Table of Contents

About the Documentation

E-series and JUNOSe Documentation and Release Notes

Audience

E-series and JUNOSe Text and Syntax Conventions

Related E-series and JUNOSe Documentation

Obtaining Documentation

Documentation Feedback

Requesting Technical Support

Policy Management

Managing Policies on the E-series Router

Policy Management Overview

Description of a Policy

Policy Platform Considerations

Policy References

Policy Management Configuration Tasks

Creating Classifier Control Lists for Policies

Classifier Control Lists Overview

Creating or Modifying Classifier Control Lists for ATM Policy Lists

Creating or Modifying Classifier Control Lists for Frame-Relay Policy Lists

Creating or Modifying Classifier Control Lists for GRE Tunnel Policy Lists

Creating or Modifying Classifier Control Lists for IP Policy Lists

Creating Classifier Control List for Only IP Policy Lists

Setting Up an IP Classifier Control List to Accept Traffic from All Sources

Classifying IP Traffic Based on Source and Destination Addresses

Using IP Classifier Control Lists to Match Route Class Values

Creating IP Classifier Control Lists for TCP and UDP Ports

Creating an IP Classifier Control List That Matches the ToS Byte

Creating an IP Classifier Control List That Filters ICMP Echo Requests

Creating IP Classifier Control Lists That Use TCP or IP Flags

Creating IP Classifier Control Lists That Match the IP Fragmentation Offset

Creating or Modifying Classifier Control Lists for IPv6 Policy Lists

Creating or Modifying Classifier Control Lists for L2TP Policy Lists

Creating or Modifying Classifier Control Lists for MPLS Policy Lists

Creating or Modifying Classifier Control Lists for VLAN Policy Lists

Creating Policy Lists

Policy Lists Overview

Creating Policy Lists for ATM

Creating Policy Lists for Frame Relay

Creating Policy Lists for GRE Tunnels

Creating Policy Lists for IP

Creating Policy Lists for IPv6

Creating Policy Lists for L2TP

Creating Policy Lists for MPLS

Creating Policy Lists for VLANs

Creating Classifier Groups and Policy Rules

Classifier Groups and Policy Rules Overview

Policy Rule Precedence

Using Policy Rules to Provide Routing Solutions

Configuring Policies to Provide Network Security

Creating an Exception Rule within a Policy Classifier Group

Defining Policy Rules for Forwarding

Assigning Values to the ATM CLP Bit

Enabling ATM Cell Mode

Enabling IP Options Filtering

Packet Tagging Overview

Creating Multiple Forwarding Solutions with IP Policy Lists

Creating a Classifier Group for a Policy List

Creating Rate-Limit Profiles

Rate Limits for Interfaces Overview

Hierarchical Rate Limits Overview

Hierarchical Classifier Groups

Hierarchical Rate-Limit Profiles

Hierarchical Rate-Limit Actions

Example: Multiple Flows Sharing Preferred Bandwidth Rate-Limiting Hierarchical Policy

Example: Multiple Flows Sharing a Rate Limit Hierarchical Policy

Example: Shared Pool of Additional Bandwidth with Select Flows Rate-Limiting Hierarchical Policy

Example: Aggregate Marking with Oversubscription Rate-Limiting Hierarchical Policy

