Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Policy Information Model

 

Policies are made up of conditions and actions that cause the router to handle packets in a certain way.

  • Condition—Defines values or fields that a packet must contain before an action is triggered; for example, packet direction, network protocol, source and destination ports, application protocol, source and destination networks, packet length, forwarding class, source and destination class

  • Action—Specifies the action that the router takes on packets that match the condition; for example, filter (drop), forward, send to next interface, apply rate and burst size limits, assign a forwarding class

Here are two examples of policies with conditions and actions:

  • A stateful firewall:

    • Condition—Matches input packets to a specific destination network

    • Action—Forwards matching packets

  • Controlled access policy that defines the sites that a subscriber can view:

    • Condition—Traffic to and from the restricted site

    • Action—Access to the site is stopped if the site has a restricted rating

The SRC policy information model is designed to consolidate information models from various devices to provide a standard way to configure policies. This way, similar operations on different devices are represented as a single policy action or condition that is translated to device-specific operations. For example, the SRC policy information model provides an action that forwards traffic. This action is translated into actions such as forward, accept, or simple handoff on various routers. For instances in which policy conditions or actions are significantly different, the model provides support for each type of condition or action. For example, because rate-limiting on routers running JunosE Software is significantly different than policing on routers running Junos OS, the SRC software provides a rate-limit action for routers running JunosE Software and policer action for routers running Junos OS.

For routers running JunosE Software, SRC policies are translated at the COPS-PR or COPS-XDR level, and at the router level. For routers running Junos OS, policies are translated at the Junos XML on BEEP level and at the router level.

The SRC policy model also lets you simplify policy configuration for policy conditions that classify traffic. For JunosE and PCMM policies, you can combine different conditions that classify traffic and configure these conditions to use a single action. In addition for JunosE policies, you can create a condition which actually represents a number of classifiers. The SAE expands the classifier to multiple classifiers before installing them on the router. For routers running JunosE Software, you can also configure hierarchical rate limits to provide dynamic bandwidth sharing.

For more information about multiple classifiers and expanded classifiers, see Policy Components.

Policy Objects

The SRC policy model is made up of objects that are organized as shown in Figure 1.

Figure 1: Policy Object Organization
Policy Object Organization

The following is a description of these objects:

  • Policy folders—Used to organize policy groups.

  • Policy groups—Hold policy lists. You associate policy groups with a service or with an interface. The SAE sends the information in a policy group to the router, and the router uses the information to create policies that it attaches to router interfaces.

  • Policy lists—Used to organize policy rules. You can create policy lists for routers running Junos OS, routers running JunosE Software, for AAA devices, or for PCMM devices. Whether you create a Junos OS policy list, a JunosE policy list, or a PCMM policy list determines the types of policy rules that you can add to the policy list.

  • Parent groups—Used to develop hierarchies of rate-limit actions for policies implemented on routers running JunosE Software.

  • Policy rules—Used to organize the conditions and actions that make up the policy rule. Policy rules consist of conditions that you use to match traffic and actions that specify the action to take if traffic matches the condition. In Junos OS terminology, a policy rule is the same as a term.

  • Conditions—Define match conditions or classifiers that a packet or packet flow must contain; for example, packet direction, network protocol, application protocol, source and destination networks, packet length, forwarding class, and source and destination class

  • Actions—Define the action that the router or CMTS device takes on packets that match conditions

Policy Rules

Routers running JunosE Software support IPv4, IPv6, and L2TP access concentrator (LAC) policy rules, PCMM devices support one type of policy rule, and routers running Junos OS support five types of policy rules:

  • Junos Adaptive Services PIC (ASP)

    Supports stateful firewall and Network Address Translation (NAT) services.

  • Junos OS scheduler

    Supports transmission scheduling and rate control parameters on interfaces that support the per-unit scheduler. Schedulers define the priority, bandwidth, delay buffer size, rate control status, and RED drop profiles to be applied to a particular class of traffic.

  • Junos OS shaping

    Supports setting a shaping rate on PICS that support shaping rate and on interfaces that support the per-unit scheduler.

