Table of Contents

About This Guide

Objectives

Audience

Supported Routing Platforms

Using the Indexes

Using the Examples in This Manual

Documentation Conventions

List of Technical Publications

Documentation Feedback

Requesting Technical Support

Policy Framework

Policy Framework Overview

Router Flows Affected by Policies

Policy Architecture

Control Points

Policy Components

Default Policies and Actions

Configuration Tasks

Policy Configuration Recommendations

Comparison of Routing Policies and Firewall Filters

Routing Policies

Routing Policy Framework Overview

Importing and Exporting

Routing Tables Affected by Routing Policies

Default Routing Policies and Actions

Creating Routing Policies

Configuring a Routing Policy

Match Conditions

Named Match Conditions

Actions

Terms

Routing Policy Application

Routing Protocols

Routing Policy Application to Routing Protocols

Forwarding Table

Evaluating a Routing Policy

How a Routing Policy Is Evaluated

How a Routing Policy Chain Is Evaluated

How a Routing Policy Expression Is Evaluated

How a Routing Policy Subroutine Is Evaluated

Routing Policy Tests

Supported Standards and Drafts

Routing Policy Configuration Statements

Minimum Routing Policy Configuration

Minimum Routing Policy Chain Configuration

Minimum Subroutine Configuration

Routing Policy Configuration

Defining Routing Policies

Routing Policy Name

Terms

Match Conditions

Actions

Flow Control Actions

Actions That Manipulate Route Characteristics

Trace Action

Final Action

Default Action

Example: Configure the Default Action for a Policy

Route List Actions

Examples: Defining Routing Policies

Defining a Routing Policy from BGP to IS-IS

Using Routing Policy to Set a Preference

Importing and Exporting Access and Access-Internal Routes in a Routing Policy

Applying Routing Policies

Applying Routing Policies to a Routing Protocol

Applying a Routing Policy

Applying a Routing Policy Chain

Applying Policy Expressions

Policy Expression Examples

How a Policy Expression Is Evaluated

Example: Evaluating Policy Expressions

Side Effects of Omitting the "from" Statement from an Export Policy

Applying Routing Policies to the Forwarding Table

Examples: Applying Routing Policies

Examples: Routing Policy Configuration

Example: Redistributing BGP Routes with a Specific Community Tag into IS-IS

Example: Redistributing OSPF Routes into BGP

Example: Exporting Direct Routes Into IS-IS

Example: Exporting Internal IS-IS Level 1 Routes to Level 2

Example: Exporting IS-IS Level 2 Routes to Level 1

Example: Assigning Different Forwarding Next-Hop LSPs to Different Destination Prefixes