Color-Aware Configuration for Rate-Limiting Hierarchical Policy

Percent-Based Rates for Rate-Limit Profiles Overview

Policy Parameter Reference-Rate

Specifying Rates Within Rate-Limit Profiles

Specifying Burst Sizes

Using Service Manager with Merged Policies

Policy Parameter Configuration Considerations

Policy Parameter Quick Configuration

Creating Rate-Limit Profiles

One-Rate Rate-Limit Profiles Overview

Creating a One-Rate Rate-Limit Profile

Configuring a TCP-Friendly One-Rate Rate-Limit Profile

Two-Rate Rate-Limits Overview

Creating a Two-Rate Rate-Limit Profile

Setting the Committed Action for a Rate-Limit Profile

Setting the Committed Burst for a Rate-Limit Profile

Setting the Committed Rate for a Rate-Limit Profile

Setting the Conformed Action for a Rate-Limit Profile

Setting the Exceeded Action for a Rate-Limit Profile

Setting the Excess Burst for a Rate-Limit Profile

Setting the Mask Value for MPLS Rate-Limit Profiles

Setting the Mask Value for IP and IPv6 Rate-Limit Profiles

Setting the Peak Burst for Two-Rate Rate-Limit Profiles

Setting the Peak Rate for Rate-Limit Profiles

Setting a One-Rate Rate-Limit Profile

Setting a Two-Rate Rate-Limit-Profile

Bandwidth Management Overview

Examples: One-Rate Rate-Limit Profile

Examples: Two-Rate Rate-Limit Profile

Examples: Rate-Limiting Individual or Aggregate Packet Flows

Rate-Limiting Traffic Flows

Merging Policies

Merging Policies Overview

Resolving Policy Merge Conflicts

Merged Policy Naming Conventions

Reference Counting for Merged Policies

Persistent Configuration Differences for Merged Policies Through Service Manager

Policy Attachment Sequence at Login Through Service Manager

Policy Attachment Rules for Merged Policies

Error Conditions for Merged Policies

Merging Policies Configuration

Parent Group Merge Algorithm

Overlapping Classification for IP Input Policy

Starting Policy Processing

Processing the Classifier Result

Processing the Auxiliary-Input Policy Attachment

Policy Actions

Creating Hierarchical Policies for Interface Groups

Hierarchical Policies for Interface Groups Overview

External Parent Groups

Example: Configuring Hierarchical Policy Parameters

Hierarchical Aggregation Nodes

RADIUS and Profile Configuration for Hierarchical Policies

Applying a Profile to Interfaces with Service Manager

Hierarchical Policy Configuration Considerations

Example: Hierarchical Policy Quick Configuration

Example: Configuring Hierarchical Policies

Example: VLAN Rate Limit Hierarchical Policy for Interface Groups Configuration

Example: Wholesale L2TP Model Hierarchical Policy Configuration

Example: Aggregate Rate Limit for All Nonvoice Traffic Hierarchical Policy Configuration

Example: Arbitrary Interface Groups Hierarchical Policy Configuration

Example: Service and User Rate-Limit Hierarchy Overlap Hierarchical Policy Configuration

Policy Resources

Policy Resources Overview

FPGA Hardware Classifiers

CAM Hardware Classifiers Overview

Size Limit for IP and IPv6 CAM Hardware Classifiers

IP Classifiers and Size Limits

IPv6 Classifiers and Size Limits

Creating and Attaching a Policy with IP Classifiers

Software Classifiers Overview

Interface Attachment Resources Overview

CAM Hardware Classifiers and Interface Attachment Resources

Range Vector Hardware Classifiers and Interface Attachment Resources

Monitoring Policy Management

Monitoring Policy Management Overview

Setting a Statistics Baseline for Policies

Monitoring the Policy Configuration of ATM Subinterfaces

Monitoring Classifier Control Lists

Monitoring Color-Mark Profiles

Monitoring Control Plane Policer Information

Monitoring the Policy Configuration of Frame Relay Subinterfaces

Monitoring GRE Tunnel Information

Monitoring Interfaces and Policy Lists

Monitoring the Policy Configuration of IP Interfaces

Monitoring the Policy Configuration of IPv6 Interfaces

Monitoring the Policy Configuration of Layer 2 Services over MPLS

Monitoring External Parent Groups

Monitoring Policy Lists

Monitoring Policy List Parameters

Monitoring Rate-Limit Profiles

Monitoring the Policy Configuration of VLAN Subinterfaces

Packet Flow Monitoring Overview

Packet Mirroring

Packet Mirroring Overview

Packet Mirroring Overview

Comparing CLI-Based Mirroring and RADIUS-Based Mirroring

Configuration

Security

Application

Packet-Mirroring Terms

Packet Mirroring Platform Considerations

Packet Mirroring References

Configuring CLI-Based Packet Mirroring

CLI-Based Packet Mirroring Overview

Enabling and Securing CLI-Based Packet Mirroring

Reloading a CLI-Based Packet-Mirroring Configuration

Using TACACS+ and Vty Access Lists to Secure Packet Mirroring

Using Vty Access Lists to Secure Packet Mirroring

CLI-Based Packet Mirroring Sequence of Events

Configuring CLI-Based Mirroring

Configuring Triggers for CLI-Based Mirroring

Configuring the Analyzer Device

Configuring the E-series Router

Example: Configuring CLI-Based Interface-Specific Mirroring

Example: Configuring CLI-Based User-Specific Mirroring

Configuring RADIUS-Based Mirroring

RADIUS-Based Mirroring Overview

RADIUS Attributes Used for Packet Mirroring

RADIUS-Based Packet Mirroring Dynamically Created Secure Policies

RADIUS-Based Packet Mirroring MLPPP Sessions

RADIUS-Based Mirroring Sequence of Events

Configuring RADIUS-Based Mirroring

Configuring the RADIUS Server

Disabling RADIUS-Based Mirroring

Configuring the Analyzer Device

Configuring Router to Start Mirroring When User Logs On

Configuring Router to Mirror Users Already Logged In

Managing Packet Mirroring

Avoiding Conflicts Between Multiple Packet Mirroring Configurations

Understanding the Prepended Header During a Packet Mirroring Session

Format of the Mirror Header Attributes

8-Byte Format

4-Byte Format

Resolving and Tracking the Analyzer Device’s Address

Using Multiple Triggers for CLI-Based Packet Mirroring

Optimizing Packet Mirroring Performance

Determine Traffic Loads

Establish Resource Guidelines

Logging Packet Mirroring Information

Using SNMP Secure Packet Mirroring Traps

Additional Packet-Mirroring Traps for CALEA Compliance

Packet Mirroring Trap Severity Levels

Configuring SNMP Secure Packet Mirroring Traps

Capturing SNMP Secure Audit Logs

Monitoring Packet Mirroring

Monitoring Packet Mirroring Overview

Monitoring CLI-Based Packet Mirroring

Monitoring the Packet Mirroring Configuration of IP Interfaces

Monitoring Failure Messages for Secure Policies

Monitoring Packet Mirroring Triggers

Monitoring Packet Mirroring Subscriber Information

Monitoring RADIUS Dynamic-Request Server Information

Monitoring Secure CLACL Configurations

Monitoring Secure Policy Lists

Monitoring Information for Secure Policies

Monitoring SNMP Secure Packet Mirroring Traps

Monitoring SNMP Secure Audit Logs

Index

Index

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.