Juniper POLICY MANAGEMENT - CONFIGURATION GUIDE V11.1.X, E Series Configuration Manual
JUNOSe™ Software
for E Series™ Broadband Services Routers
Policy Management Configuration Guide
Release 11.1.x
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Published: 2010-04-06
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or
registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
JUNOSe™ Software for E Series™ Broadband Services Routers Policy Management Configuration Guide
Release 11.1.x
Copyright © 2010, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Writing: Subash Babu Asokan, Krupa Chandrashekar, Diane Florio, Bruce Gillham, Sarah Lesway-Ball, Brian Wesley Simmons, Namrata Mehta
Editing: Benjamin Mann
Illustration: Nathaniel Woodward
Cover Design: Edmonds Design
Revision History
April 2010—FRS JUNOSe 11.1.x
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS Software has no known time-related limitations through the year
2038. However, the NTP application is known to have some difficulty in the year 2036.
ii ■
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,
INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER
OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS
AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,
AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks
(Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii)
the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”)
(collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer
has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer
purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded
Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements
which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive
and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper
or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer
has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use
such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the
Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether
such computers or virtualizations are physically contained on a single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to
Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,
connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features,
functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing,
temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software
to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable
licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer
may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial
period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network.
Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any
commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable
license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall
not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as
necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove
any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of
the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted
feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even
if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper
to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper
reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the
Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to
any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish
such records to Juniper and certify its compliance with this Agreement.
■ iii
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer
shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in
the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that
accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED
BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY
JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,
JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,
OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether
in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or
if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper
has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),
and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s
possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of
the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior
to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any
applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper
with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that
would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder.
Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related
to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this
Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption
or other capabilities restricting Customer’s ability to export the Software without an export license.
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure
by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,
FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface
information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.
Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable
terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology
are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the
Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License
(“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate)
available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and
a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions
of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties
hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement
constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous
iv ■
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a
separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict
with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in
writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the
remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English
version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout
avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be
in the English language)).
■ v
vi ■
Abbreviated Table of Contents
About the Documentation xxiii
Part 1 Policy Management
Chapter 1 Managing Policies on the E Series Router 3
Chapter 2 Creating Classifier Control Lists for Policies 7
Chapter 3 Creating Policy Lists 17
Chapter 4 Creating Classifier Groups and Policy Rules 31
Chapter 5 Creating Rate-Limit Profiles 61
Chapter 6 Merging Policies 101
Chapter 7 Creating Hierarchical Policies for Interface Groups 129
Chapter 8 Policy Resources 159
Chapter 9 Monitoring Policy Management 181
Part 2 Packet Mirroring
Chapter 10 Packet Mirroring Overview 219
Chapter 11 Configuring CLI-Based Packet Mirroring 225
Chapter 12 Configuring RADIUS-Based Mirroring 239
Chapter 13 Managing Packet Mirroring 247
Chapter 14 Monitoring Packet Mirroring 263
Part 3 Index
Index 281
Abbreviated Table of Contents ■ vii
JUNOSe 11.1.x Policy Management Configuration Guide
viii ■
