JUNOS 10.1 Policy Framework Configuration Guide

List of Figures
List of Tables

Index
Index of Statements and Commands

About This Guide
JUNOS Documentation and Release Notes
Objectives
Audience
Supported Platforms
Using the Indexes
Using the Examples in This Manual
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Introduction to Policy Framework
Policy Framework Overview
Router Flows Affected by Policies
Policy Architecture
Control Points
Policy Components
Default Policies and Actions
Configuration Tasks
Policy Configuration Recommendations
Comparison of Routing Policies and Firewall Filters
Introduction to Routing Policy
Routing Policy Overview
Importing and Exporting Routes
Protocols That Can Be Imported To and Exported from the Routing Table
Routing Tables Affected by Routing Policies
Default Routing Policies and Actions
Default Import and Export Policies for Protocols
Creating Routing Policies
Configuring a Routing Policy
Routing Policy Match Conditions
Routing Policy Named Match Conditions
Routing Policy Actions
Routing Policy Terms
Applying Routing Policy
Routing Protocol Support for Import and Export Policy
Protocol Support for Import and Export Policies
Applying Routing Policy to Routing Protocols
Applying Export Policies to the Forwarding Table
Evaluating a Routing Policy
How a Routing Policy Is Evaluated
How a Routing Policy Chain Is Evaluated
How a Routing Policy Expression Is Evaluated
How a Routing Policy Subroutine Is Evaluated
Routing Policy Tests
Routing Policy Configuration Statements
Configuring Routing Policy
Minimum Routing Policy Configuration
Minimum Routing Policy Chain Configuration
Minimum Subroutine Configuration
Routing Policy Configuration
Defining Routing Policies
Configuring Match Conditions in Routing Policy Terms
Configuring Actions in Routing Policy Terms
Configuring Flow Control Actions
Configuring Actions That Manipulate Route Characteristics
Configuring the Default Action in Routing Policies
Example: Configuring the Default Action in a Routing Policy
Configuring a Final Action in Routing Policies
Logging Matches to a Routing Policy Term
Configuring Separate Actions for Routes in Route Lists
Applying Routing Policies and Policy Chains to Routing Protocols
Effect of Omitting Ingress Match Conditions from Export Policies
Applying Policy Expressions to Routes Exported from Routing Tables
Policy Expression Examples
How a Policy Expression Is Evaluated
Example: Evaluating Policy Expressions
Applying Routing Policies to the Forwarding Table
Configuring Dynamic Routing Policies
Configuring Routing Policies and Policy Objects in the Dynamic Database
Configuring Routing Policies Based on Dynamic Database Configuration
Applying Dynamic Routing Policies to BGP
Preventing Reestablishment of BGP Peering Sessions After NSR Routing Engine Switchover
Example: Configuring a BGP Export Policy That References a Dynamic Routing Policy
Forwarding Packets to the Discard Interface
Testing Routing Policies
Example: Testing a Routing Policy
Routing Policy Examples
Example: Defining a Routing Policy from BGP to IS-IS
Example: Using Routing Policy to Set a Preference
Example: Importing and Exporting Access and Access-Internal Routes in a Routing Policy
Example: Exporting Routes to IS-IS
Example: Applying Export and Import Policies to BGP Peer Groups
Example: Applying a Prefix to Routes Learned from a Peer
Example: Redistributing BGP Routes with a Specific Community Tag into IS-IS
Example: Redistributing OSPF Routes into BGP
Example: Exporting Direct Routes Into IS-IS
Example: Exporting Internal IS-IS Level 1 Routes to Level 2
Example: Exporting IS-IS Level 2 Routes to Level 1
Example: Assigning Different Forwarding Next-Hop LSPs to Different Destination Prefixes
Example: Grouping Destination Prefixes
Example: Grouping Source Prefixes
Example: Grouping Source and Destination Prefixes in a Forwarding Class
Example: Accepting Routes with Specific Destination Prefixes
Example: Accepting Routes from BGP with a Specific Destination Prefix
Example: Using Routing Policy in an ISP Network
