JUNOS 9.4 Policy Framework Configuration Guide

List of Figures
List of Tables

Index
Index of Statements and Commands


About This Guide
Objectives
Audience
Supported Platforms
Using the Indexes
Using the Examples in This Manual
Documentation Conventions
List of Technical Publications
Documentation Feedback
Requesting Technical Support
Policy Framework Overview
Router Flows Affected by Policies
Policy Architecture
Control Points
Policy Components
Default Policies and Actions
Configuration Tasks
Policy Configuration Recommendations
Comparison of Routing Policies and Firewall Filters
Routing Policy Framework Overview
Importing and Exporting
Routing Tables Affected by Routing Policies
Default Routing Policies and Actions
Creating Routing Policies
Configuring a Routing Policy
Match Conditions
Named Match Conditions
Actions
Terms
Routing Policy Application
Routing Protocols
Routing Policy Application to Routing Protocols
Forwarding Table
Evaluating a Routing Policy
How a Routing Policy Is Evaluated
How a Routing Policy Chain Is Evaluated
How a Routing Policy Expression Is Evaluated
How a Routing Policy Subroutine Is Evaluated
Routing Policy Tests
Supported Standards and Drafts
Routing Policy Configuration Statements
Minimum Routing Policy Configuration
Minimum Routing Policy Chain Configuration
Minimum Subroutine Configuration
Routing Policy Configuration
Defining Routing Policies
Routing Policy Name
Terms
Match Conditions
Actions
Flow Control Actions
Actions That Manipulate Route Characteristics
Trace Action
Final Action
Default Action
Example: Configure the Default Action for a Policy
Route List Actions
Examples: Defining Routing Policies
Defining a Routing Policy from BGP to IS-IS
Using Routing Policy to Set a Preference
Importing and Exporting Access and Access-Internal Routes in a Routing Policy
Applying Routing Policies
Applying Routing Policies to a Routing Protocol
Applying a Routing Policy
Applying a Routing Policy Chain
Applying Policy Expressions
Policy Expression Examples
How a Policy Expression Is Evaluated
Example: Evaluating Policy Expressions
Side Effects of Omitting the "from" Statement from an Export Policy
Applying Routing Policies to the Forwarding Table
Examples: Applying Routing Policies
Examples: Routing Policy Configuration
Example: Redistributing BGP Routes with a Specific Community Tag into IS-IS
Example: Redistributing OSPF Routes into BGP
Example: Exporting Direct Routes Into IS-IS
Example: Exporting Internal IS-IS Level 1 Routes to Level 2
Example: Exporting IS-IS Level 2 Routes to Level 1
Example: Assigning Different Forwarding Next-Hop LSPs to Different Destination Prefixes
Example: Grouping Destination Prefixes
Example: Grouping Source Prefixes
Example: Grouping Source and Destination Prefixes in a Forwarding Class
Example: Accepting Routes with Specific Destination Prefixes
Example: Accepting Routes from BGP with a Specific Destination Prefix
Example: ISP Network Case Study
Requesting a Single Default Route on the Customer 1 Router
Requesting Specific Routes on the Customer 2 Router
Configuring a Peer Policy on ISP Router 3
Configuring Private and Exchange Peers on ISP Router 1 and 2
Configuring Locally Defined Static Routes on the Exchange Peer 2 Router
Configuring Outbound and Generated Routes on the Private Peer 2 Router
Configuring the Discard Interface
Testing Routing Policies
Example: Testing a Routing Policy
Extended Match Conditions Configuration
Configuring AS Path Regular Expressions
Defining AS Path Regular Expressions
Null AS Path
Example: Null AS Path
How AS Path Regular Expressions Are Evaluated
Examples: Configuring AS Path Regular Expressions
Configuring Communities
Defining Communities
Configuring the Community Attribute
Configuring the Community Attribute Using UNIX Regular Expressions
Do Not Advertise Communities to Neighbors
Examples: Configuring the Community Attribute