  • Junos OS filter

    Supports Junos OS firewall filters.

  • Junos OS policer

    Supports policing, or rate limiting, by enabling you to limit the amount of traffic that passes into or out of an interface. It is an essential component of firewall filters that is designed to thwart denial-of-service attacks.

    Policing applies two types of rate limits on the traffic:

    • Bandwidth—Number of bps permitted, on average.

    • Maximum burst size—Maximum size permitted for bursts of data that exceed the bandwidth limit.

Supported Conditions and Actions

The types of conditions and actions that are available for a policy rule depend on the type of rule. Figure 2 shows the types of conditions and actions that are available for Junos OS policy rules. Figure 3 shows the types of conditions and actions that are available for JunosE policy rules. Figure 4 shows the types of conditions and actions that are available for PCMM policy rules.

Figure 2: Junos OS policy Rules with Supported Conditions and Actions
Junos OS policy Rules with Supported
Conditions and Actions
Figure 3: JunosE Policy Rules with Supported Conditions and Actions
JunosE Policy Rules with Supported Conditions
and Actions
Figure 4: PCMM Policy Rules with Supported Conditions and Actions
PCMM Policy Rules with Supported Conditions
and Actions

Policy Conditions

Policy conditions are values or fields that a packet must contain. If a policy rule does not contain a match condition, all packets are considered to match. There are two types of conditions:

  • Classify-traffic condition—Matches can include source and destination addresses or networks; ports, packet types, IP options, TCP flags, network protocol, application protocol

  • QoS condition—Matches the forwarding class of the packet

See also PCMM Classifiers .

Multiple Classifiers

JunosE and PCMM policy rules can contain multiple classify-traffic conditions. Having multiple classifiers in a policy rule gives you more flexibility for defining services and allows you to use fewer policy rules for some applications.

If multiple policy rules have the same action, but different classify conditions, you can combine the policy rules into one policy rule. You can also set up one policy rule that has multiple classifiers, each for a different subnet or range of addresses.

If you want to collect accounting data on internal versus external traffic, you can configure one policy rule with a set of classifiers for internal traffic and one policy rule with a set of classifiers for external traffic.

Rate-Limiting with Multiple Classifiers

Multiple classifiers give you more flexibility for rate-limiting policies. Without multiple classifiers, you can rate-limit only individual traffic flows. With multiple classifiers, you can rate-limit the aggregate of traffic flows from all sources.

The following example uses multiple classifiers to rate-limit traffic to 1 Mbps for traffic going to two different subnets.

Expanded Classifiers

For JunosE policies, you can create classify-traffic conditions that the SAE expands into multiple classifiers before it installs the policy on the router. You can enter a comma-separated list of values in:

  • Source network IP address, mask, and IP operation

  • Destination network IP address, mask, and IP operation

  • Port fields (for port-related protocols)

The software creates a classifier for each possible combination of address and port. The software does not expand classifiers for values that are entered as a range.

You would use this feature in policies that are used in IP multimedia subsystem (IMS) environments. You can also use it to simplify the configuration of JunosE policies.

For example, the following classify-traffic condition has comma-separated lists for IP address, IP mask, and from port:

The sample classify-traffic condition is expanded into four classifiers that have the following combination of source addresses and source ports. Note that JunosE policies use wildcard, not subnet, masks.

Policy Actions

Junos OS policy rules and PCMM policy rules can have multiple actions. JunosE policy rules can have only one action. The types of actions available for a policy rule depend on the type of rule. See Supported Conditions and Actions. The following table is a description of all actions.

Table 1: Policy Actions

Action

Type of Rule

Description

Color

JunosE

Specifies the color attribute that is applied to the packet when it passes through the router.

Color mark

JunosE

Specifies the color-mark value that is applied to the packet when it passes through a rate-limit action.

DOCSIS

PCMM

Explicitly specifies the Data over Cable Service Interface Specifications (DOCSIS) parameters of the DOCSIS service flow. It supports all DOCSIS service flow scheduling types.

Exception application

JunosE

Specifies an exception to the policy rule for traffic that has a specific application, such as a Web server.

