapter 13: Managing Packet Mirroring If the analyzer device is unreachable, then the mirror action in the secure policy is disabled, and no packets are mirrored. The show secure policy-list command output indicates that the mirror action is disabled and the analyzer device is unreachable. The router tracks the analyzer device’s IP address for any route changes within the router.
  • Page 280 JUNOSe 11.1.x Policy Management Configuration Guide If the Acct-Session-Id does not match, then the subscriber information is next examined to determine whether the Calling-Station-Id matches the rule. This process continues for all configured rules. If none of the trigger rules are matched, then that subscriber’s traffic is not mirrored. If the packet mirroring request is a RADIUS-initiated session (a RADIUS-based packet mirroring session for a subscriber who is already logged in), the router verifies the validity of all of the mirroring rules related to the particular subscriber.
  • Page 281 (2X + Y) must be less than 100 Mbps (the enforced queue limit). The 100 Mbps limit does not apply to the following line modules: GE-2 line module (Juniper Networks ERX310 and ERX1440 Broadband Services Routers) GE-HDE line module (ERX310 and ERX1440 router)
  • Page 282 JUNOSe 11.1.x Policy Management Configuration Guide SNMP agent also implements a secure audit logging facility for the debugging of packet mirroring traps and packet Mirror-MIB accesses. When secure audit logging is enabled, SNMP agent logs reported mirror traps and packet Mirror-MIB get/set operations to local volatile memory on the router.
  • Page 283: Table 58: Packet-Mirroring Snmp Traps

    Chapter 13: Managing Packet Mirroring Table 58: Packet-Mirroring SNMP Traps Trap Information Sent Event That Triggers the Trap A secure policy failed A secure policy during CLI An interface failed during trigger or with secure CoA-based or CLI-based policies An analyzer RADIUS-initiated packet attached is...
  • Page 284: Table 59: Packet-Mirroring Traps For Calea Compliance

    JUNOSe 11.1.x Policy Management Configuration Guide Table 59: Packet-Mirroring Traps for CALEA Compliance Trap Description juniPacketMirrorSessionStart A grant has been issued to a mirrored subscriber. juniPacketMirrorSessionEnd A mirrored session has been terminated; includes the termination reason. juniPacketMirrorInterfaceSessionActivated A secure policy has been attached to an existing interface or to an existing session.
  • Page 285 Chapter 13: Managing Packet Mirroring Related Topics See Configuring SNMP in JUNOSe System Basics Configuration Guide for information about JUNOSe software SNMP support. Configuring SNMP Secure Packet Mirroring Traps on page 259 mirror trap-enable snmp-server clear secure-log snmp-server enable traps snmp-server host snmp-server secure-log show mirror trap...
  • Page 286: Capturing Snmp Secure Audit Logs

    JUNOSe 11.1.x Policy Management Configuration Guide Trap Proxy: enabled Global Trap Severity Level: 6 - informational Address Security String Port Trap Categories --------------- -------------------------------- ----- ---------------- 192.168.1.1 host1 192.168.57.103 fredMirrorUser CliPacketMirror 192.168.57.162 host2 Sonet Address TrapSeverityFilter Ping Maximum Queue Queue Full TimeOut QueueSize DrainRate discrd methd --------------- ------------------ ------- --------- --------- ------------- 192.168.1.1...
  • Page 287 Chapter 13: Managing Packet Mirroring The secure log configuration and data are not persistent. Secure audit logs are not available after a warm or cold restart of the SNMP agent, because the SNMP agent does not store the secure logs in NVS. The SNMP agent can store a maximum of 100 secure logs before overwriting the logs.
  • Page 288 JUNOSe 11.1.x Policy Management Configuration Guide Capturing SNMP Secure Audit Logs...
  • Page 289: Chapter 14 Monitoring Packet Mirroring

    Chapter 14 Monitoring Packet Mirroring Packet mirroring enables you to send a copy of a packet to an external host for analysis. Packet mirroring has many uses, including traffic debugging and troubleshooting user networking problems. This chapter contains the following topics: Monitoring Packet Mirroring Overview on page 263 Monitoring CLI-Based Packet Mirroring on page 264 Monitoring the Packet Mirroring Configuration of IP Interfaces on page 265...
  • Page 290: Monitoring Cli-Based Packet Mirroring