Configuring the Extended Communities Attribute
Examples: Configuring the Extended Communities Attribute
Inverting Community Matches
Configuring Link Bandwidth
How Communities Are Evaluated
Configuring Prefix Lists
Prefix List and Route List Differences
Defining Prefix Lists
How a Prefix List Is Evaluated
Configuring a Prefix List Filter
Example: Configuring a Prefix List
Configuring Route Lists
Defining Route Lists
How a Route List Is Evaluated
How Prefix Order Affects Route List Evaluation
Common Configuration Problem with the Longest-Match Lookup
Examples: Configuring Route Lists
Example: Rejecting Routes with Specific Destination Prefixes and Mask Lengths
Example: Rejecting Routes with a Mask Length Greater than Eight
Example: Rejecting Routes with Mask Length Between 26 and 29
Example: Rejecting Routes from Specific Hosts
Example: Accepting Routes with a Defined Set of Prefixes
Example: Rejecting Routes with a Defined Set of Prefixes
Example: Rejecting Routes with Prefixes Longer than 24 Bits
Example: Rejecting PIM Multicast Traffic Joins
Example: Rejecting PIM Traffic
Configuring Subroutines
Defining Subroutines
Termination Actions
Example: Configuring a Subroutine
Configuring the Condition Statement
Extended Actions Configuration
Configuring the AS Path Prepend Action
Configuring the AS Path Expand Action
Configuring the Class-of-Service Action
Configuring the Damping Action
Configuring Flap Damping Parameters
Defining Damping Action
Enabling BGP Route Flap Damping
Disabling Damping by Prefix
Example: Disabling by Prefix
Example: Configuring BGP Flap Damping
Configuring the Load-Balance Per-Packet Action
Load Balancing Based on the MPLS Label Information
Load Balancing for Ethernet Pseudowires
Load Balancing Based on Layer 2 MAC Information
VPLS Load Balancing Based on IP and MPLS Information
Examples: Configuring Per-Packet Load Balancing
Summary of Routing Policy Configuration Statements
apply-path
as-path
as-path-group
community
condition
damping
export
import
policy-options
policy-statement
prefix-list
prefix-list-filter
Firewall Filter Overview
Firewall Filter Components
Supported Standards
Firewall Filter Configuration
Minimum Firewall Filter Configuration
Configuring Firewall Filters
Configuring the Family Address Type
Configuring the Filter Name
Configuring the Filter Terms
Configuring a Filter Match Statement
Configuring a Filter Action Statement
Example: Configure a Filter Action Statement
Example: Set the DSCP Bit to 0
How Firewall Filters Are Evaluated
Filter Match Conditions
Specifying Numeric Range Filter Match Conditions
Specifying Address Filter Match Conditions
Specifying Bit-Field Filter Match Conditions
Specifying Class-Based Filter Match Conditions
Filtering Smaller Packets
How Firewall Filters Test a Packet’s Protocol
Example: Do Not Test Packet Protocol
Configuring a Filter Within a Filter
Example: Configuring a Filter Within a Filter
Examples: Defining Firewall Filters
Example: Blocking Telnet and SSH Access
Example: Blocking TFTP Access
Example: Accepting DHCP Packets with Specific Addresses
Example: Defining a Policer for a Destination Class
Example: Counting IP Option Packets
Example: Accepting OSPF Packets from Certain Addresses
Example: Matching Packets Based on Two Unrelated Criteria
Example: Counting Both Accepted and Rejected Packets
Example: Blocking TCP Connections to a Certain Port Except from BGP Peers
Example: Accepting Packets with Specific IPv6 TCP Flags
Example: Setting a Rate Limit for Incoming Layer 2 Control Packets
Configuring Service Filters
Configuring Simple Filters
Example: Configuring a Simple Filter
Applying Firewall Filters to Interfaces
Configuring Interface-Specific Counters
Example: Configuring Interface-Specific Counters
Defining Interface Groups
Example: Defining Interface Groups
Configuring Firewall Filters for Logical Systems