Table of Contents
About the Documentation xxiii
E Series and JUNOSe Documentation and Release Notes ............................xxiii
Audience ....................................................................................................xxiii
E Series and JUNOSe Text and Syntax Conventions ....................................xxiii
Obtaining Documentation ...........................................................................xxv
Documentation Feedback ............................................................................xxv
Requesting Technical Support ......................................................................xxv
Self-Help Online Tools and Resources ..................................................xxvi
Opening a Case with JTAC ....................................................................xxvi
Part 1 Policy Management
Chapter 1 Managing Policies on the E Series Router 3
Policy Management Overview .........................................................................3
Description of a Policy ....................................................................................5
Policy Platform Considerations ........................................................................5
Policy References ............................................................................................6
Policy Management Configuration Tasks .........................................................6
Chapter 2 Creating Classifier Control Lists for Policies 7
Classifier Control Lists Overview .....................................................................7
Creating or Modifying Classifier Control Lists for ATM Policy Lists ................10
Creating or Modifying Classifier Control Lists for Frame-Relay Policy
Creating or Modifying Classifier Control Lists for GRE Tunnel Policy Lists .....10
Creating or Modifying Classifier Control Lists for IP Policy Lists ....................11
Lists ........................................................................................................10
Creating Classifier Control List for Only IP Policy Lists ............................11
Setting Up an IP Classifier Control List to Accept Traffic from All
Sources .............................................................................................11
Classifying IP Traffic Based on Source and Destination Addresses ..........11
Using IP Classifier Control Lists to Match Route Class Values ..................12
Creating IP Classifier Control Lists for TCP and UDP Ports ......................12
Creating an IP Classifier Control List That Matches the ToS Byte .............13
Creating an IP Classifier Control List That Filters ICMP Echo
Requests ...........................................................................................13
Creating IP Classifier Control Lists That Use TCP or IP Flags ...................13
Table of Contents ■ ix
JUNOSe 11.1.x Policy Management Configuration Guide
Creating IP Classifier Control Lists That Match the IP Fragmentation
Offset ...............................................................................................13
Creating or Modifying Classifier Control Lists for IPv6 Policy Lists .................14
Creating or Modifying Classifier Control Lists for L2TP Policy Lists ................14
Creating or Modifying Classifier Control Lists for MPLS Policy Lists ...............14
Creating or Modifying Classifier Control Lists for VLAN Policy Lists ...............15
Chapter 3 Creating Policy Lists 17
Policy Lists Overview ....................................................................................17
Creating Policy Lists for ATM .........................................................................19
Creating Policy Lists for Frame Relay ............................................................21
Creating Policy Lists for GRE Tunnels ............................................................23
Creating Policy Lists for IP .............................................................................24
Creating Policy Lists for IPv6 .........................................................................25
Creating Policy Lists for L2TP ........................................................................27
Creating Policy Lists for MPLS .......................................................................27
Creating Policy Lists for VLANs ......................................................................28
Chapter 4 Creating Classifier Groups and Policy Rules 31
Classifier Groups and Policy Rules Overview .................................................31
Policy Rule Precedence .................................................................................32
Using Policy Rules to Provide Routing Solutions ............................................35
Configuring Policies to Provide Network Security ..........................................35
Creating an Exception Rule within a Policy Classifier Group ..........................36
Defining Policy Rules for Forwarding ............................................................37
Assigning Values to the ATM CLP Bit .............................................................38
Enabling ATM Cell Mode ...............................................................................39
Enabling IP Options Filtering .........................................................................39
Packet Tagging Overview ..............................................................................40
Creating Multiple Forwarding Solutions with IP Policy Lists ...........................40
Creating a Classifier Group for a Policy List ...................................................42
Applying Policy Lists to Interfaces and Profiles Overview ..............................43
Using RADIUS to Create and Apply Policies Overview ...................................46
Construction of IPv6 Classifiers from the Hexadecimal Ascend-Data-Filter
Attribute ...........................................................................................49
Ascend-Data-Filter Attribute for IPv4/IPv6 Subscribers in a Dual
Stack ................................................................................................49
Examples: Using the Ascend-Data-Filter Attribute for IPv4 Subscribers .........51
Examples: Using the Ascend-Data-Filter Attribute for IPv6 Subscribers .........56
Chapter 5 Creating Rate-Limit Profiles 61
Rate Limits for Interfaces Overview ..............................................................62
Hierarchical Rate Limits Overview ................................................................63
x ■ Table of Contents
Hierarchical Classifier Groups .................................................................64
Hierarchical Rate-Limit Profiles ...............................................................64
Hierarchical Rate-Limit Actions ...............................................................65
Table of Contents
Example: Multiple Flows Sharing Preferred Bandwidth Rate-Limiting