    JUNOSe 11.1.x Policy Management Configuration Guide Monitoring CLI-Based Packet Mirroring Purpose: Display brief or default (normal) information about your CLI-based packet mirroring environment, including interface analyzer information. To display secure packet mirroring information you must enable the mirror-enable command before using this command.
  • Page 291: Table 61: Show Ip Interface Output Fields

    Chapter 14: Monitoring Packet Mirroring Multicast Packets 0, Bytes 0 In Policed Packets 0, Bytes 0 In Error Packets 0 In Invalid Source Address Packets 0 In Discarded Packets 0 Out Forwarded Packets 0, Bytes 0 Unicast Packets 0, Bytes 0 Multicast Routed Packets 0, Bytes 0 Out Scheduler Dropped Packets 0, Bytes 0 Out Policed Packets 0, Bytes 0...
  • Page 292: Table 62: Show Ip Mirror Interface Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide NOTE: This command is deprecated and might be removed completely in a future release. The function provided by this command has been replaced by the show secure policy-list command. Action: To display information about a specific interface or for all interfaces: host1#show ip mirror interface atm 5/0.1 Interface...
  • Page 293: Table 63: Show Mirror Log Output Fields

    Chapter 14: Monitoring Packet Mirroring Table 63: show mirror log Output Fields Field Name Field Description Time Day, date, and time of failure Mirror-ID Unique identifier of the mirrored session Session-ID Unique identifier of the user session User User login name Error Status Description of error condition show mirror log...
  • Page 294: Table 64: Show Mirror Rules Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide Table 64: show mirror rules Output Fields Field Name Field Description Subscriber ID Identification of the subscriber ID Method Method used to identify the subscriber Secure Policy Type Type of secure policy; IP, IPv6, or L2TP Secure Policy List Name of secure policy list used for packet mirroring Sessions Mirrored...
  • Page 295: Monitoring Radius Dynamic-Request Server Information

    Chapter 14: Monitoring Packet Mirroring Table 65: show mirror subscribers Output Fields (continued) Field Name Field Description Subscriber ID Method Method used to identify the subscriber Secure Policy Type Type of secure policy; IP, IPv6, or L2TP Secure Policy List Name of secure policy list used for packet mirroring Sessions Mirrored Number of sessions being mirrored...
  • Page 296: Table 66: Show Radius Dynamic-Request Statistics Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide Meaning: Table 66 on page 270 lists show radius dynamic-request statistics command output fields. Table 66: show radius dynamic-request statistics Output Fields Field Name Field Description IP Address IP address of the RADIUS server Udp Port Port on which the router listens for RADIUS server Disconnect...
  • Page 297: Table 67: Show Secure Classifier-List Output Fields

    Chapter 14: Monitoring Packet Mirroring Monitoring Secure CLACL Configurations Purpose: Display information about only secure CLACL configurations. This command and the output are visible only to authorized users; the mirror-enable command must be enabled before using this command. Use the brief or detail keywords with the show secure classifier-list command to display different levels of information.
  • Page 298 JUNOSe 11.1.x Policy Management Configuration Guide Table 67: show secure classifier-list Output Fields (continued) Field Name Field Description Not Protocol If true, matches any protocol except the preceding protocol; if false, matches the preceding protocol Source IP Address Address of the network or host from which the packet is sent Source IP WildcardMask Mask that indicates addresses to be matched when specific...
  • Page 299: Monitoring Secure Policy Lists

    Chapter 14: Monitoring Packet Mirroring Related Topics: show secure classifier-list. Monitoring Secure Policy Lists Purpose: Display information about only secure policy lists. This command and the output are visible only to authorized users; the mirror-enable command must be enabled before using this command. Use the name keyword to display information for a specific secure policy list.
  • Page 300: Table 68: Show Secure Policy-List Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide Table 68: show secure policy-list Output Fields Field Name Field Description Policy Type (IP, IPv6, or L2TP) and name of the policy list Administrative state Status of administrative state, enable or disable; set to enable when the policy list is created Reference count Number of attachments to interfaces or profiles Classifier control list...
  • Page 301: Table 69: Show Mirror Log Output Fields

