Overview

Policy management allows network service providers to implement packet forwarding and routing specifically tailored to their customers' requirements. Using policy management, you can implement policies that selectively cause packets to take different paths without requiring a routing table lookup.

Packets are sorted at ingress or egress into packet flows based on attributes defined in classifier control lists (CLACLs). Policy lists contain rules that associate actions with these CLACLs.

Policy management provides:

• Policy routing—Predefines a classified packet flow to a destination port or IP address. The router does not perform a routing table lookup on the packet. On ingress, the packets are classified into a packet flow and sent to the preconfigured destination port. See the forward forward interface forward next-hop, forward forward interface forward next-hop, and forward forward interface forward next-hop commands for more details.
• Quality of service (QoS) classification and marking—Marks packets in a packet flow. See Creating Classifier Control Lists.
• Packet forwarding—Allows forwarding of packets in a packet flow. See the forward forward interface forward next-hop, forward forward interface forward next-hop, and forward forward interface forward next-hop command.
• Packet filtering—Drops packets in a packet flow. See the filter command.
• Packet logging—Logs packets in a packet flow. See the log command.
• Rate limiting—Enforces line rates below the physical line rate of the port and sets limits on packet flows. See Creating a Rate-Limit Profile.
• RADIUS policy support—Allows you to create and attach a policy to an interface through RADIUS. See Using RADIUS to Create and Apply Policies.
• Packet mirroring—Uses secure policies to mirror packets and send them to an analyzer. See JUNOSe System Basics Configuration Guide, Chapter 8, Packet Mirroring.

Policy Lists

The main tool for implementing policy management is a policy list. A policy list is a set of rules, each of which specifies a policy action. A rule is a policy action optionally combined with a classification. You can apply policy lists to packets:

• Arriving at an interface (input policy); on IP and IPv6 interfaces the packets arrive before route lookup
• Arriving at the interface, but after route lookup (secondary input policy); secondary input policies are supported only on IP and IPv6 interfaces
• Leaving an interface (output policy)

You create a policy rule by specifying a policy action within a classifier group that references a CLACL. These rules become part of a policy list that you can attach to an interface as either an input, secondary-input, or output policy. The router applies the rules in the attached policy list to the packets traversing that interface. Figure 1 shows how a sample IP policy list is constructed.

Figure 1: Constructing an IP Policy List

Secure Policies

Secure policies are used by the JUNOSe software's RADIUS-based packet mirroring feature. The policies are based on packet mirroring-related RADIUS VSAs, which are created by authorized RADIUS administrators. Secure policies are dynamically created when the RADIUS-based mirroring session is initiated at the RADIUS server and then applied to the interface that is created for the user whose traffic is being mirrored. The secure policy is deleted from the interface when the mirroring operation is disabled or if the interface is deleted.

When a secure policy is created, the router creates a name that consists of the string "spl" followed by a hexadecimal integer, such as spl_0x88000008. Authorized users can use the show secure policy-list command to view information about secure policies.

See JUNOSe System Basics Configuration Guide, Chapter 8, Packet Mirroring for information about the JUNOSe software's packet mirroring feature.

Classifier Control Lists

CLACLs specify the criteria by which the router defines a packet flow. Table 4 shows the criteria that you can use to create CLACLs for different types of traffic flows. See Policy Resources for more information about the hardware and software CLACLs that are supported for each interface types.

Table 4: CLACL Criteria 

Type of CLACL	Criteria
Frame Relay	Color Mark discard eligibility (DE) bit Traffic class User packet class
GRE	Color Traffic class Type-of-service (ToS) byte User packet class
IP	Color Destination IP address Destination port Destination route class Internet Control Message Protocol (ICMP) Internet Gateway Management Protocol (IGMP) IP flags IP fragmentation offset Locally destined traffic Protocol Source IP address Source port Source route class Transmission Control Protocol (TCP) Traffic class Type-of-service (ToS) byte User Datagram Protocol (UDP) User packet class
IPv6	Color Destination IPv6 address Destination port Destination route class Internet Control Message Protocol version 6 (ICMPv6) IPv6 traffic class Locally destined traffic Multicast Listener Discovery (MLD) Next header Source IPv6 address Source port Source route class Traffic class Transmission Control Protocol (TCP) User Datagram Protocol (UDP) User packet class
L2TP	Color Traffic class User packet class
MPLS	Color Mark experimental (EXP) bit Traffic class User packet class
VLAN	Color Traffic class User packet class User priority

Rate-Limit Profiles

Rate limiting is the process of limiting a classified packet flow or a source interface to a rate that is less than the physical rate of the port. The E-series router's rate limits are calculated based on the layer 2 packet size.

