Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04, JUNOSE 11.3 Configuration Manual

JunosE™ Software
for E Series™ Broadband
Services Routers

Policy Management Configuration Guide

Release

11.3.x

Published: 2010-10-04

Copyright © 2010, Juniper Networks, Inc.

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

JunosE™ Software for E Series™ Broadband Services Routers Policy Management Configuration Guide

Release 11.3.x
Copyright © 2010, Juniper Networks, Inc.
All rights reserved. Printed in USA.

Writing: Subash Babu Asokan, Krupa Chandrashekar, Diane Florio, Bruce Gillham, Sarah Lesway-Ball, Brian Wesley Simmons, Namrata
Mehta
Editing: Benjamin Mann
Illustration: Nathaniel Woodward
Cover Design: Edmonds Design

Revision History
October 2010—FRS JunosE 11.3.x

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through
the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

Copyright © 2010, Juniper Networks, Inc.ii

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS
CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO
BIND THE CUSTOMER) CONSENT TO BE BOUND BY THISAGREEMENT. IF YOU DO NOTOR CANNOT AGREE TO THE TERMSCONTAINED
HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS
REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or
Juniper Networks(Cayman)Limited(if the Customer’s principaloffice is locatedoutside the Americas) (such applicable entity beingreferred
to herein as“Juniper”), and (ii)the person ororganizationthat originally purchased from Juniperor an authorized Juniper reseller the applicable
license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for
which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by
Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades
and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper
equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicablefeesand the limitations andrestrictions set forthherein, Juniper grantsto Customer
a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the
following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by
Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units
for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access
Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space
and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines
(e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single
chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may
specify limitstoCustomer’suse ofthe Software.Such limitsmay restrict use toa maximum number of seats, registeredendpoints, concurrent
users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of
separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput,
performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use
of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software.
Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the
Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not
extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s
enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the
Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase
the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees
not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized
copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the
Software,in anyform, to anythird party; (d)removeany proprietary notices, labels,or marks on or in any copyof the Software or anyproduct
in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper
equipment sold in thesecondhandmarket;(f) use any‘locked’ orkey-restricted feature,function, service, application,operation,or capability
without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application,
operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

iiiCopyright © 2010, Juniper Networks, Inc.

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i)
use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that
the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking
of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly
provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper,
Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper.
As such, Customer shall exercise all reasonable commercialefforts to maintain the Software and associated documentation in confidence,
which at a minimum includes restrictingaccess to the Software to Customer employees and contractors havinga need to use the Software
for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to
the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance
of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies
of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty
statementthataccompaniesthe Software (the “Warranty Statement”). Nothing inthis Agreement shallgive rise to anyobligation tosupport
the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services
agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA,
OR COSTS ORPROCUREMENT OFSUBSTITUTE GOODSOR SERVICES,OR FORANYSPECIAL,INDIRECT, ORCONSEQUENTIALDAMAGES
ARISING OUTOF THIS AGREEMENT,THE SOFTWARE,OR ANY JUNIPEROR JUNIPER-SUPPLIED SOFTWARE. IN NOEVENT SHALL JUNIPER
BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE.
EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY
AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES
JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT
ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’
or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid
by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by
Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in
reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between
the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same
form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination
of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related
documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from
the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction
shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All
payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in
connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing
Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to
be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with
all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any
liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under
this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any
applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such
restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the
Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without
an export license.

Copyright © 2010, Juniper Networks, Inc.iv

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use,
duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer
with the interface information needed to achieve interoperability between the Software and another independently created program, on
payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use
such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embeddedin the Software and any supplier of Juniper whose products
or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement,
and such licensor or vendor shallhave theright to enforce this Agreement in its own nameas if it were Juniper. In addition, certain third party
software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent
portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such
portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper
will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three
years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA
94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws
principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes
arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal
courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer
with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written
(including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an
authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained
herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing
by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity
of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the
Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de
même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that
this Agreement and all related documentation is and will be in the English language)).

vCopyright © 2010, Juniper Networks, Inc.

Copyright © 2010, Juniper Networks, Inc.vi

Abbreviated Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

Part 1 Policy Management

Chapter 1 Managing Policies on the E Series Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2 Creating Classifier Control Lists for Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 3 Creating Policy Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 4 Creating Classifier Groups and Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Chapter 5 Creating Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Chapter 6 Merging Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Chapter 7 Creating Hierarchical Policies for Interface Groups . . . . . . . . . . . . . . . . . . . . 123

Chapter 8 Policy Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Chapter 9 Monitoring Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Part 2 Packet Mirroring