    Chapter 14: Monitoring Packet Mirroring Meaning: Table 69 on page 275 lists the show mirror log command output fields. Table 69: show mirror log Output Fields Field Name Field Description Time Day, date, and time of failure Mirror-ID Unique identifier of the mirrored session Session-ID Unique identifier of the user session...
  • Page 302: Table 70: Show Snmp Trap Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide Meaning: Table 70 on page 276 lists the show snmp trap command output fields. Table 70: show snmp trap Output Fields Field Name Field Description Enabled Categories Trap categories that are enabled on the router SNMP authentication failure trap Enabled or disabled Trap Source...
  • Page 303: Monitoring Snmp Secure Audit Logs

    Chapter 14: Monitoring Packet Mirroring snmp-server secure-log show mirror trap show snmp trap NOTE: Secure packet-mirroring trap configuration information appears in the Enabled Categories and Trap Categories fields only if the mirror-enable command is enabled. Monitoring SNMP Secure Audit Logs Display output when the secure audit log data is available.
  • Page 304: Table 71: Show Snmp Secure-Log Output Fields

    JUNOSe 11.1.x Policy Management Configuration Guide Table 71: show snmp secure-log Output Fields Field Name Field Description Agent's Context Owner of the secure log entry LogData Contents of the secure audit log Related Topics: snmp-server clear secure-log; show snmp secure-log; Monitoring SNMP Secure Audit Logs...
  • Page 305 Part 3 Index Index on page 281 Index...
  • Page 306 JUNOSe 11.1.x Policy Management Configuration Guide Index...
  • Page 307: Index

    Index CAM entries configured on line modules Symbols calculation of CAM bit size......171 144–bit CAM entries division into blocks to store policies example of IPv6 classifiers in a policy example for GE-2 LMs........175 supported by CAM classifiers.......171 number per allocation 288–bit CAM entries formula for scaling limits on GE-2 LMs..176 example of IPv6 classifiers in a policy...
  • Page 308 JUNOSe 11.1.x Policy Management Configuration Guide conventions IP fragmentation notice icons............xxiii offset, matching in a policy........13 text and syntax..........xxiv IP options, filtering ............39 customer support............xxv IP policies contacting JTAC...........xxv scalability improvement for using optimum CAM entry size....171 IPv4 classifier number of bits consumed default classifier for CAM entries..........175 allocation of CAM blocks...
  • Page 309 Index merged policy naming conventions......105 peak-burst command...........93 merging policies............101 peak-rate command.............93 configuration example........108 percent-based rates............73 error conditions..........108 platform considerations naming conventions...........105 packet mirroring..........222 persistent configuration differences....106 policies policy attachment rules........106 analyzer interfaces..........244 policy attachment sequence........106 using RADIUS to create reference counting..........106 overview............46 resolving conflicts..........103 policy attachment rules..........106...
  • Page 310 JUNOSe 11.1.x Policy Management Configuration Guide policy parameter show ipv6 interface..........197 considerations............75 show parent-group....203, 204, 209, 211, 212 quick configuration..........77 show policy-parameter........209 reference-rate............73 show rate-limit-profile ........211 policy rule commands show secure classifier-list........271 forward..............37 show vlan subinterfaces......183, 212 forward interface..........37 show ip commands forward next-hop..........37 show ip interface........193, 264 policy rules...
  • Page 311 Index 576–bit size active classifiers in the example policy..171 creation and attachment of an IPv6 policy, example...........171 size of each classifier in the IPv6 policy example...........171 factors to determine available CAM resources......175 for IPv6 classification supported bit sizes........171 maximum IPv6 policies supported with four classifiers per policy.....176 with one classifier per policy.......176 performance impact...
  • Page 312 JUNOSe 11.1.x Policy Management Configuration Guide Index...