To configure rate limiting, you first create a rate-limit profile, which is a set of bandwidth attributes and associated actions. Your router supports two types of rate-limit profiles—one-rate and two-rate—for IP, IPv6, LT2P, and MPLS Layer 2 transport traffic.

You next create a policy list with a rule that has rate limit as the action and associate a rate-limit profile with this rule.

Rate-limit actions include drop, transmit, or mark. The default is to transmit committed and conformed packets, and to drop exceeded packets.

A color-coded tag is added automatically to each packet based on categories:

• Committed—Green
• Conformed—Yellow
• Exceeded—Red

The queuing system uses drop eligibility to select packets for dropping when there is congestion on an egress interface. This method is called dynamic color-based threshold dropping. Each packet queue has two color-based thresholds as well as a queue limit:

• Red packets are dropped when congestion causes the queue to fill above the red threshold.
• Yellow packets are dropped when the yellow threshold is reached.
• Green packets are dropped when the queue limit is reached.

See Chapter 2, Configuring Quality of Service for information about configuring queue thresholds.

One-Rate Rate-Limit Profile

The one-rate rate-limit profile attributes are:

• Committed rate—Target rate for a packet flow
• Committed burst—Amount of bandwidth allocated to accommodate bursty traffic in excess of the rate
• Excess burst—Amount of bandwidth allocated to accommodate a packet in progress when the rate is in excess of the burst
• Committed action—Drop, transmit, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow does not exceed the rate
• Conformed action—Drop, transmit, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow exceeds the rate but not the excess burst
• Exceeded action—Drop, transmit, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow exceeds the rate
• Mask value—Mask to be applied with mark values for the ToS byte; applicable only to IP and IPv6 rate-limit profiles
• EXP mask value—Mask to be applied with mark-exp values; applicable only to MPLS rate-limit profiles

Configuring a TCP-Friendly One-Rate Rate-Limit Profile

The E-series router provides a TCP-friendly rate-limiting mechanism that is implemented with token buckets. You can configure a committed rate, committed burst, and excess burst for the token bucket. For example, to configure a rate-limit process with hard tail dropping of packets when tokens are unavailable, set the committed rate and committed burst to a nonzero value, and set the excess burst to zero. Setting the excess burst to a nonzero value causes the router to drop packets in a more friendly way.

The configuration values for the above attributes determine the degree of friendliness of the rate-limit process. The general idea is that instead of tail dropping packets that arrive outside the committed and burst rate envelope, the TCP-friendly bucket allows more tokens to be borrowed, up to a limit determined by the excess burst size. The next packet that borrows tokens in excess of the excess burst size is deemed excessive and is dropped if the exceeded action is set to drop.

The rate-limit algorithm is designed to avoid consecutive packet drops in the initial stages of congestion when the packet flow rate exceeds the committed rate of the token bucket. The intention is that just a few packet drops are sufficient for TCP's congestion control algorithm to drastically scale back its sending rate. Eventually, the packet flow rate falls below the committed rate, which allows the token bucket to replenish faster because of the reduced load.

If the packet flow rate exceeds the committed rate for an extended period of time, the rate-limit algorithm tends toward hard tail dropping. In a properly configured scenario, the rate limiter is consistently driven to borrow tokens because of TCP's aggressive nature, but it replenishes the tokens as TCP backs off, resulting in a delivered rate that is very close to the rate configured in the rate-limit profile.

The recommended burst sizes for TCP-friendly behavior are:

• Committed burst—0.2 to 2.0 seconds of the committed rate
• Excess burst—1.0 to 2.0 seconds of the committed rate, plus the committed burst

For example, if the committed rate is 1,000,000 bps, the recommended burst sizes are as follows:

• Committed burst is 1,000,000 x 1.0 x 1/8 = 125,000 bytes

Multiplying the committed rate by 1.0 converts the rate to bits, then multiplying the number of bits by 1/8 converts the value to bytes.