Chapter 10 Packet Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Chapter 11 Configuring CLI-Based Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Chapter 12 Configuring RADIUS-Based Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Chapter 13 Managing Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Chapter 14 Monitoring Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Part 3 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

viiCopyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

Copyright © 2010, Juniper Networks, Inc.viii

Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

E Series and JunosE Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . xxi

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

E Series and JunosE Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . xxi

Obtaining Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv

Part 1 Policy Management

Chapter 1 Managing Policies on the E Series Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Policy Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Description of a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Policy Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Policy References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Policy Management Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Chapter 2 Creating Classifier Control Lists for Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Classifier Control Lists Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Creating or Modifying Classifier Control Lists for ATM Policy Lists . . . . . . . . . . . . . . 9

Creating or Modifying Classifier Control Lists for Frame-Relay Policy Lists . . . . . . . 9

Creating or Modifying Classifier Control Lists for GRE Tunnel Policy Lists . . . . . . . 10

Creating or Modifying Classifier Control Lists for IP Policy Lists . . . . . . . . . . . . . . . 10

Creating Classifier Control List for Only IP Policy Lists . . . . . . . . . . . . . . . . . . . 10

Setting Up an IP Classifier Control List to Accept Traffic from All

Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Classifying IP Traffic Based on Source and Destination Addresses . . . . . . . . . 11

Using IP Classifier Control Lists to Match Route Class Values . . . . . . . . . . . . . 11

Creating IP Classifier Control Lists for TCP and UDP Ports . . . . . . . . . . . . . . . . 11

Creating an IP Classifier Control List That Matches the ToS Byte . . . . . . . . . . 12

Creating an IP Classifier Control List That Filters ICMP Echo Requests . . . . . . 12

Creating IP Classifier Control Lists That Use TCP or IP Flags . . . . . . . . . . . . . . 12

Creating IP Classifier Control Lists That Match the IP Fragmentation

Offset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Creating or Modifying Classifier Control Lists for IPv6 Policy Lists . . . . . . . . . . . . . 12

Creating or Modifying Classifier Control Lists for L2TP Policy Lists . . . . . . . . . . . . 13

Creating or Modifying Classifier Control Lists for MPLS Policy Lists . . . . . . . . . . . . 13

Creating or Modifying Classifier Control Lists for VLAN Policy Lists . . . . . . . . . . . . 13

ixCopyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

Chapter 3 Creating Policy Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Policy Lists Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Creating Policy Lists for ATM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Creating Policy Lists for Frame Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Creating Policy Lists for GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Creating Policy Lists for IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Creating Policy Lists for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Creating Policy Lists for L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Creating Policy Lists for MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Creating Policy Lists for VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Chapter 4 Creating Classifier Groups and Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Classifier Groups and Policy Rules Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Policy Rule Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Using Policy Rules to Provide Routing Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Configuring Policies to Provide Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Creating an Exception Rule within a Policy Classifier Group . . . . . . . . . . . . . . . . . . 32

Defining Policy Rules for Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Assigning Values to the ATM CLP Bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Enabling ATM Cell Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Enabling IP Options Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Packet Tagging Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Creating Multiple Forwarding Solutions with IP Policy Lists . . . . . . . . . . . . . . . . . . 36

Creating a Classifier Group for a Policy List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Applying Policy Lists to Interfaces and Profiles Overview . . . . . . . . . . . . . . . . . . . 39

Using RADIUS to Create and Apply Policies Overview . . . . . . . . . . . . . . . . . . . . . . 42

Construction of IPv6 Classifiers from the Hexadecimal Ascend-Data-Filter

Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Ascend-Data-Filter Attribute for IPv4/IPv6 Subscribers in a Dual Stack . . . . 45

Examples: Using the Ascend-Data-Filter Attribute for IPv4 Subscribers . . . . . . . . 47

Examples: Using the Ascend-Data-Filter Attribute for IPv6 Subscribers . . . . . . . . 52

Chapter 5 Creating Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Rate Limits for Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Hierarchical Rate Limits Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Hierarchical Classifier Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Hierarchical Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Hierarchical Rate-Limit Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Example: Multiple Flows Sharing Preferred Bandwidth Rate-Limiting

Hierarchical Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Example: Multiple Flows Sharing a Rate Limit Hierarchical Policy . . . . . . . . . 64

Example: Shared Pool of Additional Bandwidth with Select Flows

Rate-Limiting Hierarchical Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Example: Aggregate Marking with Oversubscription Rate-Limiting

Hierarchical Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Color-Aware Configuration for Rate-Limiting Hierarchical Policy . . . . . . . . . 68

Percent-Based Rates for Rate-Limit Profiles Overview . . . . . . . . . . . . . . . . . . . . . 69

Policy Parameter Reference-Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Specifying Rates Within Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Copyright © 2010, Juniper Networks, Inc.x

Table of Contents

Specifying Burst Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Using Service Manager with Merged Policies . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Policy Parameter Configuration Considerations . . . . . . . . . . . . . . . . . . . . . . . . 71

Policy Parameter Quick Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Creating Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

One-Rate Rate-Limit Profiles Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Creating a One-Rate Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Configuring a TCP-Friendly One-Rate Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . 79