Guidelines for Firewall Configuration in Logical Systems
Scenario 1: Referencing Other Firewall Objects
Scenario 2: Referencing Firewall Objects from Outside the Firewall Configuration
Scenario 3: Firewall Objects That Reference Objects Outside the Firewall Configuration
Unsupported Configuration Statements, Actions, and Action Modifiers
Configuring Accounting
Configuring a Firewall Filter Accounting Profile
Configuring Filter-Based Forwarding
Examples: Configuring Filter-Based Forwarding
Configuring Forwarding Table Filters
Overview of Forwarding Table Filters
Configuring a Forwarding Table Filter
Configuring Firewall Filter System Logging
Example: Configuring Firewall Filter System Logging
Policer Overview
Policer Configuration
Minimum Policer Configuration
Configuring Policers
Configuring Rate Limiting
Configuring a Policer Action
Example: Configuring a Policer Action
Configuring Multifield Classification and Policing
Configuring Filter-Specific Policers
Configuring Prefix-Specific Actions
Examples: Configuring Prefix-Specific Actions
Examples: Classifying Traffic
Configuring an Interface Set
Applying an Interface Policer
Example: Applying an Interface Policer
Configuring an Aggregate Policer
Example: Configuring an Aggregate Policer
Configuring a Bandwidth Policer
Example: Configuring a Bandwidth Policer
Configuring a Load-Balance Group
Configuring Tricolor Marking
Configuring a Tricolor Marking Policer
Example: Configuring a Tricolor Marking Policer
Configuring an Interface Policer Using Tricolor Marking Policing
Example: Rate-Limiting Bandwidth Using Tricolor Marking Policing
Examples: Configuring Policing
Summary of Firewall Filter and Policer Configuration Statements
accounting-profile
action
family
filter
filter-specific
firewall
if-exceeding
interface-set
interface-specific
load-balance-group
logical-bandwidth-policer
logical-interface-policer
policer
prefix-action
service-filter
simple-filter
term
three-color-policer
three-color-policer (Applying)
three-color-policer (Configuring)
virtual-channel
Traffic Sampling and Forwarding Overview
Traffic Sampling and Forwarding Configuration
Minimum Traffic Sampling or Forwarding Configuration
Configuring a Forwarding Table Filter
Configuring IPv6 Accounting
Configuring Traffic Sampling
Configuring Discard Accounting
Configuring Flow Monitoring
Configuring a Next-Hop Group
Configuring Per-Flow Load-Balancing Information
Configuring Per-Prefix Load Balancing
Configuring Per-Flow Load Balancing Based on Hash Values
Configuring the Router or Interface to Act as a DHCP/BOOTP Relay Agent
Configuring DNS and TFTP Packet Forwarding
Tracing BOOTP, DNS, and TFTP Forwarding Operations
Configuring the Log Filename
Configuring the Number and Size of Log Files
Configuring Access to the Log File
Configuring a Regular Expression for Lines to Be Logged
Configuring the Trace Operations
Example: Configuring DNS Packet Forwarding
Configuring the Extended DHCP Relay Agent
Interaction Between the DHCP Relay Agent, DHCP Client, and DHCP Servers
Access and Access-Internal Routes
DHCP State Persistence
Graceful Routing Engine Switchover
Overriding the Default DHCP Relay Configuration
Overwriting giaddr Information
Overriding Option 82 Information
Using Layer 2 Unicast Transmission for DHCP Packets
Trusting Option 82 Information
Disabling DHCP Relay
Using Option 60 Information to Forward Client Traffic to Specific DHCP Servers
Using Matching Option 60 Strings to Process DHCP Client Traffic
Using Nonmatching Option 60 Strings to Process DHCP Client Traffic
Displaying a Count of Discarded DHCP Packets with Option 60 Information
Enabling and Disabling Insertion of Option 82 Information
Configuring Agent-Circuit-Id Information
Configuring an Option 82 Prefix
Configuring Server Groups
Configuring Active Server Groups
Grouping Interfaces with Common DHCP Relay Configuration
