Configuring Policy Rules (C-Web Interface)
You can configure policy rules from the C-Web interface. Topics include:
Policy Management Overview
Policy management enables network service providers to configure services that customize the treatment of individual packet flows received on a subscriber’s interface. The main tool for implementing policy management is a policy list. A policy list is a set of rules, each of which specifies a policy action. A rule is a policy action optionally combined with a classification.
Packets are sorted at ingress or egress into packet flows based on attributes defined in classifier control lists (CLACLs). You can apply policy lists to packets arriving and leaving an interface. You can use policy management on ATM, Frame Relay, generic routing encapsulation (GRE), IP, IPv6, Layer 2 Tunneling Protocol (L2TP), Multiprotocol Label Switching (MPLS), and virtual local area network (VLAN) traffic.
Policy management provides:
Policy routing—Predefines a classified packet flow to a destination port or IP address. The router does not perform a routing table lookup on the packet. This provides superior performance for real-time applications.
Bandwidth management—Rate-limits a classified packet flow at ingress to enforce ingress data rates below the physical line rate of a port. A rate-limit profile with a policy rate-limit profile rule provides this capability. You can construct policies to provide rate limiting for individual packet flows or for the aggregate of multiple packet flows. E-series router rate limits are calculated based on the layer 2 packet size.
To configure rate limiting, you first create a rate-limit profile, which is a set of bandwidth attributes and associated actions. You next create a policy list with a rule that has rate limit as the action and associate a rate-limit profile with this rule.
You can configure rate-limit profiles to provide:
A variety of services, including tiered bandwidth service, where traffic conforming to the configured bandwidth levels is treated differently from traffic that exceeds the configured values, and hard-limit service, where a fixed bandwidth limit is applied to a traffic flow
A TCP-friendly rate-limiting service that works in conjunction with TCP’s native flow-control functionality
(Routers running JunosE Software) Dynamic bandwidth sharing between lower priority traffic and unused preferred bandwidth through rate limit hierarchies
Security—Provides a level of network security by using policy rules that selectively forward or filter packet flows. You can use a filter rule to stop a denial-of-service attack. You can use secure policies to mirror packets and send them to an analyzer.
RADIUS policy support—Enables you to create and attach a policy to an interface through RADIUS.
Packet tagging—Enables the traffic-class rule in policies to tag a packet flow so that the Quality of Service (QoS) application can provide traffic-class queuing. Policies can perform both in-band and out-of-band packet tagging.
Packet forwarding—Allows forwarding of packets in a packet flow.
Packet filtering—Drops packets in a packet flow.
Packet mirroring—Uses secure policies to mirror packets and send them to an analyzer.
Packet logging—Logs packets in a packet flow.
Use the SRC CLI and C-Web interface to configure policies. You configure policy components, or modules, which can be combined to implement a policy. By combining the various policy components, you can deploy a wide variety of services.
Adding a Policy Rule (C-Web Interface)
You create policy rules within policy lists.
To add a policy rule:
In the side pane, select a policy list that has already been created and configured.
From the Create new list, select Rule. Type a name for the new rule, and click OK.
Enter information as described in the Help text in the main pane, and click Apply.
Configuring Classify-Traffic Conditions (C-Web Interface)
You create classify-traffic conditions in JunosE policy rules, in Junos OS ASP and Junos OS filter policy rules, and in PCMM policy rules.
The available configuration statements change depending on the type of policy rule that holds the condition and on the type of protocol that you specify.
To configure a classify-traffic condition, do the following:
Create a classify-traffic condition. See:
Configure source networks. You can configure source networks in one of two formats. See:
Configure destination networks. You can configure destination networks in one of two formats. See:
Configure protocol conditions. The type of protocol condition that you use depends on your configuration.
To configure protocol conditions that do not include ports, see:
To configure protocol conditions that include ports, see:
To configure protocol conditions in which the protocol that you specify is a parameter, see:
To configure protocol conditions in which the protocol is TCP, see:
To configure protocol conditions in which the protocol is ICMP, see:
To configure protocol conditions in which the protocol is IGMP, see:
To configure protocol conditions in which the protocol is IPSec, see:
To configure a ToS byte condition, see:
For Junos OS filter policies, configure a Junos OS filter condition. See:
For the stateful firewall and NAT policies, configure an application protocol condition. See:
PCMM classifiers support only the following match criteria:
Source and destination IP addresses
Source or destination port
Type-of-service (ToS) byte and ToS mask
The policy engine ignores all other values.
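As an added illustration (not SRC's own code or configuration), the following Python models a policy list whose rules carry the classify-traffic fields listed above and shows how a PCMM classifier ignores a protocol condition the engine does not support; the field names, first-match rule ordering and sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ClassifyTraffic:
    """A classify-traffic condition: every configured field must match."""
    source_network: Optional[str] = None       # CIDR prefix
    destination_network: Optional[str] = None  # CIDR prefix
    protocol: Optional[int] = None             # IP protocol number, 6 = TCP, 17 = UDP
    destination_port: Optional[int] = None
    tos_byte: Optional[int] = None             # compared after tos_mask is applied
    tos_mask: int = 0xFF

    def matches(self, pkt: dict, pcmm: bool = False) -> bool:
        for net, addr in ((self.source_network, pkt["src"]),
                          (self.destination_network, pkt["dst"])):
            if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        # PCMM classifiers honour only addresses, port and ToS byte/mask; the
        # policy engine ignores other values, so the protocol check is skipped.
        if not pcmm and self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.destination_port is not None and pkt.get("dport") != self.destination_port:
            return False
        if self.tos_byte is not None and \
                (pkt["tos"] & self.tos_mask) != (self.tos_byte & self.tos_mask):
            return False
        return True

@dataclass
class Rule:
    """A policy action, optionally combined with a classification."""
    action: str                                  # "forward", "filter", "rate-limit:<profile>", ...
    condition: Optional[ClassifyTraffic] = None  # None: the rule matches every packet

def apply_policy_list(rules, pkt, pcmm=False):
    """Return the action of the first matching rule (first-match order is an assumption)."""
    for rule in rules:
        if rule.condition is None or rule.condition.matches(pkt, pcmm):
            return rule.action
    return None

# Constructed sample policy list (addresses taken from documentation prefixes).
POLICY_LIST = [
    Rule("filter", ClassifyTraffic(destination_network="192.0.2.0/24", protocol=17, destination_port=53)),
    Rule("traffic-class:expedited", ClassifyTraffic(tos_byte=0xB8, tos_mask=0xFC)),  # DSCP EF, ECN bits masked
    Rule("rate-limit:subscriber-tier", ClassifyTraffic(source_network="10.0.0.0/8", protocol=6)),
    Rule("forward"),  # no classification: default action for everything else
]
```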
Configuring Template Activation (C-Web Interface)
Use this action to activate templates for RADIUS-enabled devices. You can configure template activation actions for AAA policy rules.
To configure template activation:
Configure a policy group, and specify the following configuration values:
In the Rule pane, in the Create new list, select Template Activation.
The Template Activation pane for the policy rule appears.
Enter information as described in the Help text in the main pane, and click Apply.