Two-Rate Rate-Limits Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Creating a Two-Rate Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Setting the Committed Action for a Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . 85

Setting the Committed Burst for a Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . . 85

Setting the Committed Rate for a Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . . . 86

Setting the Conformed Action for a Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . 86

Setting the Exceeded Action for a Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . . . 87

Setting the Excess Burst for a Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Setting the Mask Value for MPLS Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . . . 88

Setting the Mask Value for IP and IPv6 Rate-Limit Profiles . . . . . . . . . . . . . . . . . . 88

Setting the Peak Burst for Two-Rate Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . 88

Setting the Peak Rate for Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Setting a One-Rate Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Setting a Two-Rate Rate-Limit-Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Bandwidth Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Examples: One-Rate Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Examples: Two-Rate Rate-Limit Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Examples: Rate-Limiting Individual or Aggregate Packet Flows . . . . . . . . . . . 94

Rate-Limiting Traffic Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Chapter 6 Merging Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Merging Policies Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Resolving Policy Merge Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Merged Policy Naming Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Reference Counting for Merged Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Persistent Configuration Differences for Merged Policies Through Service

Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Policy Attachment Sequence at Login Through Service Manager . . . . . . . . . . . . 102

Policy Attachment Rules for Merged Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Error Conditions for Merged Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Merging Policies Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Parent Group Merge Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Overlapping Classification for IP Input Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Starting Policy Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Processing the Classifier Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Processing the Auxiliary-Input Policy Attachment . . . . . . . . . . . . . . . . . . . . . 120

Policy Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Chapter 7 Creating Hierarchical Policies for Interface Groups . . . . . . . . . . . . . . . . . . . . 123

Hierarchical Policies for Interface Groups Overview . . . . . . . . . . . . . . . . . . . . . . . 123

External Parent Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Example: Configuring Hierarchical Policy Parameters . . . . . . . . . . . . . . . . . . . . . 124

xiCopyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

Hierarchical Aggregation Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

RADIUS and Profile Configuration for Hierarchical Policies . . . . . . . . . . . . . . . . . . 127

Applying a Profile to Interfaces with Service Manager . . . . . . . . . . . . . . . . . . . . . . 127

Hierarchical Policy Configuration Considerations . . . . . . . . . . . . . . . . . . . . . . . . . 127

Example: Hierarchical Policy Quick Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 128

Example: Configuring Hierarchical Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Example: VLAN Rate Limit Hierarchical Policy for Interface Groups

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Example: Wholesale L2TP Model Hierarchical Policy Configuration . . . . . . . . . . 135

Example: Aggregate Rate Limit for All Nonvoice Traffic Hierarchical Policy

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Example: Arbitrary Interface Groups Hierarchical Policy Configuration . . . . . . . . 140

Example: Service and User Rate-Limit Hierarchy Overlap Hierarchical Policy

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Example: Percentage-Based Hierarchical Rate-Limit Profile for External Parent

Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Example: PPP Interfaces Hierarchical Policy Configuration . . . . . . . . . . . . . . . . . 147

Chapter 8 Policy Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Policy Resources Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

FPGA Hardware Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

CAM Hardware Classifiers Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Size Limit for IP and IPv6 CAM Hardware Classifiers . . . . . . . . . . . . . . . . . . . . . . 155

IP Classifiers and Size Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

IPv6 Classifiers and Size Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Creating and Attaching a Policy with IP Classifiers . . . . . . . . . . . . . . . . . . . . . . . . 160

Variable-Sized CAM Classification for IPv6 Policies Examples . . . . . . . . . . . . . . . 162

144-bit IPv6 Classification Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

288-bit IPv6 Classification Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

576-bit IPv6 Classification Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Performance Impact and Scalability Considerations . . . . . . . . . . . . . . . . . . . . . . 166

Performance Impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Scalability Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

CAM Device Block Size and CAM Entry Allocation . . . . . . . . . . . . . . . . . 167

Number of CAM Entries Per Allocation and Free Entries . . . . . . . . . . . . 167

Software Classifiers Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Interface Attachment Resources Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

CAM Hardware Classifiers and Interface Attachment Resources . . . . . . . . . . . . . 171

Range Vector Hardware Classifiers and Interface Attachment Resources . . . . . . 171

Chapter 9 Monitoring Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Monitoring Policy Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Setting a Statistics Baseline for Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Monitoring the Policy Configuration of ATM Subinterfaces . . . . . . . . . . . . . . . . . . 175

Monitoring Classifier Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Monitoring Color-Mark Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Monitoring Control Plane Policer Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Monitoring the Policy Configuration of Frame Relay Subinterfaces . . . . . . . . . . . 180

Monitoring GRE Tunnel Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Monitoring Interfaces and Policy Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Copyright © 2010, Juniper Networks, Inc.xii

Table of Contents

Monitoring the Policy Configuration of IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . 185

Monitoring the Policy Configuration of IPv6 Interfaces . . . . . . . . . . . . . . . . . . . . . 189

