

Creating and Attaching a Policy with IP Classifiers

In this example, a policy with a combination of IP classifiers is created and attached. The configuration conforms to the 128-bit limit.

  1. Match all TCP SYN packets from 1.1.1.1 to any destination address (DA) with port 2000.

    host1(config)#ip classifier-list tcpCLACL tcp host 1.1.1.1 any eq 2000 tcp-flags "SYN"

  2. Match all IP packets with the don't fragment flag set to host 2.2.2.2.

    host1(config)#ip classifier-list ipCLACL ip any host 2.2.2.2 ip-flags "dont-fragment"

  3. Match all ICMP echo packets.

    host1(config)#ip classifier-list icmpCLACL icmp any any 8 0

  4. Match all frames with the color red.

    host1(config)#ip classifier-list colorCLACL color red ip any any

  5. Create a policy list.

    host1(config)#ip policy-list ipPol
    host1(config-policy-list)#classifier-group colorCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group tcpCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group icmpCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group ipCLACL
    host1(config-policy-list-classifier-group)#filter

  6. Apply the policy list to an interface.

    host1(config)#interface atm 5/0.1
    host1(config-if)#ip policy input ipPol

Table 19 lists the active classifiers in the policy named ipPol and the size of each classifier.

Table 19: Classification Fields for Example 1

| Classifiers | Size (Bits) |
|---|---|
| Source address | 32 |
| Destination address | 32 |
| Destination port, ICMP type, ICMP code | 16 |
| Protocol | 8 |
| Color and TCP flags | 8 |
| TOS | 8 |
| IP flags | 8 |


The total value of the classifiers requested in the ipPol policy is 112, which is less than the 128-bit CAM entry size limit.

In this example, a policy with a combination of IP classifiers is created and attached. The configuration exceeds the 128-bit limit.

  1. Match all TCP packets from 1.1.1.1 port 10 to 2.2.2.2 port 20.

    host1(config)#ip classifier-list tcpCLACL tcp host 1.1.1.1 eq 10 host 2.2.2.2 eq 20

  2. Match all IP packets with a fragmentation offset equal to 1.

    host1(config)#ip classifier-list ipFragCLACL ip any any ip-frag-offset eq 1

  3. Match all frames with the color red.

    host1(config)#ip classifier-list colorCLACL color red traffic-class best-effort ip any any

  4. Match all frames with UPC 1.

    host1(config)#ip classifier-list upcCLACL user-packet-class 1 ip any any

  5. Create a policy list.

    host1(config)#ip policy-list ipPol
    host1(config-policy-list)#classifier-group colorCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group ipFragCLACL
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#classifier-group igmpCLACL
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#classifier-group lowDelayCLACL
    host1(config-policy-list-classifier-group)#traffic-class strict-priority
    host1(config-policy-list-classifier-group)#classifier-group tcpCLACL
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#classifier-group *
    host1(config-policy-list-classifier-group)#filter

  6. Apply the policy list to an interface.

    host1(config)#interface atm 5/0.1
    host1(config-if)#ip policy input ipPol
    % too many classifier fields in policy

Table 20 lists the active classifiers in the policy named ipPol and the size of each classifier.




Table 20: Classification Fields for Example 2

| Classifiers | Size (Bits) |
|---|---|
| Source address | 32 |
| Source port | 16 |
| Destination port | 16 |
| Protocol | 8 |
| User packet class | 8 |
| Color | 8 |
| IP fragmentation | 8 |
| ToS | 8 |

The configuration fails because the total value of the classifiers requested in the ipPol policy is 136, which is greater than the 128-bit CAM entry size limit.