Requesting a Single Default Route on the Customer 1 Router
Requesting Specific Routes on the Customer 2 Router
Configuring a Peer Policy on ISP Router 3
Configuring Private and Exchange Peers on ISP Router 1 and 2
Configuring Locally Defined Static Routes on the Exchange Peer 2 Router
Configuring Outbound and Generated Routes on the Private Peer 2 Router
Extended Match Conditions Configuration
Configuring AS Path Regular Expressions to Use as Routing Policy Match Conditions
Configuring AS Path Regular Expressions
Configuring a Null AS Path
How AS Path Regular Expressions Are Evaluated
Examples: Configuring AS Path Regular Expressions
Overview of BGP Communities and Extended Communities as Routing Policy Match Conditions
Defining BGP Communities and Extended Communities for Use in Routing Policy Match Conditions
Defining BGP Communities for Use in Routing Policy Match Conditions
Using UNIX Regular Expressions in Community Names
Defining BGP Extended Communities for Use in Routing Policy Match Conditions
Examples: Defining BGP Extended Communities
Inverting Community Matches
Including BGP Communities and Extended Communities in Routing Policy Match Conditions
How BGP Communities and Extended Communities Are Evaluated in Routing Policy Match Conditions
Using Routing Policies to Prevent Advertisement of BGP Communities to Neighbors
Examples: Configuring BGP Communities as Routing Policy Match Conditions
Configuring Prefix Lists for Use in Routing Policy Match Conditions
Configuring Prefix Lists
How Prefix Lists Are Evaluated in Routing Policy Match Conditions
Configuring Prefix List Filters
Example: Configuring a Prefix List
Configuring Route Lists for Use in Routing Policy Match Conditions
Configuring Route Lists
How Route Lists Are Evaluated in Routing Policy Match Conditions
How Prefix Order Affects Route List Evaluation
Common Configuration Problem with the Longest-Match Lookup
Route List Examples
Example: Rejecting Routes with Specific Destination Prefixes and Mask Lengths
Example: Rejecting Routes with a Mask Length Greater than Eight
Example: Rejecting Routes with Mask Length Between 26 and 29
Example: Rejecting Routes from Specific Hosts
Example: Accepting Routes with a Defined Set of Prefixes
Example: Rejecting Routes with a Defined Set of Prefixes
Example: Rejecting Routes with Prefixes Longer than 24 Bits
Example: Rejecting PIM Multicast Traffic Joins
Example: Rejecting PIM Traffic
Configuring Subroutines in Routing Policy Match Conditions
Configuring Subroutines
Possible Consequences of Termination Actions in Subroutines
Example: Configuring a Subroutine
Configuring Routing Policy Match Conditions Based on Routing Table Entries
Extended Actions Configuration
Prepending AS Numbers to BGP AS Paths
Adding AS Numbers to BGP AS Paths
Using Routing Policies to Damp BGP Route Flapping
Configuring BGP Flap Damping Parameters
Specifying BGP Flap Damping as the Action in Routing Policy Terms
Disabling Damping for Specific Address Prefixes
Example: Disabling Damping for a Specific Address Prefix
Example: Configuring BGP Flap Damping
Overview of Per-Packet Load Balancing
Configuring Per-Packet Load Balancing
Per-Packet Load Balancing Examples
Configuring Load Balancing Based on MPLS Labels
Configuring Load Balancing for Ethernet Pseudowires
Configuring Load Balancing Based on MAC Addresses
Configuring VPLS Load Balancing Based on IP and MPLS Information
Configuring VPLS Load Balancing on MX Series Ethernet Services Routers
Summary of Routing Policy Configuration Statements
apply-path
as-path
as-path-group
community
condition
damping
dynamic-db
export
import
policy-options
policy-statement
prefix-list
prefix-list-filter
Introduction to Firewall Filters
Firewall Filter Overview
Firewall Filter Components
Firewall Filter Types
Supported Standards
Firewall Filter Configuration
Configuring Firewall Filters
Configuring Standard Firewall Filters
How Firewall Filters Are Evaluated
Overview of Match Conditions in Firewall Filter Terms
Configuring IPv4 Match Conditions
Configuring IPv6 Match Conditions