Monitoring the Policy Configuration of Layer 2 Services over MPLS . . . . . . . . . . . 193

Monitoring External Parent Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Monitoring Policy Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Monitoring Policy List Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Monitoring Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Monitoring the Policy Configuration of VLAN Subinterfaces . . . . . . . . . . . . . . . . 205

Packet Flow Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Part 2 Packet Mirroring

Chapter 10 Packet Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Packet Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Comparing CLI-Based Mirroring and RADIUS-Based Mirroring . . . . . . . . . . . . . . 214

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Packet-Mirroring Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Packet Mirroring Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Packet Mirroring References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Chapter 11 Configuring CLI-Based Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

CLI-Based Packet Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Enabling and Securing CLI-Based Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . 220

Reloading a CLI-Based Packet-Mirroring Configuration . . . . . . . . . . . . . . . . . . . . 222

Using TACACS+ and Vty Access Lists to Secure Packet Mirroring . . . . . . . . . . . . 222

Using Vty Access Lists to Secure Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . 222

CLI-Based Packet Mirroring Sequence of Events . . . . . . . . . . . . . . . . . . . . . . . . . 223

Configuring CLI-Based Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Configuring Triggers for CLI-Based Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Configuring the Analyzer Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Configuring the E Series Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

Example: Configuring CLI-Based Interface-Specific Mirroring . . . . . . . . . . . . . . . 228

Example: Configuring CLI-Based User-Specific Mirroring . . . . . . . . . . . . . . . . . . 229

Chapter 12 Configuring RADIUS-Based Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

RADIUS-Based Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

RADIUS Attributes Used for Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

RADIUS-Based Packet Mirroring Dynamically Created Secure Policies . . . . . . . . 235

RADIUS-Based Packet Mirroring MLPPP Sessions . . . . . . . . . . . . . . . . . . . . . . . . 235

RADIUS-Based Mirroring Sequence of Events . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Configuring Router to Start Mirroring When User Logs On . . . . . . . . . . . . . . . . . . 237

Configuring Router to Mirror Users Already Logged In . . . . . . . . . . . . . . . . . . . . . 238

xiiiCopyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

Chapter 13 Managing Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Avoiding Conflicts Between Multiple Packet Mirroring Configurations . . . . . . . . . 241

Understanding the Prepended Header During a Packet Mirroring Session . . . . . 243

Format of the Mirror Header Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

8-Byte Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

4-Byte Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Resolving and Tracking the Analyzer Device’s Address . . . . . . . . . . . . . . . . . . . . 246

Using Multiple Triggers for CLI-Based Packet Mirroring . . . . . . . . . . . . . . . . . . . . 247

Optimizing Packet Mirroring Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Determine Traffic Loads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Establish Resource Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Logging Packet Mirroring Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Using SNMP Secure Packet Mirroring Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Additional Packet-Mirroring Traps for CALEA Compliance . . . . . . . . . . . . . . 251

Packet Mirroring Trap Severity Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Configuring SNMP Secure Packet Mirroring Traps . . . . . . . . . . . . . . . . . . . . . . . . 253

Capturing SNMP Secure Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Chapter 14 Monitoring Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Monitoring Packet Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Monitoring CLI-Based Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Monitoring the Packet Mirroring Configuration of IP Interfaces . . . . . . . . . . . . . . 259

Monitoring Failure Messages for Secure Policies . . . . . . . . . . . . . . . . . . . . . . . . . 260

Monitoring Packet Mirroring Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Monitoring Packet Mirroring Subscriber Information . . . . . . . . . . . . . . . . . . . . . . 262

Monitoring RADIUS Dynamic-Request Server Information . . . . . . . . . . . . . . . . . 263

Monitoring Secure CLACL Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Monitoring Secure Policy Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Monitoring Information for Secure Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Monitoring SNMP Secure Packet Mirroring Traps . . . . . . . . . . . . . . . . . . . . . . . . . 269

Monitoring SNMP Secure Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

Part 3 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Copyright © 2010, Juniper Networks, Inc.xiv

List of Figures

Part 1 Policy Management

Chapter 3 Creating Policy Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Figure 1: Constructing an IP Policy List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 5 Creating Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Figure 2: Multiple Flows Sharing Preferred Bandwidth . . . . . . . . . . . . . . . . . . . . . . 63

Figure 3: Multiple Packet Flows Sharing a Rate Limit . . . . . . . . . . . . . . . . . . . . . . . 64

Figure 4: Shared Pool of Additional Bandwidth with Select Flows . . . . . . . . . . . . 65

Figure 5: Aggregate Marking with Oversubscription . . . . . . . . . . . . . . . . . . . . . . . . 67

Figure 6: Congestion Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Chapter 6 Merging Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Figure 7: Input Policy with Primary Stage and Auxiliary Substage . . . . . . . . . . . . . 119

Chapter 7 Creating Hierarchical Policies for Interface Groups . . . . . . . . . . . . . . . . . . . . 123

