Description of a Policy
A policy is a condition and an action that is attached to an interface. The condition
and action cause the router to handle the packets passing through the interface in a
certain way. A policy can be attached to IP interfaces and certain layer 2 interfaces
such as Frame Relay, L2TP, MPLS, and VLAN interfaces. The policies do not need to
be the same in both directions.
Packets are sorted at ingress or egress into packet flows based on attributes defined
in classifier control lists (CLACLs). Policy lists contain rules that associate actions
with these CLACLs. A rule is a policy action optionally combined with a classification.
When packets arrive on an interface, you can have a policy evaluate a condition
before the normal route lookup; this kind of policy is known as an input policy. You
can also have conditions evaluated after a route lookup; this kind of policy is known
as a secondary input policy. You can use secondary input policies to defeat
denial-of-service attacks directed at a router's local interface or to protect a router
from being overwhelmed by legitimate local traffic. If you have a policy applied to
packets before they leave an interface, this is known as an output policy.
Classification is the process of taking a single data stream in and sorting it into
multiple output substreams. The classifier engine on an E Series router is a
combination of PowerPC processors, working with a Field Programmable Gate Array
(FPGA) for a hardware assist.
In the Differentiated Services (DiffServ) architecture, two basic types of classifiers
exist. The first classifier type is a multifield (MF) classifier, which examines multiple
fields in the IP datagram header to determine the service class to which a packet
belongs. The second type of classifier is a behavior aggregate (BA) classifier, which
examines a single field in an IP datagram header and assigns the packet to a service
class based on what it finds.
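
The two classifier types can be compared side by side on the same packet. The following Python sketch is an added illustration, not JUNOSe code or the E Series implementation; the class names, the DSCP table, the rule list, and the sample packet are all constructed assumptions.

```python
import ipaddress
import struct

# Constructed DSCP-to-class table for the BA classifier (example values).
BA_TABLE = {46: "expedited", 0: "best-effort"}

# Constructed MF rules, first match wins: (src prefix, protocol, dst port, class).
# None is a wildcard; 192.0.2.0/24 is a documentation prefix.
MF_RULES = [
    ("192.0.2.0/24", 6, 22, "management"),
    (None, 17, 53, "dns"),
    (None, None, None, "best-effort"),
]

# Constructed sample: UDP from 198.51.100.7 to port 53, marked DSCP 46 by the sender.
SAMPLE = bytes.fromhex("45b8001c0000000040110000c6336407c00002013039003500080000")

def parse_ipv4(packet: bytes) -> dict:
    """Extract the header fields the two classifier types look at."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    fields = {"dscp": packet[1] >> 2, "proto": packet[9],
              "src": ipaddress.IPv4Address(packet[12:16]), "dport": None}
    # Ports exist only for TCP/UDP and only in the first fragment.
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if fields["proto"] in (6, 17) and frag_offset == 0 and len(packet) >= ihl + 4:
        fields["dport"] = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return fields

def ba_classify(packet: bytes) -> str:
    """Behavior aggregate: a single field (DSCP) decides the service class."""
    return BA_TABLE.get(parse_ipv4(packet)["dscp"], "best-effort")

def mf_classify(packet: bytes) -> str:
    """Multifield: several header fields must all match one rule."""
    f = parse_ipv4(packet)
    for prefix, proto, dport, service_class in MF_RULES:
        if prefix and f["src"] not in ipaddress.ip_network(prefix):
            continue
        if proto is not None and f["proto"] != proto:
            continue
        if dport is not None and f["dport"] != dport:
            continue
        return service_class
    return "best-effort"
```

For SAMPLE, the BA classifier follows the sender's DSCP marking and returns "expedited", while the MF rules return "dns". A non-first fragment carries no port field, so it falls through to the catch-all MF rule.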
There are two categories of hardware classifiers, depending on the type of line module
being used. ES2 4G LM, ES2 10G Uplink LM, ES2 10G LM, OC48/STM16, GE-2, and
GE-HDE line modules support content-addressable memory (CAM) hardware
classifiers; all other line modules support FPGA hardware classifiers.
The maximum number of policies that you can attach to interfaces on an E Series
router depends on the classifier entries that make up the policy and the number of
attachment resources available on the interface. JUNOSe software allocates interface
attachment resources when you attach policies to interfaces. E Series routers support
software and hardware classifiers. A policy can be made up of any combination of
software and hardware classifiers.
Policy Platform Considerations
Policy services are supported on all E Series routers.
For information about the modules supported on E Series routers:
Chapter 1: Managing Policies on the E Series Router