Example: Grouping Destination Prefixes

Example: Grouping Source Prefixes

Example: Grouping Source and Destination Prefixes in a Forwarding Class

Example: Accepting Routes with Specific Destination Prefixes

Example: Accepting Routes from BGP with a Specific Destination Prefix

Example: ISP Network Case Study

Requesting a Single Default Route on the Customer 1 Router

Requesting Specific Routes on the Customer 2 Router

Configuring a Peer Policy on ISP Router 3

Configuring Private and Exchange Peers on ISP Router 1 and 2

Configuring Locally Defined Static Routes on the Exchange Peer 2 Router

Configuring Outbound and Generated Routes on the Private Peer 2 Router

Configuring the Discard Interface

Testing Routing Policies

Example: Testing a Routing Policy

Extended Match Conditions Configuration

Configuring AS Path Regular Expressions

Defining AS Path Regular Expressions

Null AS Path

Example: Null AS Path

How AS Path Regular Expressions Are Evaluated

Examples: Configuring AS Path Regular Expressions

Configuring Communities

Defining Communities

Configuring the Community Attribute

Configuring the Community Attribute Using UNIX Regular Expressions

Do Not Advertise Communities to Neighbors

Examples: Configuring the Community Attribute

Configuring the Extended Communities Attribute

Examples: Configuring the Extended Communities Attribute

Inverting Community Matches

Configuring Link Bandwidth

How Communities Are Evaluated

Configuring Prefix Lists

Prefix List and Route List Differences

Defining Prefix Lists

How a Prefix List Is Evaluated

Configuring a Prefix List Filter

Example: Configuring a Prefix List

Configuring Route Lists

Defining Route Lists

How a Route List Is Evaluated

How Prefix Order Affects Route List Evaluation

Common Configuration Problem with the Longest-Match Lookup

Examples: Configuring Route Lists

Example: Rejecting Routes with Specific Destination Prefixes and Mask Lengths

Example: Rejecting Routes with a Mask Length Greater than Eight

Example: Rejecting Routes with Mask Length Between 26 and 29

Example: Rejecting Routes from Specific Hosts

Example: Accepting Routes with a Defined Set of Prefixes

Example: Rejecting Routes with a Defined Set of Prefixes

Example: Rejecting Routes with Prefixes Longer than 24 Bits

Example: Rejecting PIM Multicast Traffic Joins

Example: Rejecting PIM Traffic

Configuring Subroutines

Defining Subroutines

Termination Actions

Example: Configuring a Subroutine

Configuring the Condition Statement

Extended Actions Configuration

Configuring the AS Path Prepend Action

Configuring the AS Path Expand Action

Configuring the Class-of-Service Action

Configuring the Damping Action

Configuring Flap Damping Parameters

Defining Damping Action

Enabling BGP Route Flap Damping

Disabling Damping by Prefix

Example: Disabling by Prefix

Example: Configuring BGP Flap Damping

Configuring the Load-Balance Per-Packet Action

Load Balancing Based on the MPLS Label Information

Load Balancing Based on Layer 2 MAC Information

Examples: Configuring Per-Packet Load Balancing

Summary of Routing Policy Configuration Statements

apply-path

as-path

as-path-group

community

condition

damping

export

import

policy-options

policy-statement

prefix-list

prefix-list-filter

Firewall Filters

Firewall Filter Overview

Firewall Filter Components

Supported Standards

Firewall Filter Configuration

Minimum Firewall Filter Configuration

Configuring Firewall Filters

Configuring the Family Address Type

Configuring the Filter Name

Configuring the Filter Terms

Configuring a Filter Match Statement

Configuring a Filter Action Statement

Example: Configure a Filter Action Statement

Example: Set the DSCP Bit to 0

How Firewall Filters Are Evaluated

Filter Match Conditions

Specifying Numeric Range Filter Match Conditions

Specifying Address Filter Match Conditions

Specifying Bit-Field Filter Match Conditions

Specifying Class-Based Filter Match Conditions

Filtering Smaller Packets

How Firewall Filters Test a Packet’s Protocol

Example: Do Not Test Packet Protocol

Configuring a Filter Within a Filter

Example: Configuring a Filter Within A Filter

Examples: Defining Firewall Filters

Example: Blocking Telnet and SSH Access

Example: Blocking TFTP Access

Example: Accepting DHCP Packets with Specific Addresses

Example: Defining a Policer for a Destination Class

Example: Counting IP Option Packets

Example: Accepting OSPF Packets from Certain Addresses

Example: Matching Packets Based on Two Unrelated Criteria

Example: Counting Both Accepted and Rejected Packets

Example: Blocking TCP Connections to a Certain Port Except from BGP Peers

Example: Accepting Packets with Specific IPv6 TCP Flags

Example: Setting a Rate Limit for Incoming Layer 2 Control Packets

Configuring Service Filters

Configuring Simple Filters

Example: Configuring a Simple Filter

Applying Firewall Filters to Interfaces

Configuring Interface-Specific Counters

Example: Configuring Interface-Specific Counters

Defining Interface Groups

Example: Defining Interface Groups

Configuring Firewall Filters for Logical Systems

Guidelines for Firewall Configuration in Logical Systems

Scenario 1: Firewall Objects That Reference Other Firewall Objects

Scenario 2: Referencing Firewall Objects from Outside the Firewall Configuration

Scenario 3: Firewall Objects That Reference Objects Outside the Firewall Configuration