Figure 8: Configuration Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Figure 9: VLAN Rate-Limit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Figure 10: Interface Stack for Wholesale L2TP Mode . . . . . . . . . . . . . . . . . . . . . . 135

Figure 11: Wholesale L2TP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Figure 12: Interface Stack for Aggregate Rate Limit . . . . . . . . . . . . . . . . . . . . . . . . 138

Figure 13: Aggregate Rate Limit for Nonvoice Traffic Configuration . . . . . . . . . . . 139

Figure 14: Interface Stack for Arbitrary Interface Groups . . . . . . . . . . . . . . . . . . . . 141

Figure 15: Arbitrary Interface Groups Configuration . . . . . . . . . . . . . . . . . . . . . . . . 141

Figure 16: Interface Stack for Service and User Rate-Limit Hierarchy Overlap . . . 143

Figure 17: Service and User Rate-Limit Hierarchy Overlap Configuration . . . . . . . 144

Figure 18: Interface Stack for Hierarchical Policy Configuration . . . . . . . . . . . . . . 148

Part 2 Packet Mirroring

Chapter 11 Configuring CLI-Based Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Figure 19: CLI-Based Interface Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Figure 20: CLI-Based Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Chapter 12 Configuring RADIUS-Based Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Figure 21: RADIUS-Based Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Chapter 13 Managing Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Figure 22: Prepended Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Figure 23: 8-Byte Format of VSA 26-59 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Figure 24: 4-Byte Format of VSA 26-59 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

xvCopyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

Copyright © 2010, Juniper Networks, Inc.xvi

List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii

Part 1 Policy Management

Chapter 2 Creating Classifier Control Lists for Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Table 3: CLACL Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 4 Creating Classifier Groups and Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Table 4: Policy Rule Commands and Precedence . . . . . . . . . . . . . . . . . . . . . . . . . 29

Table 5: Ascend-Data-Filter Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Table 6: Ascend-Data-Filter Attribute for an Input Policy on an IPv4

Table 7: Ascend-Data-Filter Attribute Values for a RADIUS Record . . . . . . . . . . . . 51

Table 8: Ascend-Data-Filter Attribute for an Output Policy on an IPv6

Table 9: Ascend-Data-Filter Attribute for an Input Policy on an IPv6

Chapter 5 Creating Rate-Limit Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Table 10: TCP-Friendly One-Rate Rate-Limit Profile Algorithms . . . . . . . . . . . . . . 81

Table 11: Policy Action Applied Based on Rate Settings and Traffic Rate . . . . . . . 83

Table 12: Two-Rate Rate-Limit Profile Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 83

Table 13: One-Rate Rate-Limit-Profile Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Table 14: Two-Rate Rate-Limit-Profile Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Chapter 6 Merging Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Table 15: Input Action and Secondary Input Actions . . . . . . . . . . . . . . . . . . . . . . . 121

Chapter 7 Creating Hierarchical Policies for Interface Groups . . . . . . . . . . . . . . . . . . . . 123

Table 16: Shorthand Notation Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Chapter 8 Policy Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Table 17: Classifier Support (OC48/STM16, GE-2, and GE-HDE Line

Table 18: Classifier Support (All Line Modules Except OC48/STM16, GE-2, and

Table 19: Size Limit of Individual IP Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Table 20: Size Limit of Combined IP Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Table 21: Size Limit of Individual IPv6 Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Table 22: Size Limit of Combined IPv6 Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . 159

Table 23: Classification Fields for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Modules) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

GE-HDE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

xviiCopyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

Table 24: Classification Fields for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Table 25: IPv6 Classification Fields for a 144-bit CAM Entry . . . . . . . . . . . . . . . . . 164

Table 26: IPv6 Classification Fields for a 288-bit CAM Entry . . . . . . . . . . . . . . . . 164

Table 27: IPv6 Classification Fields for a 576-bit CAM Entry . . . . . . . . . . . . . . . . . 165

Table 28: Maximum Policies with One Classifier per Policy for GE-2 LMs . . . . . . 168

Table 29: Maximum Policies with Four Classifiers per Policy for GE-2 LMs . . . . . 169

Table 30: Resource Consumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Chapter 9 Monitoring Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Table 31: show atm subinterface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Table 32: show classifier-list Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Table 33: show color-mark-profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 179

Table 34: show control-plane policer Output Fields . . . . . . . . . . . . . . . . . . . . . . . 180

Table 35: show frame-relay subinterface Output Fields . . . . . . . . . . . . . . . . . . . . 181

Table 36: show gre tunnel Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Table 37: show interfaces Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Table 38: show ip interfaces Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Table 39: show ipv6 interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Table 40: show mpls l2transport interface Output Fields . . . . . . . . . . . . . . . . . . 194

Table 41: show parent-group Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Table 42: show policy-list Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

Table 43: show policy-parameter Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 203

Table 44: show rate-limit-profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Table 45: show vlan subinterface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 205