Hierarchical Policy ............................................................................67
Example: Multiple Flows Sharing a Rate Limit Hierarchical Policy ..........68
Example: Shared Pool of Additional Bandwidth with Select Flows
Rate-Limiting Hierarchical Policy ......................................................69
Example: Aggregate Marking with Oversubscription Rate-Limiting
Hierarchical Policy ............................................................................70
Color-Aware Configuration for Rate-Limiting Hierarchical Policy .............72
Percent-Based Rates for Rate-Limit Profiles Overview ...................................73
Policy Parameter Reference-Rate ............................................................74
Specifying Rates Within Rate-Limit Profiles ............................................74
Specifying Burst Sizes .............................................................................75
Using Service Manager with Merged Policies ..........................................75
Policy Parameter Configuration Considerations ......................................75
Policy Parameter Quick Configuration ...........................................................77
Creating Rate-Limit Profiles ...........................................................................77
One-Rate Rate-Limit Profiles Overview ..........................................................82
Creating a One-Rate Rate-Limit Profile ..........................................................83
Configuring a TCP-Friendly One-Rate Rate-Limit Profile ................................84
Two-Rate Rate-Limits Overview ....................................................................86
Creating a Two-Rate Rate-Limit Profile ..........................................................88
Setting the Committed Action for a Rate-Limit Profile ...................................89
Setting the Committed Burst for a Rate-Limit Profile .....................................90
Setting the Committed Rate for a Rate-Limit Profile ......................................91
Setting the Conformed Action for a Rate-Limit Profile ...................................91
Setting the Exceeded Action for a Rate-Limit Profile ......................................91
Setting the Excess Burst for a Rate-Limit Profile ............................................92
Setting the Mask Value for MPLS Rate-Limit Profiles ......................................92
Setting the Mask Value for IP and IPv6 Rate-Limit Profiles ............................92
Setting the Peak Burst for Two-Rate Rate-Limit Profiles .................................93
Setting the Peak Rate for Rate-Limit Profiles .................................................93
Setting a One-Rate Rate-Limit Profile ............................................................94
Setting a Two-Rate Rate-Limit-Profile ............................................................95
Bandwidth Management Overview ...............................................................97
Examples: One-Rate Rate-Limit Profile ...................................................98
Examples: Two-Rate Rate-Limit Profile ...................................................98
Examples: Rate-Limiting Individual or Aggregate Packet Flows ...............99
Rate-Limiting Traffic Flows ..........................................................................100
Chapter 6 Merging Policies 101
Merging Policies Overview ..........................................................................101
Resolving Policy Merge Conflicts .................................................................103
Merged Policy Naming Conventions ............................................................105
Reference Counting for Merged Policies ......................................................106
Persistent Configuration Differences for Merged Policies Through Service
Policy Attachment Sequence at Login Through Service Manager .................106
Policy Attachment Rules for Merged Policies ...............................................106
Manager ................................................................................................106
Table of Contents ■ xi
JUNOSe 11.1.x Policy Management Configuration Guide
Error Conditions for Merged Policies ...........................................................108
Merging Policies Configuration ....................................................................108
Parent Group Merge Algorithm ....................................................................120
Overlapping Classification for IP Input Policy ..............................................122
Starting Policy Processing .....................................................................124
Processing the Classifier Result .............................................................125
Processing the Auxiliary-Input Policy Attachment .................................125
Policy Actions .......................................................................................125
Chapter 7 Creating Hierarchical Policies for Interface Groups 129
Hierarchical Policies for Interface Groups Overview ....................................129
External Parent Groups ...............................................................................130
Example: Configuring Hierarchical Policy Parameters .................................130
Hierarchical Aggregation Nodes ..................................................................132
RADIUS and Profile Configuration for Hierarchical Policies .........................133
Applying a Profile to Interfaces with Service Manager .................................133
Hierarchical Policy Configuration Considerations ........................................133
Example: Hierarchical Policy Quick Configuration .......................................134
Example: Configuring Hierarchical Policies .................................................134
Example: VLAN Rate Limit Hierarchical Policy for Interface Groups
Configuration ........................................................................................138
Example: Wholesale L2TP Model Hierarchical Policy Configuration ............141
Example: Aggregate Rate Limit for All Nonvoice Traffic Hierarchical Policy
Configuration ........................................................................................144
Example: Arbitrary Interface Groups Hierarchical Policy Configuration .......147
Example: Service and User Rate-Limit Hierarchy Overlap Hierarchical Policy
Configuration ........................................................................................150
Example: Percentage-Based Hierarchical Rate-Limit Profile for External Parent
Group ....................................................................................................152
Example: PPP Interfaces Hierarchical Policy Configuration .........................154
Chapter 8 Policy Resources 159
Policy Resources Overview ..........................................................................159