Unsupported Configuration Statements, Actions, and Action Modifiers

Configuring Accounting

Configuring a Firewall Filter Accounting Profile

Configuring Filter-Based Forwarding

Examples: Configuring Filter-Based Forwarding

Configuring Forwarding Table Filters

Overview of Forwarding Table Filters

Configuring a Forwarding Table Filter

Configuring Firewall Filter System Logging

Example: Configuring Firewall Filter System Logging

Policer Overview

Policer Configuration

Minimum Policer Configuration

Configuring Policers

Configuring Rate Limiting

Configuring a Policer Action

Example: Configuring a Policer Action

Configuring Multifield Classification and Policing

Configuring Filter-Specific Policers

Configuring Prefix-Specific Actions

Examples: Configuring Prefix-Specific Actions

Examples: Classifying Traffic

Configuring an Interface Set

Applying an Interface Policer

Example: Applying an Interface Policer

Configuring an Aggregate Policer

Example: Configuring an Aggregate Policer

Configuring a Bandwidth Policer

Example: Configuring a Bandwidth Policer

Configuring a Load-Balance Group

Configuring Tricolor Marking

Configuring a Tricolor Marking Policer

Example: Configuring a Tricolor Marking Policer

Configuring an Interface Policer Using Tricolor Marking Policing

Example: Rate-Limiting Bandwidth Using Tricolor Marking Policing

Examples: Configuring Policing

Summary of Firewall Filter and Policer Configuration Statements

accounting-profile

action

family

filter

filter-specific

firewall

if-exceeding

interface-set

interface-specific

load-balance-group

logical-bandwidth-policer

logical-interface-policer

policer

prefix-action

service-filter

simple-filter

term

three-color-policer

three-color-policer (Applying)

three-color-policer (Configuring)

virtual-channel

Traffic Sampling and Forwarding

Traffic Sampling and Forwarding Overview

Traffic Sampling and Forwarding Configuration

Minimum Traffic Sampling or Forwarding Configuration

Configuring a Forwarding Table Filter

Configuring IPv6 Accounting

Configuring Traffic Sampling

Configuring Discard Accounting

Configuring Flow Monitoring

Configuring a Next-Hop Group

Configuring Per-Flow Load-Balancing Information

Configuring Per-Prefix Load Balancing

Configuring Per-Flow Load Balancing Based on Hash Values

Configuring the Router or Interface to Act as a DHCP/BOOTP Relay Agent

Configuring DNS and TFTP Packet Forwarding

Tracing BOOTP, DNS, and TFTP Forwarding Operations

Configuring the Log Filename

Configuring the Number and Size of Log Files

Configuring Access to the Log File

Configuring a Regular Expression for Lines to Be Logged

Configuring the Trace Operations

Example: Configuring DNS Packet Forwarding

Configuring the Extended DHCP Relay Agent

Interaction Between the DHCP Relay Agent, DHCP Client, and DHCP Servers

Access and Access-Internal Routes

DHCP State Persistence

Graceful Routing Engine Switchover

Overriding the Default DHCP Relay Configuration

Overwriting giaddr Information

Overriding Option 82 Information

Using Layer 2 Unicast Transmission for DHCP Packets

Trusting Option 82 Information

Disabling DHCP Relay

Using Option 60 Information to Forward Client Traffic to Specific DHCP Servers

Using Matching Option 60 Strings to Process DHCP Client Traffic

Using Nonmatching Option 60 Strings to Process DHCP Client Traffic

Displaying a Count of Discarded DHCP Packets with Option 60 Information

Enabling and Disabling Insertion of Option 82 Information

Configuring Agent-Circuit-Id Information

Configuring an Option 82 Prefix

Configuring Server Groups

Configuring Active Server Groups

Grouping Interfaces with Common DHCP Relay Configuration

Configuring Group-Specific DHCP Relay Options

Enabling the DHCP Relay Agent on Specified Interfaces

Using External AAA Authentication Services

Verifying and Managing DHCP Relay Agent Clients

Tracing Extended DHCP Relay Agent Operations

Configuring the Extended DHCP Relay Agent Log Filename

Configuring the Number and Size of Extended DHCP Relay Agent Log Files

Configuring Access to the Extended DHCP Relay Agent Log File

Configuring a Regular Expression for Extended DHCP Relay Agent Lines to Be Logged