Configuring Protocol-Independent Match Conditions
Configuring Layer 2 Circuit Cross-Connect Match Conditions
Configuring MPLS Match Conditions
Configuring VPLS Match Conditions
Configuring Layer 2 Bridging Match Conditions for MX Series Ethernet Services Routers
Overview of Protocol Match Conditions
Example: Matching on Destination Port and Protocol Fields
Overview of Class-Based Match Conditions
How to Specify Firewall Filter Match Conditions
Numeric and Text Values in Match Conditions
Prefixes in Match Conditions
Bit-Field Values in Match Conditions
Configuring Actions in Firewall Filter Terms
Example: Counting and Sampling Accepted Packets
Example: Setting the DSCP Bit to Zero
Configuring Nested Firewall Filters
Example: Configuring Nested Filters
Applying Firewall Filters to Interfaces
Configuring Interface-Specific Counters
Example: Configuring Interface-Specific Counters
Defining Interface Groups
Example: Defining Interface Groups
Overview of Firewall Filter Lists
Firewall Filter Examples
Example: Blocking Telnet and SSH Access
Example: Blocking TFTP Access
Example: Accepting DHCP Packets with Specific Addresses
Example: Defining a Policer for a Destination Class
Example: Counting IP Option Packets
Example: Counting and Discarding IP Options Packets
Example: Accepting OSPF Packets from Certain Addresses
Example: Matching Packets Based on Two Unrelated Criteria
Example: Counting Both Accepted and Rejected Packets
Example: Blocking TCP Connections to a Certain Port Except from BGP Peers
Example: Accepting Packets with Specific IPv6 TCP Flags
Example: Setting a Rate Limit for Incoming Layer 2 Control Packets
Configuring Service Filters
Configuring Simple Filters
Example: Configuring a Simple Filter
Configuring Firewall Filters for Logical Systems
Guidelines for Firewall Configuration in Logical Systems
Scenario 1: Firewall Objects Reference Other Firewall Objects
Scenario 2: Nonfirewall Objects Reference Firewall Objects
Scenario 3: Firewall Objects Reference Nonfirewall Objects
Unsupported Configuration Statements, Actions, and Action Modifiers
Configuring Accounting for Firewall Filters
Configuring Filter-Based Forwarding
Examples: Configuring Filter-Based Forwarding
Configuring Forwarding Table Filters
Overview of Forwarding Table Filters
Configuring a Forwarding Table Filter
Configuring System Logging of Firewall Filter Operations
Example: Configuring Firewall Filter System Logging
Policer Overview
Policer Configuration
Configuring Policers
Minimum Policer Configuration
Configuring Policers
Configuring Rate Limiting
Configuring Policer Actions
Example: Configuring a Policer Action
Configuring Multifield Classifiers for Policing
Configuring Filter-Specific Policers
Configuring Policer Actions for Specific Address Prefixes
Examples: Configuring Policer Actions for Specific Address Prefixes
Examples: Classifying Traffic
Configuring Interface Sets
Applying Interface Policers
Example: Applying an Interface Policer
Configuring Aggregate Policers
Example: Configuring an Aggregate Policer
Configuring a Hierarchical Policer
Physical Interface Policer Overview
Configuring Physical Interface Policers
Configuring Physical Interface Policers
Configuring Firewall Filters That Reference Physical Interface Policers
Applying Firewall Filters That Reference Physical Interface Policers
Configuring Bandwidth Policers
Example: Configuring a Bandwidth Policer
Configuring Load-Balance Groups
Configuring Tricolor Marking
Configuring Tricolor Marking Policers
Example: Configuring a Tricolor Marking Policer
Configuring Interface Policers Using Tricolor Marking Policing
Example: Rate-Limiting Bandwidth Using Tricolor Marking Policing
Examples: Configuring Policing
Summary of Firewall Filter and Policer Configuration Statements
accounting-profile
action
family
filter
filter-specific
firewall
if-exceeding
interface-set
interface-specific
load-balance-group
logical-bandwidth-policer
logical-interface-policer
physical-interface-filter
physical-interface-policer
policer
prefix-action
service-filter