FPGA Hardware Classifiers ..........................................................................161
CAM Hardware Classifiers Overview ...........................................................162
Size Limit for IP and IPv6 CAM Hardware Classifiers ...................................163
Creating and Attaching a Policy with IP Classifiers ......................................168
Variable-Sized CAM Classification for IPv6 Policies Examples .....................171
Performance Impact and Salability Considerations .....................................175
xii ■ Table of Contents
IP Classifiers and Size Limits .................................................................164
IPv6 Classifiers and Size Limits .............................................................166
144-bit IPv6 Classification Example ......................................................171
288-bit IPv6 Classification Example ......................................................172
576-bit IPv6 Classification Example ......................................................173
Performance Impact .............................................................................175
Scalability Considerations .....................................................................175
CAM Device Block Size and CAM Entry Allocation ..........................175
Number of CAM Entries Per Allocation and Free Entries ................176
Table of Contents
Software Classifiers Overview .....................................................................178
Interface Attachment Resources Overview ..................................................179
CAM Hardware Classifiers and Interface Attachment Resources ..................180
Range Vector Hardware Classifiers and Interface Attachment Resources ....180
Chapter 9 Monitoring Policy Management 181
Monitoring Policy Management Overview ...................................................181
Setting a Statistics Baseline for Policies .......................................................182
Monitoring the Policy Configuration of ATM Subinterfaces ..........................183
Monitoring Classifier Control Lists ...............................................................184
Monitoring Color-Mark Profiles ....................................................................187
Monitoring Control Plane Policer Information .............................................187
Monitoring the Policy Configuration of Frame Relay Subinterfaces .............188
Monitoring GRE Tunnel Information ............................................................190
Monitoring Interfaces and Policy Lists .........................................................191
Monitoring the Policy Configuration of IP Interfaces ....................................193
Monitoring the Policy Configuration of IPv6 Interfaces ................................197
Monitoring the Policy Configuration of Layer 2 Services over MPLS ............201
Monitoring External Parent Groups .............................................................203
Monitoring Policy Lists ................................................................................204
Monitoring Policy List Parameters ...............................................................209
Monitoring Rate-Limit Profiles .....................................................................211
Monitoring the Policy Configuration of VLAN Subinterfaces ........................212
Packet Flow Monitoring Overview ...............................................................213
Part 2 Packet Mirroring
Chapter 10 Packet Mirroring Overview 219
Packet Mirroring Overview ..........................................................................219
Comparing CLI-Based Mirroring and RADIUS-Based Mirroring ....................220
Configuration ........................................................................................220
Security .................................................................................................220
Application ...........................................................................................221
Packet-Mirroring Terms ...............................................................................222
Packet Mirroring Platform Considerations ...................................................222
Packet Mirroring References .......................................................................223
Chapter 11 Configuring CLI-Based Packet Mirroring 225
CLI-Based Packet Mirroring Overview .........................................................225
Enabling and Securing CLI-Based Packet Mirroring .....................................226
Reloading a CLI-Based Packet-Mirroring Configuration ................................228
Using TACACS+ and Vty Access Lists to Secure Packet Mirroring ...............228
Using Vty Access Lists to Secure Packet Mirroring .......................................228
CLI-Based Packet Mirroring Sequence of Events ..........................................229
Table of Contents ■ xiii
JUNOSe 11.1.x Policy Management Configuration Guide
Configuring CLI-Based Mirroring ..................................................................231
Configuring Triggers for CLI-Based Mirroring ...............................................232
Configuring the Analyzer Device .................................................................233
Configuring the E Series Router ...................................................................233
Example: Configuring CLI-Based Interface-Specific Mirroring ......................234
Example: Configuring CLI-Based User-Specific Mirroring .............................235
Chapter 12 Configuring RADIUS-Based Mirroring 239
RADIUS-Based Mirroring Overview .............................................................239
RADIUS Attributes Used for Packet Mirroring ..............................................240
RADIUS-Based Packet Mirroring Dynamically Created Secure Policies ........241
RADIUS-Based Packet Mirroring MLPPP Sessions ........................................241
RADIUS-Based Mirroring Sequence of Events ..............................................242
Configuring RADIUS-Based Mirroring ..........................................................243
Configuring the RADIUS Server .............................................................244
Disabling RADIUS-Based Mirroring .......................................................244
Configuring the Analyzer Device ...........................................................244
Configuring Router to Start Mirroring When User Logs On ..........................245
Configuring Router to Mirror Users Already Logged In ................................245
Chapter 13 Managing Packet Mirroring 247
Avoiding Conflicts Between Multiple Packet Mirroring Configurations .........247
Understanding the Prepended Header During a Packet Mirroring Session ....249
Format of the Mirror Header Attributes ................................................251