Part 2 Packet Mirroring

Chapter 10 Packet Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Table 46: Packet-Mirroring Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Chapter 11 Configuring CLI-Based Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Table 47: Commands Made Visible by the mirror-enable Command . . . . . . . . . . 221

Table 48: Setting Up the CLI-Based Packet-Mirroring Environment . . . . . . . . . . 223

Table 49: CLI-Based User-Specific Mirroring During Session Start . . . . . . . . . . . 224

Table 50: CLI-Based Mirroring of Currently Running Session . . . . . . . . . . . . . . . . 224

Chapter 12 Configuring RADIUS-Based Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Table 51: RADIUS Attributes Used as Packet Mirroring Triggers (Vendor ID

4874) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Table 52: RADIUS Attributes Used as Packet Mirroring Triggers (Vendor ID

3561) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Table 53: RADIUS-Based Mirroring Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Table 54: Setting Up the RADIUS-Based Packet-Mirroring Environment . . . . . . 236

Table 55: RADIUS-Based Mirroring During Session Start (User-Initiated) . . . . . . 237

Table 56: RADIUS-Based Mirroring of Currently Running Session

(RADIUS-Initiated) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Chapter 13 Managing Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Table 57: Prepended Header Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Table 58: Packet-Mirroring SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Table 59: Packet-Mirroring Traps for CALEA Compliance . . . . . . . . . . . . . . . . . . 252

Copyright © 2010, Juniper Networks, Inc.xviii

List of Tables

Table 60: Packet Mirroring Trap Severity Levels . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Chapter 14 Monitoring Packet Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Table 61: show ip interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

Table 62: show ip mirror interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 260

Table 63: show mirror log Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

Table 64: show mirror rules Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Table 65: show mirror subscribers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 262

Table 66: show radius dynamic-request statistics Output Fields . . . . . . . . . . . . 263

Table 67: show secure classifier-list Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 265

Table 68: show secure policy-list Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 268

Table 69: show mirror log Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Table 70: show snmp trap Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

Table 71: show snmp secure-log Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

xixCopyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

Copyright © 2010, Juniper Networks, Inc.xx

About the Documentation

•

E Series and JunosE Documentation and Release Notes on page xxi

•

Audience on page xxi

•

E Series and JunosE Text and Syntax Conventions on page xxi

•

Obtaining Documentation on page xxiii

•

Documentation Feedback on page xxiii

•

Requesting Technical Support on page xxiii

E Series and JunosE Documentation and Release Notes

For a list of related JunosE documentation, see

http://www.juniper.net/techpubs/software/index.html .

If the information in the latest release notes differs from the information in the
documentation, follow the JunosE Release Notes.

To obtain the most current version of all Juniper Networks®technical documentation,
see the product documentation page on the Juniper Networks website at

http://www.juniper.net/techpubs/.

Audience

This guide is intended for experienced system and network specialists working with
Juniper Networks E SeriesBroadband Services Routers in an Internet access environment.

E Series and JunosE Text and Syntax Conventions

Table 1 on page xxii defines notice icons used in this documentation.

xxiCopyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

Table 1: Notice Icons

Table 2 on page xxii defines text and syntax conventions that we use throughout the
E Series and JunosE documentation.

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

Table 2: Text and Syntax Conventions

Representscommandsand keywordsin text.Bold text like this

Fixed-width text like this

Italic text like this

Plus sign (+) linking key names

Syntax Conventions in the Command Reference Guide

Representsinformationas displayedon your
terminal’s screen.

•

Emphasizes words.

•

Identifies variables.

•

Identifies chapter, appendix, and book
names.

keys simultaneously.

ExamplesDescriptionConvention

•

Issue the clock source command.

•

Specify the keyword exp-msg.

host1(config)#traffic class low-loss1Represents text that the user must type.Bold text like this

host1#show ip ospf 2

Routing Process OSPF 2 with Router
ID 5.5.0.250

Router is an Area Border Router
(ABR)

•

There are two levels of access: user and
privileged.

•

clusterId, ipAddress.

•

Appendix A, System Specifications

Press Ctrl + b.Indicates that you must press two or more

terminal lengthRepresents keywords.Plain text like this

mask, accessListNameRepresents variables.Italic text like this

Copyright © 2010, Juniper Networks, Inc.xxii

Table 2: Text and Syntax Conventions (continued)

About the Documentation

ExamplesDescriptionConvention

| (pipe symbol)

or variable to the left or to the right of this
symbol. (The keyword or variable can be
either optional or required.)

[ ]* (brackets and asterisk)

that can be entered more than once.

Represent required keywords or variables.{ } (braces)

Obtaining Documentation

To obtain the most current version of all Juniper Networks technical documentation, see
the Technical Documentation page on the Juniper Networks Web site at

http://www.juniper.net/.