• Excess burst is 1,000,000 x 1.5 x 1/8 + 125,000 = 312,500 bytes

Multiplying the committed rate by 1.5 converts the rate to bits, then multiplying the number of bits by 1/8 converts the value to bytes.

Two-Rate Rate-Limit Profile

The two-rate rate-limit profile attributes are:

• Committed rate—Target rate for a packet flow
• Committed burst—Amount of bandwidth allocated to accommodate bursty traffic in excess of the committed rate
• Peak rate—Amount of bandwidth allocated to accommodate excess traffic flow over the committed rate
• Peak burst—Amount of bandwidth allocated to accommodate bursty traffic in excess of the peak rate
• Committed action—Drop, transmit, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow does not exceed the committed rate
• Conformed action—Drop, transmit, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow exceeds the committed rate but remains below the peak rate
• Exceeded action—Drop, transmit, mark (IP and IPv6), or mark-exp (MPLS) when traffic flow exceeds the peak rate
• Mask value—Mask to be applied with mark values for the ToS byte; applicable only to IP and IPv6 rate-limit profiles
• EXP mask value—Mask to be applied with mark-exp values; applicable only to MPLS rate-limit profiles

Table 5 shows the interaction between the rate settings and the actual traffic rate to determine the action taken by a rate-limit rule in a policy when applied to a traffic flow.

 Table 5:  Policy Action Applied Based on Rate Settings and Traffic Rate  

 Peak Rate
 Committed Rate = 0
 Committed Rate Not 0

 Peak rate = 0


  
 All traffic assigned the exceeded action



  
 Traffic <= committed rate assigned the committed action
  
 Traffic > committed rate assigned the exceeded action



 Peak rate not 0


  
 Traffic <= peak rate assigned the conformed action
  
 Traffic > peak rate assigned the exceeded action



  
 Traffic <= committed rate assigned the committed action
  
 Committed rate < Traffic < peak rate assigned the conformed action
  
 Traffic > peak rate assigned the exceeded action




 

This implementation is known as a two-rate, three-color marking mechanism. Token buckets control how many packets per second are accepted at each of the configured rates. The token buckets provide flexibility in dealing with the bursty nature of data traffic. The committed burst sets the depth of the committed token bucket. The committed rate is the speed at which the committed token bucket is filled. The peak burst sets the depth of the peak token bucket. The peak rate is the speed at which the peak token bucket is filled.

At the beginning of each sample period, the two buckets are filled with tokens based on the configured burst sizes. Traffic is metered to measure its volume. When traffic is received, if tokens remain in both buckets, one token is removed from each bucket for every byte of data processed. As long as there are still tokens in the committed burst bucket, the traffic is treated as committed.

When the committed burst token bucket is empty but tokens remain in the peak burst bucket, traffic is treated as conformed. When the peak burst token bucket is empty, traffic is treated as exceeded.

Table 6 shows equations that can also represent the algorithm for the two-rate rate-limit profile.

 Table 6:  Two-Rate Rate-Limit Profile Algorithms

 Step
 Result

 If B > Tp (t) 


  
 Packet is marked as red and treated as exceeded



 If B < Tp (t)
 and 
 B > Tc (t) 


  
 Packet is marked as yellow and treated as conformed 
  
 Tp is decremented by B



 If B < Tp (t)
 and
 B < Tc (t) 


  
 Packet is marked as green and treated as committed
  
 Tp is decremented by B 
  
 Tc is decremented by B 



 

 where:
 B     = size of packet in bytes
 Tp     = size of peak token bucket in bytes. The maximum size of this bucket is the configured peak burst. 
 Tc     = size of the committed token bucket in bytes. The maximum size of this bucket is the configured committed burst. 
 t     = time



 

To configure a single-rate hard limit, set the committed rate and burst rate to the desired values, the committed action to transmit, the conformed action to drop, and the exceeded action to drop. The peak rate must be set to zero.

NOTE: You can also achieve the characteristics of the single-rate hard limit by configuring a one-rate rate-limit profile with the extended burst rate set to zero.