8-Byte Format ................................................................................251
4-Byte Format ................................................................................252
Resolving and Tracking the Analyzer Device’s Address ...............................252
Using Multiple Triggers for CLI-Based Packet Mirroring ...............................253
Optimizing Packet Mirroring Performance ..................................................254
Determine Traffic Loads .......................................................................254
Establish Resource Guidelines ...............................................................255
Logging Packet Mirroring Information .........................................................255
Using SNMP Secure Packet Mirroring Traps .................................................256
Additional Packet-Mirroring Traps for CALEA Compliance ....................257
Packet Mirroring Trap Severity Levels ...................................................258
Configuring SNMP Secure Packet Mirroring Traps .......................................259
Capturing SNMP Secure Audit Logs .............................................................260
Chapter 14 Monitoring Packet Mirroring 263
Monitoring Packet Mirroring Overview ........................................................263
Monitoring CLI-Based Packet Mirroring .......................................................264
Monitoring the Packet Mirroring Configuration of IP Interfaces ...................265
Monitoring Failure Messages for Secure Policies ..........................................266
Monitoring Packet Mirroring Triggers ..........................................................267
Monitoring Packet Mirroring Subscriber Information ...................................268
Monitoring RADIUS Dynamic-Request Server Information ..........................269
xiv ■ Table of Contents
Monitoring Secure CLACL Configurations ....................................................271
Monitoring Secure Policy Lists .....................................................................273
Monitoring Information for Secure Policies .................................................274
Monitoring SNMP Secure Packet Mirroring Traps ........................................275
Monitoring SNMP Secure Audit Logs ...........................................................277
Part 3 Index
Index ...........................................................................................................281
Table of Contents
Table of Contents ■ xv
JUNOSe 11.1.x Policy Management Configuration Guide
xvi ■ Table of Contents
List of Figures
Part 1 Policy Management
Chapter 3 Creating Policy Lists 17
Figure 1: Constructing an IP Policy List .........................................................18
Chapter 5 Creating Rate-Limit Profiles 61
Figure 2: Multiple Flows Sharing Preferred Bandwidth ..................................67
Figure 3: Multiple Packet Flows Sharing a Rate Limit ....................................68
Figure 4: Shared Pool of Additional Bandwidth with Select Flows ..................69
Figure 5: Aggregate Marking with Oversubscription ......................................71
Figure 6: Congestion Management ................................................................98
Chapter 6 Merging Policies 101
Figure 7: Input Policy with Primary Stage and Auxiliary Substage ...............124
Chapter 7 Creating Hierarchical Policies for Interface Groups 129
Figure 8: Configuration Process ...................................................................135
Figure 9: VLAN Rate-Limit Configuration .....................................................138
Figure 10: Interface Stack for Wholesale L2TP Mode ...................................142
Figure 11: Wholesale L2TP Configuration ....................................................143
Figure 12: Interface Stack for Aggregate Rate Limit .....................................144
Figure 13: Aggregate Rate Limit for Nonvoice Traffic Configuration ............146
Figure 14: Interface Stack for Arbitrary Interface Groups .............................147
Figure 15: Arbitrary Interface Groups Configuration ....................................148
Figure 16: Interface Stack for Service and User Rate-Limit Hierarchy
Overlap .................................................................................................150
Figure 17: Service and User Rate-Limit Hierarchy Overlap Configuration ....151
Figure 18: Interface Stack for Hierarchical Policy Configuration ..................155
Part 2 Packet Mirroring
Chapter 11 Configuring CLI-Based Packet Mirroring 225
Figure 19: CLI-Based Interface Mirroring .....................................................226
Figure 20: CLI-Based Packet Mirroring .........................................................229
Chapter 12 Configuring RADIUS-Based Mirroring 239
Figure 21: RADIUS-Based Packet Mirroring .................................................242
Chapter 13 Managing Packet Mirroring 247
Figure 22: Prepended Header ......................................................................250
Figure 23: 8-Byte Format of VSA 26-59 .......................................................252
Figure 24: 4-Byte Format of VSA 26-59 .......................................................252
List of Figures ■ xvii
JUNOSe 11.1.x Policy Management Configuration Guide
xviii ■ List of Figures
List of Tables
About the Documentation xxiii
Table 1: Notice Icons ..................................................................................xxiv
Table 2: Text and Syntax Conventions ........................................................xxiv
Part 1 Policy Management
Chapter 2 Creating Classifier Control Lists for Policies 7
Table 3: CLACL Criteria ...................................................................................7
Chapter 4 Creating Classifier Groups and Policy Rules 31
Table 4: Policy Rule Commands and Precedence ..........................................33
Table 5: Ascend-Data-Filter Fields .................................................................47
Table 6: Ascend-Data-Filter Attribute for an Input Policy on an IPv4
Interface .................................................................................................51
Table 7: Ascend-Data-Filter Attribute Values for a RADIUS Record ................55
Table 8: Ascend-Data-Filter Attribute for an Output Policy on an IPv6
Interface .................................................................................................56
Table 9: Ascend-Data-Filter Attribute for an Input Policy on an IPv6
Interface .................................................................................................57
Chapter 5 Creating Rate-Limit Profiles 61
Table 10: TCP-Friendly One-Rate Rate-Limit Profile Algorithms ....................85
Table 11: Policy Action Applied Based on Rate Settings and Traffic Rate .......87
Table 12: Two-Rate Rate-Limit Profile Algorithms .........................................88