To download complete sets of technical documentation to create your own
documentation CD-ROMs or DVD-ROMs, see the Portable Libraries page at

http://www.juniper.net/techpubs/resources/index.html

diagnostic | lineRepresents a choice to select one keyword

[ internal | external ]Represent optional keywords or variables.[ ] (brackets)

[ level1 | level2 | l1 ]*Represent optional keywords or variables

{ permit | deny } { in | out }

{ clusterId | ipAddress }

Copies of the Management Information Bases (MIBs) for a particular software release
are available for download in the software image bundle from the Juniper Networks Web
site athttp://www.juniper.net/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation to better meet your needs. Send your comments to

techpubs-comments@juniper.net, or fill out the documentation feedback form at

https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include

the following information with your comments:

•

Document or topic name

•

URL or page number

•

Software release version

Requesting Technical Support

Technical productsupport isavailable through theJuniper NetworksTechnical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

xxiiiCopyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/ .

•

JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Search for known bugs: http://www2.juniper.net/kb/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verifyservice entitlement by product serialnumber, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see

http://www.juniper.net/support/requesting-support.html .

Copyright © 2010, Juniper Networks, Inc.xxiv

PART 1

Policy Management

•

Managing Policies on the E Series Router on page 3

•

Creating Classifier Control Lists for Policies on page 7

•

Creating Policy Lists on page 15

•

Creating Classifier Groups and Policy Rules on page 27

•

Creating Rate-Limit Profiles on page 57

•

Merging Policies on page 97

•

Creating Hierarchical Policies for Interface Groups on page 123

•

Policy Resources on page 151

•

Monitoring Policy Management on page 173

1Copyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

Copyright © 2010, Juniper Networks, Inc.2

CHAPTER 1

Managing Policies on the E Series Router

This chapter discusses the following topics:

•

Policy Management Overview on page 3

•

Description of a Policy on page 5

•

Policy Platform Considerations on page 5

•

Policy References on page 6

•

Policy Management Configuration Tasks on page 6

Policy Management Overview

This chapter introduces policy-based routing management on E Series routers. Policy
management enables you to configure, manage, and monitor policies that selectively
cause packets to take different pathswithout requiring a routingtablelookup.The JunosE
Software’s packet-mirroring feature uses secure policies.

Policy management enables network service providers to configure services that
customize the treatment of individual packet flows received on a subscriber’s interface.
The main tool for implementing policy management is a policy list. A policy list is a set
of rules, each of which specifies a policy action. A rule is a policy action optionally
combined with a classification.

Packets are sorted at ingress or egress into packet flows based on attributes defined in
classifier control lists (CLACLs). You can apply policy lists to packets arriving and leaving
an interface. You can use policy management on ATM, Frame Relay, generic routing
encapsulation (GRE), IP, IPv6, Layer 2 Tunneling Protocol (L2TP), Multiprotocol Label
Switching (MPLS), and virtual local area network (VLAN) traffic.

Policy management provides:

•

Policy routing—Predefines a classified packet flow to a destination port or IP address.
The router doesnot perform arouting table lookup onthe packet. This provides superior
performance for real-time applications.

•

Bandwidth management—Rate-limits a classified packet flow at ingress to enforce
ingress data rates below thephysical line rateof a port, A rate-limit profile with a policy
rate-limit profile rule provides this capability. You can construct policies to provide rate
limiting for individual packet flowsor for the aggregate of multiple packetflows. Juniper

3Copyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

Networks E Series Broadband Services Router rate limits are calculated based on the
layer 2 packet size. To configure rate limiting, you first create a rate-limit profile, which
is a set of bandwidth attributes and associated actions. You next create a policy list
with a rule that has rate limit as the action and associate a rate-limit profile with this
rule. You can configure rate-limit profiles to provide a variety of services, including
tiered bandwidth service where traffic conforming to configured bandwidth levels is
treated differently than traffic that exceeds the configured values, and a hard-limit
service where a fixed bandwidth limit is applied to a traffic flow. Finally, you can
configure rate-limit profiles to provide a TCP-friendly rate-limiting service that works
in conjunction with TCP’s native flow-control functionality.

•

Security—Provides a level of network security by using policy rules that selectively
forwardor filter packet flows. Youcan use a filter rule to stop adenial-of-service attack.
You can use secure policies to mirror packets and send them to an analyzer.

•

RADIUS policy support—Enables you to create and attach a policy to an interface
through RADIUS.

•

Packet tagging—Enables the traffic-class rule in policies to tag a packet flow so that
the Quality of Service (QoS) application can providetraffic-class queuing. Policies can
perform both in-band and out-of-band packet tagging.

•

Packet forwarding—Allows forwarding of packets in a packet flow.

•

Packet filtering—Drops packets in a packet flow.

•

Packetmirroring—Uses secure policiesto mirror packets and send them to an analyzer.

•

Packet logging—Logs packets in a packet flow.