Configuring Group-Specific DHCP Relay Options
Enabling the DHCP Relay Agent on Specified Interfaces
Using External AAA Authentication Services
Verifying and Managing DHCP Relay Agent Clients
Tracing Extended DHCP Relay Agent Operations
Configuring the Extended DHCP Relay Agent Log Filename
Configuring the Number and Size of Extended DHCP Relay Agent Log Files
Configuring Access to the Extended DHCP Relay Agent Log File
Configuring a Regular Expression for Extended DHCP Relay Agent Lines to Be Logged
Configuring the Extended DHCP Relay Agent Tracing Flags
Example: Minimum DHCP Relay Agent Configuration
Example: DHCP Relay Agent Configuration with Multiple Clients and Servers
Example: Using Option 60 Strings to Forward DHCP Client Traffic
Example: Using Option 60 Strings to Drop DHCP Client Traffic
Preventing DHCP Spoofing (MX-series Routers Only)
Disabling Traffic Sampling
Examples: Configuring Traffic Sampling
Sampling a Single SONET/SDH Interface
Sampling All Traffic from a Single IP Address
Sampling All FTP Traffic
Configuring Traffic Sampling Output
Traffic Sampling Output Files
Tracing Traffic Sampling Operations
Configuring Flow Aggregation (cflowd)
Debugging cflowd Flow Aggregation
Configuring Active Flow Monitoring Using Version 9
Example: Configuring Active Flow Monitoring Using Version 9
Configuring Port Mirroring
Configuring Packet Capture
Summary of Traffic Sampling and Forwarding Options Configuration Statements
accounting
active-server-group
aggregation
always-write-giaddr
always-write-option-82
authentication
autonomous-system-type
bootp
cflowd
cflowd (Discard Accounting)
cflowd (Flow Monitoring)
cflowd (Sampling)
circuit-id
circuit-type
client-response-ttl
default-local-server-group
default-relay-server-group
delimiter
description
description (Interface)
description (Service)
dhcp-relay
dhcp-relay (DHCP Relay Agent)
dhcp-relay (DHCP Snooping)
disable
disable (Packet Capture)
disable (Sampling)
disable-relay
domain
domain-name
drop
export-format
family
family (Filtering)
family (Sampling)
family inet
family inet (Load Balancing)
family inet (Monitoring)
family mpls
family multiservice
file
file (Helpers Trace Options)
file (Packet Capture)
file (Sampling)
file (Trace Options)
filename
filename (Packet Capture)
filename (Sampling)
files
files (Packet Capture)
files (Sampling)
filter
flood
flow-active-timeout
flow-export-destination
flow-inactive-timeout
forwarding-options
group
group (DHCP Relay Agent)
group (DHCP Snooping)
hash-key
helpers
indexed-next-hop
input
input (Forwarding Table)
input (Port Mirroring)
input (Sampling)
interface
interface (Accounting or Sampling)
interface (BOOTP)
interface (DHCP Relay Agent)
interface (DHCP Snooping)
interface (DNS and TFTP Packet Forwarding or Relay Agent)
interface (Monitoring)
interface (Next-Hop Group)
interface (Port Mirroring)
layer2-unicast-replies
load-balance
local-dump
local-server-group
logical-system-name
mac-address
maximum-capture-size
maximum-hop-count
max-packets-per-second
minimum-wait-time
monitoring
next-hop
next-hop-group
no-filter-check
no-listen
no-local-dump
no-stamp
no-world-readable
option-60
option-82
output
output (Accounting)
output (Forwarding Table)
output (Monitoring)
output (Port Mirroring)
output (Sampling)
overrides
packet-capture
password
per-flow
per-prefix
port
port-mirroring
prefix
rate
relay-option-60
relay-option-82
relay-server-group
route-accounting
routing-instance
routing-instance-name
run-length
sampling
server
server (DHCP or BOOTP Service)
server (DNS and TFTP Service)
server-group
size
size (Packet Capture)
size (Sampling)
stamp
tftp
traceoptions
traceoptions (DNS and TFTP Packet Forwarding)
traceoptions (Extended DHCP Relay Agent)
traceoptions (Port Mirroring and Traffic Sampling)
trust-option-82
username-include
user-prefix
vendor-option
version
version9
world-readable
Indexes
Index
Index of Statements and Commands