Table 13: One-Rate Rate-Limit-Profile Defaults ..............................................94
Table 14: Two-Rate Rate-Limit-Profile Defaults ..............................................96
Chapter 6 Merging Policies 101
Table 15: Input Action and Secondary Input Actions ...................................127
Chapter 7 Creating Hierarchical Policies for Interface Groups 129
Table 16: Shorthand Notation Mapping .......................................................131
Chapter 8 Policy Resources 159
Table 17: Classifier Support (OC48/STM16, GE-2, and GE-HDE Line
Modules) ...............................................................................................160
Table 18: Classifier Support (All Line Modules Except OC48/STM16, GE-2,
and GE-HDE) .........................................................................................161
Table 19: Size Limit of Individual IP Classifiers ............................................164
Table 20: Size Limit of Combined IP Classifiers ...........................................165
Table 21: Size Limit of Individual IPv6 Classifiers ........................................166
Table 22: Size Limit of Combined IPv6 Classifiers .......................................167
Table 23: Classification Fields for Example 1 ..............................................169
Table 24: Classification Fields for Example 2 ..............................................170
Table 25: IPv6 Classification Fields for a 144-bit CAM Entry ........................172
List of Tables ■ xix
JUNOSe 11.1.x Policy Management Configuration Guide
Table 26: IPv6 Classification Fields for a 288-bit CAM Entry ........................173
Table 27: IPv6 Classification Fields for a 576-bit CAM Entry ........................174
Table 28: Maximum Policies with One Classifier per Policy for GE-2 LMs ....176
Table 29: Maximum Policies with Four Classifiers per Policy for GE-2
LMs .......................................................................................................177
Table 30: Resource Consumption ................................................................179
Chapter 9 Monitoring Policy Management 181
Table 31: show atm subinterface Output Fields ...........................................183
Table 32: show classifier-list Output Fields ..................................................185
Table 33: show color-mark-profile Output Fields .........................................187
Table 34: show control-plane policer Output Fields .....................................188
Table 35: show frame-relay subinterface Output Fields ...............................189
Table 36: show gre tunnel Output Fields .....................................................190
Table 37: show interfaces Output Fields ......................................................193
Table 38: show ip interfaces Output Fields ..................................................195
Table 39: show ipv6 interface Output Fields ................................................198
Table 40: show mpls l2transport interface Output Fields .............................202
Table 41: show parent-group Output Fields .................................................204
Table 42: show policy-list Output Fields ......................................................208
Table 43: show policy-parameter Output Fields ...........................................210
Table 44: show rate-limit-profile Output Fields ............................................211
Table 45: show vlan subinterface Output Fields ..........................................213
Part 2 Packet Mirroring
Chapter 10 Packet Mirroring Overview 219
Table 46: Packet-Mirroring Terminology .....................................................222
Chapter 11 Configuring CLI-Based Packet Mirroring 225
Table 47: Commands Made Visible by the mirror-enable Command ...........227
Table 48: Setting Up the CLI-Based Packet-Mirroring Environment .............230
Table 49: CLI-Based User-Specific Mirroring During Session Start ................230
Table 50: CLI-Based Mirroring of Currently Running Session .......................230
Chapter 12 Configuring RADIUS-Based Mirroring 239
Table 51: RADIUS Attributes Used as Packet Mirroring Triggers (Vendor ID
4874) ....................................................................................................240
Table 52: RADIUS Attributes Used as Packet Mirroring Triggers (Vendor ID
3561) ....................................................................................................240
Table 53: RADIUS-Based Mirroring Attributes ..............................................241
Table 54: Setting Up the RADIUS-Based Packet-Mirroring Environment ......242
Table 55: RADIUS-Based Mirroring During Session Start (User-Initiated) .....243
Table 56: RADIUS-Based Mirroring of Currently Running Session
(RADIUS-Initiated) .................................................................................243
Chapter 13 Managing Packet Mirroring 247
Table 57: Prepended Header Field Descriptions ..........................................250
Table 58: Packet-Mirroring SNMP Traps ......................................................257
Table 59: Packet-Mirroring Traps for CALEA Compliance ............................258
Table 60: Packet Mirroring Trap Severity Levels ..........................................258
Chapter 14 Monitoring Packet Mirroring 263
Table 61: show ip interface Output Fields ...................................................265
xx ■ List of Tables
List of Tables
Table 62: show ip mirror interface Output Fields ........................................266
Table 63: show mirror log Output Fields .....................................................267
Table 64: show mirror rules Output Fields ..................................................268
Table 65: show mirror subscribers Output Fields ........................................268
Table 66: show radius dynamic-request statistics Output Fields ..................270
Table 67: show secure classifier-list Output Fields .......................................271
Table 68: show secure policy-list Output Fields ...........................................274
Table 69: show mirror log Output Fields .....................................................275
Table 70: show snmp trap Output Fields .....................................................276
Table 71: show snmp secure-log Output Fields ............................................278
List of Tables ■ xxi
JUNOSe 11.1.x Policy Management Configuration Guide
xxii ■ List of Tables
About the Documentation
■ E Series and JUNOSe Documentation and Release Notes on page xxiii
■ Audience on page xxiii
■ E Series and JUNOSe Text and Syntax Conventions on page xxiii
■ Obtaining Documentation on page xxv
■ Documentation Feedback on page xxv
■ Requesting Technical Support on page xxv
E Series and JUNOSe Documentation and Release Notes
For a list of related JUNOSe documentation, see
http://www.juniper.net/techpubs/software/index.html .