Configuring the Extended DHCP Relay Agent Tracing Flags

Example: Minimum DHCP Relay Agent Configuration

Example: DHCP Relay Agent Configuration with Multiple Clients and Servers

Example: Using Option 60 Strings to Forward DHCP Client Traffic

Example: Using Option 60 Strings to Drop DHCP Client Traffic

Disabling Traffic Sampling

Examples: Configuring Traffic Sampling

Sampling a Single SONET/SDH Interface

Sampling All Traffic from a Single IP Address

Sampling All FTP Traffic

Configuring Traffic Sampling Output

Traffic Sampling Output Files

Tracing Traffic Sampling Operations

Configuring Flow Aggregation (cflowd)

Debugging cflowd Flow Aggregation

Configuring Active Flow Monitoring Using Version 9

Example: Configuring Active Flow Monitoring Using Version 9

Configuring Port Mirroring

Configuring Packet Capture

Summary of Traffic Sampling and Forwarding Options Configuration Statements

accounting

active-server-group

aggregation

always-write-giaddr

always-write-option-82

authentication

autonomous-system-type

bootp

cflowd

cflowd (Discard Accounting)

cflowd (Flow Monitoring)

cflowd (Sampling)

circuit-id

circuit-type

client-response-ttl

default-local-server-group

default-relay-server-group

delimiter

description

description (Interface)

description (Service)

dhcp-relay

disable

disable (Packet Capture)

disable (Sampling)

disable-relay

domain

domain-name

drop

export-format

family

family (Filtering)

family (Sampling)

family inet

family inet (Load Balancing)

family inet (Monitoring)

family mpls

family multiservice

file

file (Helpers Trace Options)

file (Packet Capture)

file (Sampling)

file (Trace Options)

filename

filename (Packet Capture)

filename (Sampling)

files

files (Packet Capture)

files (Sampling)

filter

flood

flow-active-timeout

flow-export-destination

flow-inactive-timeout

forwarding-options

group

hash-key

helpers

indexed-next-hop

input

input (Forwarding Table)

input (Port Mirroring)

input (Sampling)

interface

interface (Accounting or Sampling)

interface (BOOTP)

interface (DHCP Relay Agent)

interface (DNS and TFTP Packet Forwarding or Relay Agent)

interface (Monitoring)

interface (Next-Hop Group)

interface (Port Mirroring)

layer2-unicast-replies

load-balance

local-dump

local-server-group

logical-system-name

mac-address

maximum-capture-size

maximum-hop-count

max-packets-per-second

minimum-wait-time

monitoring

next-hop

next-hop-group

no-filter-check

no-listen

no-local-dump

no-stamp

no-world-readable

option-60

option-82

output

output (Accounting)

output (Forwarding Table)

output (Monitoring)

output (Port Mirroring)

output (Sampling)

overrides

packet-capture

password

per-flow

per-prefix

port

port-mirroring

prefix

rate

relay-option-60

relay-option-82

relay-server-group

route-accounting

routing-instance

routing-instance-name

run-length

sampling

server

server (DHCP or BOOTP Service)

server (DNS and TFTP Service)

server-group

size

size (Packet Capture)

size (Sampling)

stamp

tftp

traceoptions

traceoptions (DNS and TFTP Packet Forwarding)

traceoptions (Extended DHCP Relay Agent)

traceoptions (Port Mirroring and Traffic Sampling)

trust-option-82

username-include

user-prefix

vendor-option

version

version9

world-readable

Indexes

Index

Index of Statements and Commands

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.