
Classify-Traffic Conditions

Topics that discuss classify-traffic conditions include:

Configuring Classify-Traffic Conditions (SRC CLI)

You create classify-traffic conditions in JunosE policy rules, in Junos OS ASP and Junos OS filter policy rules, and in PCMM policy rules.

The available configuration statements change depending on the type of policy rule that holds the condition and on the type of protocol that you specify.

To configure a classify-traffic condition, do the following:

  1. Create a classify-traffic condition.

  2. Configure source networks. You can configure source networks in one of two formats.

  3. Configure destination networks. You can configure destination networks in one of two formats.

  4. Configure protocol conditions. The type of protocol condition that you use depends on your configuration.

  5. For Junos OS filter policies, configure a Junos OS filter condition. See:

    Configuring Junos OS Filter Conditions (SRC CLI)

  6. For JunosE parent-group reference policies, configure a JunosE filter condition. See:

    Configuring JunosE Parent-Group References (SRC CLI)

  7. For JunosE secondary input policies, configure a traffic match condition for the packet flow. See:

    Configuring JunosE Secondary Input Policy Conditions (SRC CLI)

  8. For the stateful firewall and NAT policies, configure an application protocol condition. See:

    Configuring Application Protocol Conditions (SRC CLI)

Note

PCMM classifiers support only the following match fields:

  • Source and destination IP addresses

  • Network protocol

  • Source or destination port

  • Type-of-service (ToS) byte and ToS mask

The policy engine ignores all other values, so a PCMM classify-traffic condition that also sets, for example, TCP flags or a packet length matches as if those options were absent. Put only the fields listed above in conditions intended for PCMM networks.

Before You Configure Classify-Traffic Conditions

If you are configuring classifiers for policies:

  • For PCMM policies, you can specify that the classifier will be used in a PCMM IO2 or IO3 network. By default, the software translates classify-traffic conditions into PCMM IO2 classifiers.

  • For JunosE policies, you can specify that the SAE expand the classifier into multiple classifiers before it installs the policy on the router.

Enabling Expansion of JunosE Classify-Traffic Conditions (SRC CLI)

For information about expanded classifiers, see Policy Information Model.

Use the following configuration statement to enable or disable the expansion of JunosE classifiers.

To enable or disable the expansion of JunosE classifiers:

  1. From configuration mode, access the configuration statement that configures policy management properties on the SAE.

  2. Specify whether or not the SAE expands the JunosE classify-traffic conditions into multiple classifiers before it installs the policy on the router.

Specifying the PCMM Classifier Type (SRC CLI)

Use the following configuration statement to specify which version of the PCMM classifiers you are using:

To specify whether or not the SAE sends classifiers to the router that comply with PCMM IO3:

  1. From configuration mode, access the configuration statement that configures the PCMM driver.

  2. Enable or disable the SAE to send classifiers to the router that comply with PCMM IO3. Disable this option if your network deployment has CMTS devices that do not support PCMM IO3.

Specifying Port Access for Traffic Classification (SRC CLI)

In the SRC software, the way that you specify a range of port numbers greater than or less than a specific value in a traffic classifier is different from the way you define a range in the configuration on routers running JunosE Software.

In the SRC CLI, you specify ranges with the port-operation option (eq or neq) and the from-port option (a range written as low..high) in command statements.

To specify a range of port numbers greater than or less than a specified value, you can:

  • Define the full set of port numbers in the range to be allowed (port-operation eq).

  • Define the full set of port numbers in the range not allowed (port-operation neq).

With neq, every port outside the excluded range is allowed, so the excluded range must include the boundary value itself. The examples below use 10 as the boundary.

To configure port numbers greater than a defined value by specifying which values are allowed:

  1. For the port-operation option, enter eq.

  2. For the from-port option, enter the range of ports allowed.

    For example, to specify access to all port numbers greater than 10, specify 11..65535.

To configure port numbers greater than a defined value by specifying which values are not allowed:

  1. For the port-operation option, enter neq.

  2. For the from-port option, enter the range of ports not allowed, including the boundary value.

    For example, to specify access to all port numbers greater than 10, specify 1..10. Specifying 1..9 would also allow port 10 itself.

To configure port numbers less than a defined value by specifying which values are allowed:

  1. For the port-operation option, enter eq.

  2. For the from-port option, enter the range of ports allowed.

    For example, to specify access to all port numbers less than 10, specify 1..9.

To configure port numbers less than a defined value by specifying which values are not allowed:

  1. For the port-operation option, enter neq.

  2. For the from-port option, enter the range of ports not allowed, including the boundary value.

    For example, to specify access to all port numbers less than 10, specify 10..65535. Specifying 11..65535 would also allow port 10 itself.

After you commit the policy, check the filter that the SAE installed on the router to confirm that the boundary port is handled as you intend.
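The eq/neq semantics above, as an added Python example that is not part of the SRC software or of this page. It evaluates a port against a port-operation and from-port range, enumerates every port a condition admits, and produces both encodings of "greater than N" and "less than N" so the two can be compared. It assumes that port 0 is the lowest port number (the page's examples start at 1, and whether the router accepts port 0 is not stated here); the function names are this example's own.

```python
"""Port-operation semantics for SRC traffic classifiers.

Added example, not SRC code: the option names port-operation and
from-port come from the page; everything else here is this example's own.
"""
from __future__ import annotations

PORT_MIN, PORT_MAX = 0, 65535  # assumption: port 0 is the lowest port number


def parse_range(spec: str) -> tuple[int, int]:
    """Parse the page's low..high notation into an inclusive (low, high) pair."""
    low_s, high_s = spec.split("..")
    low, high = int(low_s), int(high_s)
    if not (PORT_MIN <= low <= high <= PORT_MAX):
        raise ValueError(f"bad port range {spec!r}")
    return low, high


def port_matches(port: int, port_operation: str, from_port: str) -> bool:
    """True if `port` satisfies the condition (eq: inside range, neq: outside)."""
    low, high = parse_range(from_port)
    in_range = low <= port <= high
    if port_operation == "eq":
        return in_range
    if port_operation == "neq":
        return not in_range
    raise ValueError(f"unknown port-operation {port_operation!r}")


def admitted_ports(port_operation: str, from_port: str) -> set[int]:
    """Every port the condition admits, by brute force over the whole port space."""
    return {p for p in range(PORT_MIN, PORT_MAX + 1)
            if port_matches(p, port_operation, from_port)}


def greater_than(n: int) -> dict[str, tuple[str, str]]:
    """Both encodings of 'port > n': allow n+1..65535, or exclude 0..n."""
    return {"eq": ("eq", f"{n + 1}..{PORT_MAX}"),
            "neq": ("neq", f"{PORT_MIN}..{n}")}


def less_than(n: int) -> dict[str, tuple[str, str]]:
    """Both encodings of 'port < n': allow 0..n-1, or exclude n..65535."""
    return {"eq": ("eq", f"{PORT_MIN}..{n - 1}"),
            "neq": ("neq", f"{n}..{PORT_MAX}")}


if __name__ == "__main__":
    # The two encodings of "greater than 10" admit exactly the same ports.
    gt = greater_than(10)
    assert admitted_ports(*gt["eq"]) == admitted_ports(*gt["neq"])
    # The boundary pitfall: excluding only 1..9 also lets port 10 (and 0) through.
    leaked = admitted_ports("neq", "1..9") - admitted_ports(*gt["eq"])
    print("ports wrongly admitted by neq 1..9:", sorted(leaked))  # [0, 10]
```

Running the block prints the ports that a neq range stopping one short of the boundary lets through; the same check is what you want against the filter the router actually installs.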

Creating a Classify-Traffic Condition (SRC CLI)

You create classify-traffic conditions within policy rules. Use the following configuration statements to create a classify-traffic condition:

To add a classify-traffic condition:

  1. From configuration mode, create a classify-traffic condition inside a policy rule that has already been created and configured. For example, to create a traffic-condition called ctc within policy rule nat:

  2. (Optional) Specify the direction of the packet flow on which you want to match packets.

  3. (Optional) For Junos OS policies, specify the precedence of this term within its policy relative to the other terms. Terms with lower precedence values are evaluated first. Precedence matters only among policies of the same class (dynamic or static). Terms with the same precedence are evaluated in a nondeterministic order, so do not rely on ordering between them.

    Where term-precedence is a value from 1 through 254.

  4. (Optional) For Junos OS policies, specify the list of applications to match this policy.

  5. (Optional) Provide a description of the classify-traffic condition.

  6. (Optional) Verify your classify-traffic condition configuration.

Configuring Source Networks (SRC CLI)

Use the following configuration statements to add source networks to a classify-traffic condition:

To add a source network to a classify-traffic condition:

  1. From configuration mode, enter the source network within a classify-traffic condition. For example:

  2. (Optional) Configure the IP address of the source network or host.

  3. (Optional) Configure the IP mask of the source network or host.

  4. (Optional) Specify whether the software matches packets with an IP address that is equal or not equal to the specified address and mask.

  5. (Optional) Verify your source network configuration.

Configuring Source Grouped Networks (SRC CLI)

You can configure source networks in grouped format. For Junos OS ASP and JunosE IPv6 policy rules, you must enter source networks in grouped format.

Use the following configuration statement to add source networks in a grouped format to a classify-traffic condition:

To add a grouped source network to a classify-traffic condition:

  1. From configuration mode, enter the source network within a classify-traffic condition. For example:

  2. (Optional) Configure the IP address of the source network or host.

    For Junos OS ASP policy rules, you must enter networks in the format <ip address>/<prefix length>. The <ip address>/<mask> format is rejected by the router.

    For JunosE IPv6 policy rules, you must enter networks in the format <ipv6 address>/<prefix length>.

  3. (Optional) Verify your source network configuration.

Configuring Destination Networks (SRC CLI)

Use the following configuration statements to add destination networks to a classify-traffic condition:

To add a destination network to a classify-traffic condition:

  1. From configuration mode, enter the destination network within a classify-traffic condition. For example:

  2. (Optional) Configure the IP address of the destination network or host.

  3. (Optional) Configure the IP mask of the destination network or host.

  4. (Optional) Specify whether the software matches packets with an IP address that is equal or not equal to the specified address and mask.

  5. (Optional) Verify your destination network configuration.

Configuring Destination Grouped Networks (SRC CLI)

You can configure destination networks in grouped format. For Junos OS ASP and JunosE IPv6 policy rules, you must enter destination networks in grouped format.

Use the following configuration statements to add destination networks in a grouped format to a classify-traffic condition:

To add a grouped destination network to a classify-traffic condition:

  1. From configuration mode, enter the destination network within a classify-traffic condition. For example:

  2. (Optional) Configure the IP address of the destination network or host.

    For Junos OS ASP policy rules, you must enter networks in the format <ip address>/<prefix length>.

    For JunosE IPv6 policy rules, you must enter networks in the format <ipv6 address>/<prefix length>.

  3. (Optional) Verify your destination network configuration.
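The two network formats described above (separate ip-address and ip-mask values with an eq/neq operation, and the grouped address/prefix-length form), as an added Python example that is not part of the SRC software or of this page. It serves the source and destination procedures alike, since both take the same inputs: it matches a packet address against a condition, and it converts the address-plus-mask form into the grouped form that Junos OS ASP and JunosE IPv6 rules require, refusing masks that no prefix length can express. The class and method names are this example's own, and treating an address-family mismatch as a non-match is an assumption.

```python
"""Source/destination network conditions for a classify-traffic condition.

Added example, not SRC code. Class, field and method names are this example's own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _prefix_length(mask: int, width: int) -> int | None:
    """Prefix length if `mask` is a left-aligned run of ones, else None."""
    ones = bin(mask).count("1")
    contiguous = ((1 << ones) - 1) << (width - ones)
    return ones if mask == contiguous else None


@dataclass(frozen=True)
class NetworkCondition:
    address: IPAddress
    mask: int              # mask as an integer of the same width as the address
    operation: str = "eq"  # eq: match inside the network, neq: match outside

    @classmethod
    def from_address_mask(cls, address: str, mask: str, operation: str = "eq") -> "NetworkCondition":
        """The ip-address / ip-mask form, e.g. 10.1.2.0 with 255.255.255.0."""
        addr, m = ipaddress.ip_address(address), ipaddress.ip_address(mask)
        if addr.version != m.version:
            raise ValueError("address and mask must be the same IP version")
        return cls(addr, int(m), operation)

    @classmethod
    def from_grouped(cls, spec: str, operation: str = "eq") -> "NetworkCondition":
        """The grouped <address>/<prefix-length> form, e.g. 2001:db8::/32."""
        address, plen_s = spec.split("/")
        addr = ipaddress.ip_address(address)
        plen, width = int(plen_s), addr.max_prefixlen
        if not 0 <= plen <= width:
            raise ValueError(f"prefix length {plen} out of range for {addr}")
        return cls(addr, ((1 << plen) - 1) << (width - plen), operation)

    def matches(self, packet_address: str) -> bool:
        """Apply the condition to a packet's source or destination address."""
        pkt = ipaddress.ip_address(packet_address)
        if pkt.version != self.address.version:
            return False  # assumption: an IPv4 condition says nothing about IPv6 traffic
        inside = (int(pkt) & self.mask) == (int(self.address) & self.mask)
        if self.operation == "eq":
            return inside
        if self.operation == "neq":
            return not inside
        raise ValueError(f"unknown operation {self.operation!r}")

    def grouped(self) -> str:
        """Rewrite as <address>/<prefix-length>, the only form Junos OS ASP and
        JunosE IPv6 rules accept; host bits are cleared. A non-contiguous mask
        has no prefix-length equivalent and is rejected."""
        plen = _prefix_length(self.mask, self.address.max_prefixlen)
        if plen is None:
            raise ValueError(f"mask {self.mask:#x} is not contiguous; no prefix-length form")
        network = type(self.address)(int(self.address) & self.mask)
        return f"{network}/{plen}"
```

The version check in `matches` is worth keeping in mind when a policy list mixes IPv4 and IPv6 rules: a neq condition on an IPv4 network does not, in this model, admit IPv6 packets.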

Configuring Protocol Conditions (SRC CLI)

The procedure in this section shows how to configure general protocol conditions.

Use the following configuration statements to add general protocol conditions to a classify-traffic condition:

To add general protocol conditions to a classify-traffic condition:

  1. From configuration mode, enter the general protocol condition configuration. For example:

  2. Configure the protocol matched by this classify-traffic condition.

  3. Configure the policy to match packets with the protocol that is either equal or not equal to the specified protocol.

  4. (Optional) Configure the value of the IP flags field in the IP header.

  5. (Optional) Configure the mask that is associated with the IP flag.

  6. (Optional) Configure the value of the fragment offset field.

  7. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

  8. (Optional) Verify your protocol condition configuration.

Configuring Protocol Conditions with Ports (SRC CLI)

Use the following configuration statements to add general protocol conditions with ports to a classify-traffic condition:

To add general protocol conditions with ports to a classify-traffic condition:

  1. From configuration mode, enter the protocol port condition configuration. For example:

  2. Configure the protocol matched by this classify-traffic condition.

  3. Configure the policy to match packets with the protocol that is either equal or not equal to the specified protocol.

  4. (Optional) Configure the value of the IP flags field in the IP header.

  5. (Optional) Configure the mask that is associated with the IP flag.

  6. (Optional) Configure the value of the fragment offset field.

  7. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

  8. (Optional) Enter the destination port configuration for the protocol port configuration.

  9. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

  10. (Optional) Configure the destination port.

  11. (Optional) Enter the source port configuration for the protocol port configuration.

  12. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

  13. (Optional) Configure the source port.

  14. (Optional) Verify your protocol condition configuration.

Configuring Protocol Conditions with Parameters (SRC CLI)

Use the following configuration statements to configure classify-traffic conditions that contain a parameter value for the protocol:

To configure a protocol condition that contains a parameter value for the protocol:

  1. From configuration mode, enter the parameter protocol condition configuration. For example:

  2. Assign a parameter as the protocol matched by this classify-traffic condition.

    Before you assign a parameter, you must create a parameter of type protocol and commit the parameter configuration.

  3. (Optional) Configure the policy to match packets with the protocol that is either equal or not equal to the specified protocol.

  4. (Optional) Configure the value of the TCP flags field in the TCP header.

  5. (Optional) Configure the mask associated with TCP flags.

  6. (Optional) Specify the authentication header (AH) or the encapsulating security payload (ESP) security parameter index (SPI).

  7. (Optional) Configure the value of the IP flags field in the IP header.

  8. (Optional) Configure the mask that is associated with the IP flag.

  9. (Optional) Configure the value of the fragment offset field.

  10. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

  11. (Optional) Enter the protocol attribute configuration.

  12. (Optional) Configure the ICMP packet type.

  13. (Optional) Configure the ICMP code.

  14. (Optional) Configure the IGMP packet type on which to match.

  15. (Optional) Enter the destination port configuration.

  16. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

  17. (Optional) Configure the TCP or UDP destination port.

  18. (Optional) Enter the source port configuration.

  19. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

  20. (Optional) Configure the TCP or UDP source port.

  21. (Optional) Verify the parameter protocol configuration.

Configuring TCP Conditions (SRC CLI)

Use the following configuration statements to add TCP conditions to a classify-traffic condition:

Because the protocol is already set to TCP, do not change the protocol or protocol-operation options.

To add TCP conditions to a classify-traffic condition:

  1. From configuration mode, enter the TCP configuration. For example:

  2. (Optional) Configure the value of the TCP flags field in the TCP header.

  3. (Optional) Configure the mask associated with TCP flags.

  4. (Optional) Configure the value of the IP flags field in the IP header.

  5. (Optional) Configure the mask that is associated with the IP flag.

  6. (Optional) Configure the value of the fragment offset field.

  7. (Optional) For Junos OS filter policies, configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

  8. (Optional) Enter the destination port configuration for the TCP configuration.

  9. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

  10. (Optional) Configure the destination port.

  11. (Optional) Enter the source port configuration for the TCP configuration.

  12. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

  13. (Optional) Configure the source port.

  14. (Optional) Verify the TCP condition configuration.

Configuring ICMP Conditions (SRC CLI)

Use the following configuration statements to add ICMP conditions to a classify-traffic condition:

Because the protocol is already set to ICMP, do not change the protocol or protocol-operation options.

To add ICMP conditions to a classify-traffic condition:

  1. From configuration mode, enter the ICMP configuration. For example:

  2. (Optional) Configure the value of the IP flags field in the IP header.

  3. (Optional) Configure the mask that is associated with the IP flag.

  4. (Optional) Configure the value of the fragment offset field.

  5. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

  6. (Optional) Configure the ICMP packet type on which to match. The packet type must be supported by the router or CMTS device.

  7. (Optional) Configure the ICMP code on which to match. The ICMP code must be supported by the router or CMTS device.

  8. (Optional) Verify the ICMP condition configuration.

Configuring IGMP Conditions (SRC CLI)

Use the following configuration statements to add IGMP conditions to a classify-traffic condition:

Because the protocol is already set to IGMP, do not change the protocol or protocol-operation options.

To add IGMP conditions to a classify-traffic condition:

  1. From configuration mode, enter the IGMP configuration. For example:

  2. (Optional) Configure the value of the IP flags field in the IP header.

  3. (Optional) Configure the mask that is associated with the IP flag.

  4. (Optional) Configure the value of the fragment offset field.

  5. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

  6. (Optional) Configure the IGMP packet type on which to match.

  7. (Optional) Verify the IGMP condition configuration.

Configuring IPSec Conditions (SRC CLI)

You can configure IPSec conditions for Junos OS policy rules. Use the following configuration statements to add IPSec conditions to a classify-traffic condition:

To add IPSec conditions to a classify-traffic condition:

  1. From configuration mode, enter the IPSec configuration. For example:

  2. (Optional) Specify the authentication header (AH) or the encapsulating security payload (ESP) security parameter index (SPI).

  3. (Optional) Configure the value of the IP flags field in the IP header.

  4. (Optional) Configure the mask that is associated with the IP flag.

  5. (Optional) Configure the value of the fragment offset field.

  6. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

  7. Configure the protocol matched by this classify-traffic condition.

  8. (Optional) Verify the IPSec condition configuration.

Configuring ToS Byte Conditions (SRC CLI)

Use this condition to classify a traffic flow to the service's network by the value of the type-of-service (ToS) byte in the IP packet header.

The CoS feature on routers running Junos OS supports DiffServ as well as IP precedence settings carried in the ToS byte of the IP header. DiffServ uses the six most significant bits of this byte as the Differentiated Services code point (DSCP), and the CoS feature uses the DSCP to determine the forwarding class associated with each packet. IP precedence is the three most significant bits of the same byte. The ToS byte value and the ToS byte mask together determine which bits of the byte a condition compares, so a mask that covers only the DSCP or precedence bits leaves the remaining bits out of the match.

Use the following configuration statements to add ToS conditions to a classify-traffic condition:

To add ToS conditions to a classify-traffic condition:

  1. From configuration mode, enter the ToS configuration. For example:

  2. (Optional) Configure the value of the ToS byte in the IP packet header.

  3. (Optional) Configure the mask associated with the ToS byte.

  4. (Optional) Verify the ToS condition configuration.
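Value-and-mask matching, as used by the TCP flags and TCP flags mask options in the TCP condition earlier on this page and by the ToS byte and ToS byte mask options here, as an added Python example that is not part of the SRC software or of this page. It implements the masked comparison, derives DSCP and IP precedence from a ToS byte, and builds value/mask pairs for a DSCP match that ignores the two ECN bits and for a SYN-without-ACK match. The function names and the DSCP_EF constant are this example's own.

```python
"""Value/mask matching for the TCP flags and ToS byte conditions.

Added example, not SRC code. Function and constant names are this example's own.
"""
from __future__ import annotations

# TCP flag bits in the low byte of the TCP header's flags field.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

DSCP_MASK = 0xFC        # six most significant bits of the ToS byte
PRECEDENCE_MASK = 0xE0  # three most significant bits
ECN_MASK = 0x03         # two least significant bits, not part of the DSCP
DSCP_EF = 46            # Expedited Forwarding codepoint


def value_mask_match(field: int, value: int, mask: int) -> bool:
    """True when the bits selected by `mask` in `field` equal those in `value`."""
    return (field & mask) == (value & mask)


def dscp(tos_byte: int) -> int:
    """DSCP carried in a ToS byte."""
    return (tos_byte & DSCP_MASK) >> 2


def ip_precedence(tos_byte: int) -> int:
    """IP precedence carried in a ToS byte."""
    return (tos_byte & PRECEDENCE_MASK) >> 5


def classify_tos(tos_byte: int) -> dict:
    """Break a ToS byte into the fields a condition can target."""
    return {"dscp": dscp(tos_byte),
            "precedence": ip_precedence(tos_byte),
            "ecn": tos_byte & ECN_MASK}


def dscp_condition(codepoint: int) -> tuple[int, int]:
    """tos-byte / tos-byte-mask pair matching one DSCP whatever the ECN bits are."""
    if not 0 <= codepoint <= 63:
        raise ValueError("DSCP is a six-bit value")
    return codepoint << 2, DSCP_MASK


def precedence_condition(precedence: int) -> tuple[int, int]:
    """tos-byte / tos-byte-mask pair matching one IP precedence value."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is a three-bit value")
    return precedence << 5, PRECEDENCE_MASK


def syn_only_condition() -> tuple[int, int]:
    """tcp-flags / tcp-flags-mask pair for connection attempts: SYN set, ACK clear.

    The mask covers both bits, so SYN+ACK replies do not match; a mask of
    just TCP_SYN would match them too.
    """
    return TCP_SYN, TCP_SYN | TCP_ACK
```

The ECN case is the one that usually bites: a ToS byte of 0xB8 with a full 0xFF mask matches EF only while the ECN bits are zero, whereas the 0xFC mask returned by `dscp_condition` matches EF traffic regardless of ECN marking.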

Configuring Junos OS Filter Conditions (SRC CLI)

Use the following configuration statements to configure Junos OS filter conditions.

To add Junos OS filter conditions to a classify-traffic condition:

  1. From configuration mode, enter the Junos OS filter condition configuration. For example:

  2. (Optional) Configure the name of a forwarding class to match.

  3. (Optional) Configure the condition to match packets based on the interface group on which the packet was received.

  4. (Optional) Configure the condition to match packets based on source class. A source class is a set of source prefixes grouped together and given a class name. You usually match source and destination classes for output firewall filters.

    You cannot match on both source class and destination class at the same time. You must choose one or the other.

  5. (Optional) Configure the condition to match packets based on destination class. A destination class is a set of destination prefixes grouped together and given a class name. You usually match source and destination classes for output firewall filters.

    You cannot match on both source class and destination class at the same time. You must choose one or the other.

  6. (Optional) Configure the condition to match packets based on IP options.

  7. (Optional) Verify the Junos OS filter condition configuration.

Configuring JunosE Parent-Group References (SRC CLI)

For JunosE policies, you can apply filter conditions to the input (ingress) and output (egress) side of the router interface. Typically, you use filter conditions with hierarchical rate-limit actions.

Use the following configuration statements to configure match conditions for a JunosE filter:

To add JunosE filter conditions to a classify-traffic condition:

  1. From configuration mode, create a classify-traffic condition. For example, to create a traffic-condition called tcpg within policy rule pr:

  2. (Optional) Configure the condition to match one match condition.

  3. (Optional) Configure the condition to match one or more parent groups in a hierarchical rate-limit action.

  4. (Optional) Configure the condition to match an external parent group. For example, to add a reference called epg1-ref:

    • Specify the name of the external parent group you want to reference. For example, to reference the external parent group epg1:

    • Specify the name of the hierarchical policy parameter you want to reference. For example, to reference the hierarchical policy parameter hpp1:

    • Specify the attributes of the hierarchical policy parameter you are referencing.

      For information about configuring the attributes of the hierarchical policy parameter, see Configuring Hierarchical Policy Parameters for External Parent Groups (SRC CLI).

  5. (Optional) Configure the condition to match packets based on the source route class.

  6. (Optional) Configure the condition to match packets based on the destination route class.

  7. (Optional) Configure the condition to match packets based on the traffic class.

  8. (Optional) Configure the condition to match packets based on the packet color.

  9. (Optional) Configure the condition to match packets based on the user packet class action number.

  10. (Optional) Configure the condition to match packets based on packets destined for a local interface.

  11. (Optional) Verify the JunosE filter condition configuration.

Configuring JunosE Secondary Input Policy Conditions (SRC CLI)

For JunosE policies, you can apply secondary input policies to the input (ingress) side of the router interface. Secondary input policies evaluate conditions after a route lookup.

Use the following configuration statements to configure match conditions for JunosE secondary input policies:

To add conditions for JunosE secondary input policies to a classify-traffic condition:

  1. From configuration mode, create a classify-traffic condition inside a policy rule that has already been created and configured for a policy list whose type is junose-ipv4 or junose-ipv6 and applicability is secondary-input. For example, to create a traffic-condition called rtcl within policy rule clacl:

  2. (Optional) Configure the condition to match packets based on the source route class.

  3. (Optional) Configure the condition to match packets based on the destination route class.

  4. (Optional) Configure the condition to match packets based on the traffic class.

  5. (Optional) Configure the condition to match packets based on the packet color.

  6. (Optional) Configure the condition to match packets based on the user packet class action number.

  7. (Optional) Configure the condition to match packets based on packets destined for a local interface.

  8. (Optional) Verify the secondary input policy configuration.

Configuring Application Protocol Conditions (SRC CLI)

You can define application protocols for the stateful firewall and NAT services to use in match condition rules. An application protocol defines application parameters by using information from network layer 3 and above. Examples of such applications are FTP and H.323.

Use the following configuration statements to add application protocol conditions to a classify-traffic condition:

To add application protocol conditions to a classify-traffic condition:

  1. From configuration mode, enter the application protocol configuration. In this procedure, apc is the name of the application protocol condition. For example:

  2. (Optional) Configure the network protocol to match.

  3. (Optional) Configure the application protocol to match.

  4. (Optional) Configure the inactivity timeout: the length of time the application's session can remain idle before its state times out.

  5. (Optional) For the DCE RPC application protocol, configure the universal unique identifier (UUID).

  6. (Optional) For the remote procedure call (RPC) application protocol, configure an RPC program number.

  7. (Optional) Configure the SNMP command for packet matching.

  8. (Optional) For the traceroute application protocol, configure the traceroute time-to-live (TTL) threshold value. This value sets the acceptable level of network penetration for trace routing.

  9. (Optional) Enter configuration mode for the protocol attribute.

  10. (Optional) For the ICMP protocol, configure the ICMP packet type.

  11. (Optional) For the ICMP protocol, configure the ICMP code.

  12. (Optional) Enter the destination port configuration.

  13. (Optional) Configure the TCP or UDP destination port.

  14. (Optional) Enter the source port configuration.

  15. (Optional) Configure the TCP or UDP source port.

  16. (Optional) Verify the application protocol condition configuration.