    Configuring Policy Templates

    The policy templates are used to define the policy rules that are inserted or removed from network devices. Templates are combined with parameters from the service activation context to generate Junos XML management protocol and Telnet commands that add and remove service policies.

    The policy templates section has this basic structure:

      <policy-templates>
        <target interface-class="<!-- interface class name -->">
          <activation>
            <junoscript>
              <!-- JUNOScript API statements -->
              <for-each-rule>
                <!-- Can have multiple for-each-rule -->
                <if test="expression">
                  <!-- Can have conditional expressions -->
                </if>
              </for-each-rule>
              <for-each-rule test="expression">
                <!-- Can have multiple for-each-rule -->
                <!-- For each single rule, can include test conditions -->
              </for-each-rule>
            </junoscript>
            <telnet host="<!-- hostname -->">
              <prompt>login:</prompt>
              <command>joe</command>
              <prompt>password:</prompt>
              <command>abc123</command>
              <!-- Can have many prompt/command pairs -->
              <for-each-rule test="expression">
                <!-- For each single rule, can include conditions
                     and have prompt/command pairs -->
              </for-each-rule>
            </telnet>
          </activation>
          <deactivation>
            <!-- Structure same as for activation -->
          </deactivation>
        </target>
      </policy-templates>
    

    Table 1 describes the policy template elements in the configuration file.

    Table 1: Policy Template Elements for Configuration File

    Element

    Description

    <target interface-class="interface-class-name">

    Defines a single policy template, which is selected by matching the interface-class attribute with the value found in the dpiInterfaceClasses parameter. If the interface-class attribute is not provided or its value is "", the target applies to all interfaces.

    For example: <target interface-class="MXEnterprise">

    <activation>

    Defines what the script service should do when activating or modifying a session. This element is triggered when the dpiAdminState parameter changes from "disabled" to "enabled".

    <deactivation>

    Defines what the script service should do when deactivating a session. This element is triggered when the dpiAdminState parameter changes from "enabled" to "disabled".

    <junoscript>

    Contains a sequence of Junos XML management protocol commands to manage policies on routers running Junos OS.

    This element can contain <if> and <for-each-rule> elements, delimited variables, literal text, and XML elements, which are not interpreted.

    <telnet host="hostname">

    Contains a sequence of prompt and command pairs to match on the Telnet device, similar to an expect script. The host attribute is a variable that can include a regular expression to extract a part of the value from the variable. See the <variable> element.

    For example: <telnet host="deviceIP">

    This element can contain <if>, <for-each-rule>, <prompt>, and <command> elements. The <prompt> and <command> elements must alternate, and the sequence must start with the <prompt> element. This element can also contain delimited variables and literal text.

    <variable-delimiters start="delimiter" end="delimiter">

    Specifies the delimiters for variables in the configuration file. The default delimiters enclose the variable within three square brackets ([[[ variable ]]]).

    If you want to specify a different delimiter, you must specify the <variable-delimiters> element immediately after the opening tag for the <junoscript> or <telnet> element. The delimiters apply to the contents of the <junoscript> or <telnet> element. Any other occurrences of the <variable-delimiters> element within that element are ignored.

    For example: <variable-delimiters start="(*" end="*)">

    <if test="variableName~pattern">

    Defines conditional expressions used to generate configuration commands.

    The test attribute is a variable expression without delimiters. The test is true if the variable has a value and if the optional regular expression matches the variable.

    For example, the forwarding-class statement is added to the body only if the map expression contains the fcl key, which satisfies the test condition:

    <if test="fcl">
    forwarding-class [[[ fcl ]]];
    </if>

    <for-each-rule>

    Generates the specified body once for each map expression found in the dpiRules parameter. For example, if the dpiRules parameter contains two map expressions, the policy template generates the body of the <for-each-rule> element twice, once for each map expression.

    The <for-each-rule> element has a ruleNumber variable to sequentially track the processing of each map expression.

    You can use the test attribute to provide a condition for the rule; using this attribute is equivalent to adding an <if> element.

    Note: Special XML characters used in the policy templates must be escaped as XML character entities. For example, the left angle bracket (<) must be coded as &lt;.
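The <telnet> rules in Table 1 (prompts and commands alternate, starting with a prompt) can be checked before a template file is deployed, along with literal replies to password-style prompts such as the `abc123` placeholder in the structure above. The linter below is an added example, not part of the original documentation or the product; the sample file is constructed, the default `[[[ ]]]` delimiters are assumed, and the `deviceUser` and `devicePassword` variable names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

VAR = re.compile(r"\[\[\[.+?\]\]\]")        # default [[[ variable ]]] delimiters
SECRET_PROMPT = re.compile(r"pass|secret", re.I)

def lint_telnet(xml_text):
    """Return (telnet_block_number, message) findings for a policy-templates file."""
    findings = []
    for number, telnet in enumerate(ET.fromstring(xml_text).iter("telnet"), 1):
        expected, prompt = "prompt", ""
        for el in telnet.iter():  # document order, descends into <for-each-rule>
            if el.tag not in ("prompt", "command"):
                continue
            text = (el.text or "").strip()
            if el.tag != expected:
                findings.append((number, f"expected <{expected}>, found <{el.tag}>"))
            if el.tag == "prompt":
                prompt = text
            else:
                # A reply to a password-style prompt should come from a variable.
                if SECRET_PROMPT.search(prompt) and text and not VAR.search(text):
                    findings.append((number, f"literal reply to '{prompt}' prompt"))
                prompt = ""
            expected = "command" if el.tag == "prompt" else "prompt"
    return findings

# Constructed sample: block 1 mirrors the literal login shown on this page,
# block 2 uses hypothetical deviceUser/devicePassword variables instead.
SAMPLE = """<policy-templates><target interface-class="MXEnterprise"><activation>
<telnet host="deviceIP">
  <prompt>login:</prompt><command>joe</command>
  <prompt>password:</prompt><command>abc123</command>
  <command>configure</command>
</telnet>
<telnet host="deviceIP">
  <prompt>login:</prompt><command>[[[ deviceUser ]]]</command>
  <prompt>password:</prompt><command>[[[ devicePassword ]]]</command>
</telnet>
</activation></target></policy-templates>"""

def demo():
    return lint_telnet(SAMPLE)
```

The findings deliberately omit the command text so that a literal password is not copied into lint output or CI logs.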

    The following example uses some elements to show a policy template that activates application-aware access list (AACL) services and service sets on an MX Series router by loading the configuration in text format using Junos XML management protocol.

     <policy-templates> 
        <target interface-class="MXEnterprise">
          <activation> 
            <junoscript> 
              <rpc>
                <load-configuration action="replace" format="text">
                  <configuration-text>
    services {
        aacl { 
            rule AACL_[[[ interfaceName_ ]]] { 
                match-direction input-output;
              <for-each-rule>
                term [[[ ruleNumber ]]] { 
                    from { 
                        applications junos:[[[ app ]]]; 
                    } 
                    then { 
                <if test="fcl">
                        forwarding-class [[[ fcl ]]]; 
                </if> 
                <if test="action~accept">
                        count application; 
                </if> 
                        [[[ action ]]]; 
                    }
                } 
              </for-each-rule>
            } 
        } 
        service-set SSET_[[[ interfaceName_ ]]] { 
            aacl-rules AACL_[[[ interfaceName_ ]]]; 
            interface-service { 
               service-interface ms-1/[[[ interfaceName~[^.]+-\d+/(\d+/\d+\.\d+) ]]]; 
            } 
        } 
    } 
    interfaces { 
        [[[ interfaceName~([^.]+)\.\d+ ]]] {
            unit [[[ interfaceName~[^.]+\.(\d+) ]]] { 
                family inet { 
                    service { 
                        input { 
                             service-set SSET_[[[ interfaceName_ ]]];
                        }
                        output { 
                             service-set SSET_[[[ interfaceName_ ]]];
                        }
                    }
                } 
            }
        }
    }
                  </configuration-text>
                </load-configuration> 
              </rpc> 
            </junoscript> 
          </activation> 
        </target>
      </policy-templates> 
    

    If the example uses the following dpiRules substitution:

    dpiRules=[{app="rtsp", action="accept", fcl="expedited-forwarding"}, 
                    {app="bittorrent", action="discard"}] 

    The two map expressions in the dpiRules parameter might generate the following target configuration (with two terms) from the policy template example:

    services {
        aacl {
            rule AACL_xe_8_3_0_1001 {
                match-direction input-output;
                term 1 {
                    from {
                        applications junos:rtsp;
                    }
                    then {
                        forwarding-class expedited-forwarding;
                        count application;
                        accept;
                    }
                }
                term 2 {
                    from {
                        applications junos:bittorrent;
                    }
                    then {
                        discard;
                    }
                }
            }
        }
        service-set SSET_xe_8_3_0_1001 {
            aacl-rules AACL_xe_8_3_0_1001;
            interface-service {
                service-interface ms-1/3/0.1001;
            }
        }
    }
    interfaces {
        xe-8/3/0 {
            unit 1001 {
                family inet {
                    service {
                        input {
                            service-set SSET_xe_8_3_0_1001;
                        }
                        output {
                            service-set SSET_xe_8_3_0_1001;
                        }
                    }
                }
            }
        }
    }
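To review what a template will push to a router before it is activated, the expansion rules described on this page (delimited variables, `variable~regex` expressions, `<if test>` and `<for-each-rule>` with `ruleNumber`) can be reproduced offline. The renderer below is an added example, not the script service's own code; it assumes an unanchored regex search whose first capture group is the extracted value, takes `interfaceName_` as a value supplied in the context, and runs on a constructed, cut-down version of the template above.

```python
import re
import xml.etree.ElementTree as ET

VAR = re.compile(r"\[\[\[\s*(.+?)\s*\]\]\]")  # default [[[ variable ]]] delimiters

def lookup(expr, ctx):
    """Resolve 'name' or 'name~regex'; None means unset or regex did not match."""
    name, _, pattern = (expr or "").partition("~")
    value = ctx.get(name.strip())
    if value is None or not pattern:
        return value
    m = re.search(pattern, value)  # assumption: unanchored search, group 1 extracted
    return (m.group(1) if m.groups() else value) if m else None

def expand(text, ctx):
    return VAR.sub(lambda m: lookup(m.group(1), ctx) or "", text or "")

def render(elem, ctx, rules):
    """Expand an element's mixed content, honouring <if> and <for-each-rule>."""
    out = [expand(elem.text, ctx)]
    for child in elem:
        test = child.get("test")
        if child.tag == "for-each-rule":
            for number, rule in enumerate(rules, 1):
                rule_ctx = {**ctx, **rule, "ruleNumber": str(number)}
                if test is None or lookup(test, rule_ctx) is not None:
                    out.append(render(child, rule_ctx, rules))
        elif child.tag == "if" and lookup(test, ctx) is not None:
            out.append(render(child, ctx, rules))
        out.append(expand(child.tail, ctx))
    return "".join(out)

# Constructed input: cut-down <configuration-text> body plus activation context.
TEMPLATE = ET.fromstring(r"""<configuration-text>
rule AACL_[[[ interfaceName_ ]]] {
<for-each-rule>term [[[ ruleNumber ]]] { from { applications junos:[[[ app ]]]; } then {
<if test="fcl"> forwarding-class [[[ fcl ]]];</if><if test="action~accept"> count application;</if>
 [[[ action ]]]; } }
</for-each-rule>}
service-interface ms-1/[[[ interfaceName~[^.]+-\d+/(\d+/\d+\.\d+) ]]];
interfaces { [[[ interfaceName~([^.]+)\.\d+ ]]] { unit [[[ interfaceName~[^.]+\.(\d+) ]]] { } } }
</configuration-text>""")
CTX = {"interfaceName": "xe-8/3/0.1001", "interfaceName_": "xe_8_3_0_1001"}
RULES = [{"app": "rtsp", "action": "accept", "fcl": "expedited-forwarding"},
         {"app": "bittorrent", "action": "discard"}]

def demo():
    return " ".join(render(TEMPLATE, CTX, RULES).split())
```

Calling `demo()` returns the expanded text with whitespace collapsed, which can be diffed against the configuration expected on the device.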
     


    Modified: 2016-12-29