simple-filter
term
three-color-policer
three-color-policer (Applying)
three-color-policer (Configuring)
Traffic Sampling, Forwarding, and Monitoring Overview
Introduction to Traffic Sampling Configuration
Traffic Sampling Configuration
Minimum Traffic Sampling Configuration
Configuring Traffic Sampling
Disabling Traffic Sampling
Configuring the Output File for Traffic Sampling
Traffic Sampling Output Format
Tracing Traffic Sampling Operations
Configuring Flow Aggregation (cflowd)
Debugging cflowd Flow Aggregation
Configuring Active Flow Monitoring Using Version 9
Example: Configuring Active Flow Monitoring Using Version 9
Traffic Sampling Examples
Example: Sampling a Single SONET/SDH Interface
Example: Sampling All Traffic from a Single IP Address
Example: Sampling All FTP Traffic
Traffic Forwarding and Monitoring Configuration
Configuring Traffic Forwarding and Monitoring
Applying Filters to Forwarding Tables
Configuring IPv6 Accounting
Configuring Discard Accounting
Configuring Flow Monitoring
Configuring Next-Hop Groups
Per-Flow and Per-Prefix Load Balancing Overview
Configuring Per-Prefix Load Balancing
Configuring Per-Flow Load Balancing Based on Hash Values
Configuring Routers, Switches, and Interfaces as DHCP and BOOTP Relay Agents
Configuring DNS and TFTP Packet Forwarding
Tracing BOOTP, DNS, and TFTP Forwarding Operations
Configuring the Log Filename
Configuring the Number and Size of Log Files
Configuring Access to the Log File
Configuring a Regular Expression for Lines to Be Logged
Example: Configuring DNS Packet Forwarding
Preventing DHCP Spoofing on MX Series Ethernet Services Routers
Configuring Port Mirroring
Configuration Guidelines
Configuring Port Mirroring
Configuring the Port-Mirroring Address Family and Interface
Configuring Multiple Port-Mirroring Instances
Configuring Port-Mirroring Instances
Associating a Port-Mirroring Instance on M320 Routers
Associating a Port-Mirroring Instance on M120 Routers
Configuring MX Series Ethernet Services Routers and M120 Routers to Mirror Traffic Only Once
Configuring Packet Capture
Summary of Traffic Sampling, Forwarding, and Monitoring Configuration Statements
accounting
aggregation
autonomous-system-type
bootp
cflowd
cflowd (Discard Accounting)
cflowd (Flow Monitoring)
client-response-ttl
description
dhcp-relay (DHCP Spoofing Prevention)
disable
domain
export-format
family
family (Filtering)
family (Monitoring)
family (Port Mirroring)
family (Sampling)
family inet
family mpls
family multiservice
file
file (Extended DHCP Relay Agent and Helpers Trace Options)
file (Packet Capture)
file (Sampling)
file (Trace Options)
filename
filename (Packet Capture)
filename (Sampling)
files
files (Packet Capture)
files (Sampling and Traceoptions)
filter
filter (IPv4, IPv6, and MPLS)
filter (VPLS)
flood
flow-active-timeout
flow-export-destination
flow-inactive-timeout
flow-server
forwarding-options
group (DHCP Spoofing Prevention)
hash-key
helpers
indexed-next-hop
input
input (Forwarding Table)
input (Port Mirroring)
input (Sampling)
instance
interface
interface (Accounting or Sampling)
interface (BOOTP)
interface (DHCP Spoofing Prevention)
interface (DNS and TFTP Packet Forwarding or Relay Agent)
interface (Monitoring)
interface (Next-Hop Group)
interface (Port Mirroring)
load-balance
local-dump
max-packets-per-second
maximum-capture-size
maximum-hop-count
maximum-packet-length
minimum-wait-time
mirror-once
monitoring
next-hop
next-hop-group
no-filter-check
no-listen
no-local-dump
no-stamp
no-world-readable
output
output (Accounting)
output (Forwarding Table)
output (Monitoring)
output (Port Mirroring)
output (Sampling)
packet-capture
per-flow
per-prefix
port
port-mirroring
rate
route-accounting
run-length
sampling
server
server (DHCP and BOOTP Relay Agent)
server (DNS and TFTP Service)
size
size (Packet Capture)
size (Sampling and Traceoptions)
stamp
tftp
traceoptions
traceoptions (DNS and TFTP Packet Forwarding)
traceoptions (Port Mirroring and Traffic Sampling)
version
version9
world-readable
Indexes
Index
Index of Statements and Commands