Filter

Junos OS filter

JunosE

Discards all packets that match the classify-traffic condition.

FlowSpec

PCMM

Specifies a traffic profile by using a Resource Reservation Protocol (RSVP)-style FlowSpec.

Forward

Junos OS filter

JunosE

Forwards packets that match the classify-traffic condition; forwards packets to a particular interface and/or a next-hop address.

Forwarding class

Junos OS filter

Assigns a forwarding class to packets that match the classify-traffic condition.

GateSpec

PCMM

Specifies the session class ID in the gate. The session class ID provides a way to group gates into different classes with different authorization characteristics.

Loss priority

Junos OS filter

Assigns a packet loss priority to packets that match the classify-traffic condition.

Mark

PCMM

JunosE

Sets the ToS field in the IP header for IPv4 packets, or sets the traffic-class field in the header for IPv6 packets to a specified value.

NAT

Junos OS ASP

Specifies the type of network address translation (source dynamic, destination static), IP address ranges, and a port range to restrict port translation when NAT is configured in dynamic-source mode.

Next hop

Junos OS filter

JunosE

Specifies the IP address of the next hop; used to create a static route on the router; used for captive portal behavior; Junos OS filters support multiple next hops for load balancing.

Next interface

Junos OS filter

JunosE

Defines an output interface and/or a next-hop address for a policy list; used to create a static route on the router; used for captive portal behavior.

Next rule

Junos OS filter

Causes the router to skip to and evaluate the next rule in the policy list.

Policer

Junos OS policer

Junos OS filter

Specifies rate and burst size limits and the action taken if a packet exceeds those limits.

QoS attachment

JunosE

Specifies the QoS profile that is applied to the packet when it passes through the router.

Rate limit

JunosE

Specifies bandwidth attributes (committed, peak, and excess rates and burst sizes) and the action taken relative to the bandwidth (filter, forward, or mark).

Reject

Junos OS filter

Discards the packet and sends an ICMP destination unreachable message to the client; can set the type of ICMP message to send.

Routing instance

Junos OS filter

Also called filter-based forwarding; directs traffic to a routing instance that is configured on the router.

Scheduler

Junos OS scheduler

Specifies transmission-scheduling and rate-control parameters. Schedulers define the priority, bandwidth, delay buffer size, rate-control status, and RED drop profiles to be applied to a particular class of traffic.

Service class name

PCMM

Specifies that traffic is controlled by a service class that is configured on the CMTS device.

Stateful firewall

Junos OS ASP

Specifies whether to filter, forward, or reject a packet. If a packet is rejected, a rejection message is returned.

Traffic class

JunosE

Specifies the traffic-class profile that is applied to the packet when it passes through the router.

Traffic shape

Junos OS shaping

Specifies the maximum rate of traffic transmitted on an interface.

Traffic mirror

Junos OS filter

Mirrors traffic from a destination to a source or from a source to a destination.

User packet class

JunosE

Specifies the user packet class that is applied to the packet when it passes through the router.

Combining Actions

Junos OS policy rules and PCMM policy rules support multiple actions. For example, in PCMM policies, you can combine a mark action with a DOCSIS parameter action, a service schedule action, or a FlowSpec action. In Junos OS policy rules you can combine the forwarding class action, routing instance action, and loss priority action. The result is that packets that match the condition are assigned to a forwarding class, directed to a routing instance on the router, and assigned a packet loss priority.

Only one of the following actions can exist in a policy rule: next-hop action, next-interface action, forward action, filter action, and reject action.

For example, if you add the next-rule action to a policy rule, do not add a next-hop action, next-interface action, forward action, filter action, or reject action to the same policy rule.

Although you can have only one action in a JunosE policy rule, you can set up a policy list to take two corresponding actions on a packet. To do so, you create a JunosE policy list that has more than one policy rule with the same precedence. For example, you might want a policy rule that marks a packet and a policy rule that forwards the packet to the next interface. Or you could have a policy rule that applies a traffic-class action and a policy rule that forwards the packet to the next hop.

Related Documentation