If the information in the latest release notes differs from the information in the
documentation, follow the JUNOSe Release Notes.
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
Audience
This guide is intended for experienced system and network specialists working with
Juniper Networks E Series Broadband Services Routers in an Internet access
environment.
E Series and JUNOSe Text and Syntax Conventions
Table 1 on page xxiv defines notice icons used in this documentation.
E Series and JUNOSe Documentation and Release Notes ■ xxiii
JUNOSe 11.1.x Policy Management Configuration Guide
Table 1: Notice Icons
Table 2 on page xxiv defines text and syntax conventions that we use throughout the
E Series and JUNOSe documentation.
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Indicates a situation that might result in loss of data or hardware damage.Caution
Alerts you to the risk of personal injury or death.Warning
Alerts you to the risk of personal injury from a laser.Laser warning
Table 2: Text and Syntax Conventions
Represents commands and keywords in text.Bold text like this
Bold text like this
Fixed-width text like this
Represents text that the user must type.
Represents information as displayed on your
terminal’s screen.
Italic text like this
Emphasizes words.
■
Identifies variables.
■
Identifies chapter, appendix, and book
■
names.
Plus sign (+) linking key names
keys simultaneously.
Syntax Conventions in the Command Reference Guide
ExamplesDescriptionConvention
Issue the clock source command.
■
Specify the keyword exp-msg.
■
host1(config)#traffic class low-loss1
host1#show ip ospf 2
Routing Process OSPF 2 with Router
ID 5.5.0.250
Router is an Area Border Router
(ABR)
There are two levels of access: user and
■
privileged.
clusterId, ipAddress.
■
Appendix A, System Specifications
■
Press Ctrl + b.Indicates that you must press two or more
terminal lengthRepresents keywords.Plain text like this
| (pipe symbol)
xxiv ■ E Series and JUNOSe Text and Syntax Conventions
mask, accessListNameRepresents variables.Italic text like this
diagnostic | lineRepresents a choice to select one keyword
or variable to the left or to the right of this
symbol. (The keyword or variable can be
either optional or required.)
Table 2: Text and Syntax Conventions (continued)
About the Documentation
ExamplesDescriptionConvention
[ internal | external ]Represent optional keywords or variables.[ ] (brackets)
[ ]* (brackets and asterisk)
that can be entered more than once.
Represent required keywords or variables.{ } (braces)
Obtaining Documentation
To obtain the most current version of all Juniper Networks technical documentation,
see the Technical Documentation page on the Juniper Networks Web site at
http://www.juniper.net/.
To download complete sets of technical documentation to create your own
documentation CD-ROMs or DVD-ROMs, see the Offline Documentation page at
http://www.juniper.net/techpubs/resources/cdrom.html
Copies of the Management Information Bases (MIBs) for a particular software release
are available for download in the software image bundle from the Juniper Networks
Web site athttp://www.juniper.net/.
Documentation Feedback
[ level1 | level2 | l1 ]*Represent optional keywords or variables
{ permit | deny } { in | out }
{ clusterId | ipAddress }
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation to better meet your needs. Send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
■ Document or topic name
■ URL or page number
■ Software release version
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical
Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support
contract, or are covered under warranty, and need post-sales technical support, you
can access our tools and resources online or open a case with JTAC.
■ JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/7100059-EN.pdf .
Obtaining Documentation ■ xxv
JUNOSe 11.1.x Policy Management Configuration Guide
■ Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/ .