Policy management gives you the CLI tools to build databases, which can then be drawn
from to implement a policy. Each database contains global traffic specifications. When
building a policy, you specify input from one or more of these databases and then attach
the policy to an interface. By combining the information from the various databases into
policies, you can deploy a wide variety of services.

NOTE: When applying policies to interfaces that are managed by the SRC,

avoid using any other policy management tools, such as CLI, RADIUS, CoA,
or Service Manager. SRC is not compatible with other types of policy
management tools. When policies are applied to the interface before SRC
management begins, such as at access-accept time, these policies are
properly replaced.However,if other policy managers change existing policies
while SRC management is active, problems can occur. The precedence of
each source when modifying configurations is:

•

If you have a pre-configured policy through CLI as part of subscriber
PVC/VLANprovisioning,SRC overwritesthe policy when the SRC manages
the interface

•

If you have a policy in the Access-Accept, SRC overwrites the policy when
the SRC manages the interface

Copyright © 2010, Juniper Networks, Inc.4

Description of a Policy

A policy is a condition and an action that is attached to an interface. The condition and
action cause the router to handle the packets passing through the interface in a certain
way. A policycan beattachedto IP interfaces and certainlayer2 interfacessuch as Frame
Relay, L2TP, MPLS,and VLAN interfaces. The policies do not need to be the same in both
directions.

Packets are sorted at ingress or egress into packet flows based on attributes defined in
classifier control lists. Policy lists contain rules that associate actions with these CLACLs.
A rule is a policy action optionally combined with a classification.

When packets arrive on an interface, you can have a policy evaluate a condition before
the normal route lookup; this kind of policy is known as an input policy. You can also have
conditions evaluated after a route lookup; this kind of policy is known as a secondary
input policy. You can use secondary input policies to defeat denial-of-service attacks
directed at a router’s local interface or to protect a router from being overwhelmed by
legitimate local traffic. If you have a policy applied to packets before they leave an
interface, this is known as an output policy.

Chapter 1: Managing Policies on the E Series Router

Classification is the process of taking a single data stream in and sorting it into multiple
output substreams. The classifier engine on an E Series router is a combination of PowerPC
processors, working with a Field ProgrammableGate Array (FPGA) for a hardware assist.

In the Differentiated Services (DiffServ) architecture, two basic types of classifiers exist.
The first classifier type is a multifield (MF) classifier, which examines multiple fields in
the IP datagram header to determine the service class to which a packet belongs. The
second type of classifier is a behavior aggregate (BA) classifier, which examines a single
field in an IP datagram header and assigns the packet to a service class based on what
it finds.

There are two categories of hardware classifiers, depending on the type of line module
being used. ES2 4G LM, ES210G Uplink LM, ES210G LM, OC48/STM16,GE-2, and GE-HDE
line modules support content-addressable memory (CAM) hardware classifiers—all
other line modules support FPGA hardware classifiers.

The maximum number of policies that you can attach to interfaces on an E Series router
depends on the classifier entries that make up the policy and the number of attachment
resources available on the interface. JunosE Software allocates interface attachment
resources when you attach policies to interfaces. E Series routers support software and
hardware classifiers. A policy can be made up of any combination of software and
hardware classifiers.

Policy Platform Considerations

Policy services are supported on all E Series routers.

For information about the modules supported on E Series routers:

5Copyright © 2010, Juniper Networks, Inc.

JunosE 11.3.x Policy Management Configuration Guide

•

See the ERXModuleGuide for modulessupportedon ERX7xx models,ERX14xx models,
and the Juniper Networks ERX310 Broadband Services Router.

•

See the E120 and E320 Module Guide for modules supported on the Juniper Networks
E120 and E320 Broadband Services Routers.

Policy References

For more information about policy management, see the following resources:

•

RFC 2474—Definition of the Differentiated Services Field (DS Field) in the IPv4 and
IPv6 Headers (December 1998)

•

RFC 2475—An Architecture for Differentiated Services (December 1998)

•

RFC 2697—A Single Rate Three Color Marker (September 1999)

•

RFC 2698—A Two Rate Three Color Marker (September 1999)

•

RFC 3198—Terminology for Policy-Based Management (November 2001)

Policy Management Configuration Tasks

Perform the required tasks and also any optional tasks that you need for your policy
management configuration:

1. Create a CLACL (optional).

See “Classifier Control Lists Overview” on page 7

2. Create a rate-limit profile (optional).

See “Creating Rate-Limit Profiles” on page 73

3. Create a policy list.

See “Policy Lists Overview” on page 15

4. Create a classifier group.

See “Classifier Groups and Policy Rules Overview” on page 27

5. Create one or more policy rules within the classifier group.

See “Rate Limits for Interfaces Overview” on page 58

6. Apply a policy list to an interface or profile.

See “Classifier Groups and Policy Rules Overview” on page 27

Copyright © 2010, Juniper Networks, Inc.6