■ JTAC hours of operation—The JTAC centers have resources available 24 hours a
day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with
the following features:
■
Find CSC offerings: http://www.juniper.net/customers/support/
■
Search for known bugs: http://www2.juniper.net/kb/
■
Find product documentation: http://www.juniper.net/techpubs/
■ Find solutions and answer questions using our Knowledge Base:
http://kb.juniper.net/
■ Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
■ Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
■ Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
■
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
■
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
■ Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting support.html .
xxvi ■ Requesting Technical Support
Part 1
Policy Management
■ Managing Policies on the E Series Router on page 3
■ Creating Classifier Control Lists for Policies on page 7
■ Creating Policy Lists on page 17
■ Creating Classifier Groups and Policy Rules on page 31
■ Creating Rate-Limit Profiles on page 61
■ Merging Policies on page 101
■ Creating Hierarchical Policies for Interface Groups on page 129
■ Policy Resources on page 159
■ Monitoring Policy Management on page 181
Policy Management ■ 1
JUNOSe 11.1.x Policy Management Configuration Guide
2 ■ Policy Management
Chapter 1
Managing Policies on the E Series Router
This chapter discusses the following topics:
■ Policy Management Overview on page 3
■ Description of a Policy on page 5
■ Policy Platform Considerations on page 5
■ Policy References on page 6
■ Policy Management Configuration Tasks on page 6
Policy Management Overview
This chapter introduces policy-based routing management on E Series routers. Policy
management enables you to configure, manage, and monitor policies that selectively
cause packets to take different paths without requiring a routing table lookup. The
JUNOSe software’s packet-mirroring feature uses secure policies.
Policy management enables network service providers to configure services that
customize the treatment of individual packet flows received on a subscriber’s
interface. The main tool for implementing policy management is a policy list. A policy
list is a set of rules, each of which specifies a policy action. A rule is a policy action
optionally combined with a classification.
Packets are sorted at ingress or egress into packet flows based on attributes defined
in classifier control lists (CLACLs). You can apply policy lists to packets arriving and
leaving an interface. You can use policy management on ATM, Frame Relay, generic
routing encapsulation (GRE), IP, IPv6, Layer 2 Tunneling Protocol (L2TP), Multiprotocol
Label Switching (MPLS), and virtual local area network (VLAN) traffic.
Policy management provides:
■ Policy routing—Predefines a classified packet flow to a destination port or IP
address. The router does not perform a routing table lookup on the packet. This
provides superior performance for real-time applications.
■ Bandwidth management—Rate-limits a classified packet flow at ingress to enforce
ingress data rates below the physical line rate of a port, A rate-limit profile with
a policy rate-limit profile rule provides this capability. You can construct policies
to provide rate limiting for individual packet flows or for the aggregate of multiple
packet flows. Juniper Networks E Series Broadband Services Router rate limits
are calculated based on the layer 2 packet size. To configure rate limiting, you
first create a rate-limit profile, which is a set of bandwidth attributes and
Policy Management Overview ■ 3
JUNOSe 11.1.x Policy Management Configuration Guide
associated actions. You next create a policy list with a rule that has rate limit as
the action and associate a rate-limit profile with this rule. You can configure
rate-limit profiles to provide a variety of services, including tiered bandwidth
service where traffic conforming to configured bandwidth levels is treated
differently than traffic that exceeds the configured values, and a hard-limit service
where a fixed bandwidth limit is applied to a traffic flow. Finally, you can
configure rate-limit profiles to provide a TCP-friendly rate-limiting service that
works in conjunction with TCP’s native flow-control functionality.
■ Security—Provides a level of network security by using policy rules that selectively
forward or filter packet flows. You can use a filter rule to stop a denial-of-service
attack. You can use secure policies to mirror packets and send them to an
analyzer.
■ RADIUS policy support—Enables you to create and attach a policy to an interface
through RADIUS.
■ Packet tagging—Enables the traffic-class rule in policies to tag a packet flow so
that the Quality of Service (QoS) application can provide traffic-class queuing.
Policies can perform both in-band and out-of-band packet tagging.
■ Packet forwarding—Allows forwarding of packets in a packet flow.
■ Packet filtering—Drops packets in a packet flow.
■ Packet mirroring—Uses secure policies to mirror packets and send them to an
analyzer.
■ Packet logging—Logs packets in a packet flow.
Policy management gives you the CLI tools to build databases, which can then be
drawn from to implement a policy. Each database contains global traffic specifications.
When building a policy, you specify input from one or more of these databases and
then attach the policy to an interface. By combining the information from the various
databases into policies, you can deploy a wide variety of services.
NOTE: When applying policies to interfaces that are managed by the SRC, avoid
using any other policy management tools, such as CLI, RADIUS, CoA, or Service
Manager. SRC is not compatible with other types of policy management tools. When
policies are applied to the interface before SRC management begins, such as at
access-accept time, these policies are properly replaced. However, if other policy
managers change existing policies while SRC management is active, problems can
occur. The precedence of each source when modifying configurations is:
■ If you have a pre-configured policy through CLI as part of subscriber PVC/VLAN
provisioning, SRC overwrites the policy when the SRC manages the interface
■ If you have a policy in the Access-Accept, SRC overwrites the policy when the
SRC manages the interface
4 ■ Policy Management Overview
Loading...