Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All
     

    Related Documentation

     

    Policy Information Model

    Policies are made up of conditions and actions that cause the router to handle packets in a certain way.

    • Condition—Defines values or fields that a packet must contain before an action is triggered; for example, packet direction, network protocol, source and destination ports, application protocol, source and destination networks, packet length, forwarding class, source and destination class
    • Action—Specifies the action that the router takes on packets that match the condition; for example, filter (drop), forward, send to next interface, apply rate and burst size limits, assign a forwarding class

    Here are two examples of policies with conditions and actions:

    • A stateful firewall:
      • Condition—Matches input packets to a specific destination network
      • Action—Forwards matching packets
    • Controlled access policy that defines the sites that a subscriber can view:
      • Condition—Traffic to and from the restricted site
      • Action—Access to the site is stopped if the site has a restricted rating

    The SRC policy information model is designed to consolidate information models from various devices to provide a standard way to configure policies. This way, similar operations on different devices are represented as a single policy action or condition that is translated to device-specific operations. For example, the SRC policy information model provides an action that forwards traffic. This action is translated into actions such as forward, accept, or simple handoff on various routers. For instances in which policy conditions or actions are significantly different, the model provides support for each type of condition or action. For example, because rate-limiting on routers running JunosE Software is significantly different than policing on routers running Junos OS, the SRC software provides a rate-limit action for routers running JunosE Software and policer action for routers running Junos OS.

    For routers running JunosE Software, SRC policies are translated at the COPS-PR or COPS-XDR level, and at the router level. For routers running Junos OS, policies are translated at the Junos XML on BEEP level and at the router level.

    The SRC policy model also lets you simplify policy configuration for policy conditions that classify traffic. For JunosE and PCMM policies, you can combine different conditions that classify traffic and configure these conditions to use a single action. In addition for JunosE policies, you can create a condition which actually represents a number of classifiers. The SAE expands the classifier to multiple classifiers before installing them on the router. For routers running JunosE Software, you can also configure hierarchical rate limits to provide dynamic bandwidth sharing.

    For more information about multiple classifiers and expanded classifiers, see Policy Components.

    Policy Objects

    The SRC policy model is made up of objects that are organized as shown in Figure 1.

    Figure 1: Policy Object Organization

    Policy Object Organization

    The following is a description of these objects:

    • Policy folders—Used to organize policy groups.
    • Policy groups—Hold policy lists. You associate policy groups with a service or with an interface. The SAE sends the information in a policy group to the router, and the router uses the information to create policies that it attaches to router interfaces.
    • Policy lists—Used to organize policy rules. You can create policy lists for routers running Junos OS, routers running JunosE Software, for AAA devices, or for PCMM devices. Whether you create a Junos OS policy list, a JunosE policy list, or a PCMM policy list determines the types of policy rules that you can add to the policy list.
    • Parent groups—Used to develop hierarchies of rate-limit actions for policies implemented on routers running JunosE Software.
    • Policy rules—Used to organize the conditions and actions that make up the policy rule. Policy rules consist of conditions that you use to match traffic and actions that specify the action to take if traffic matches the condition. In Junos OS terminology, a policy rule is the same as a term.
    • Conditions—Define match conditions or classifiers that a packet or packet flow must contain; for example, packet direction, network protocol, application protocol, source and destination networks, packet length, forwarding class, and source and destination class
    • Actions—Define the action that the router or CMTS device takes on packets that match conditions

    Policy Rules

    Routers running JunosE Software support IPv4, IPv6, and L2TP access concentrator (LAC) policy rules, PCMM devices support one type of policy rule, and routers running Junos OS support five types of policy rules:

    • Junos Adaptive Services PIC (ASP)

      Supports stateful firewall and Network Address Translation (NAT) services.

    • Junos OS scheduler

      Supports transmission scheduling and rate control parameters on interfaces that support the per-unit scheduler. Schedulers define the priority, bandwidth, delay buffer size, rate control status, and RED drop profiles to be applied to a particular class of traffic.

    • Junos OS shaping

      Supports setting a shaping rate on PICS that support shaping rate and on interfaces that support the per-unit scheduler.

    • Junos OS filter

      Supports Junos OS firewall filters.

    • Junos OS policer

      Supports policing, or rate limiting, by enabling you to limit the amount of traffic that passes into or out of an interface. It is an essential component of firewall filters that is designed to thwart denial-of-service attacks.

      Policing applies two types of rate limits on the traffic:

      • Bandwidth—Number of bps permitted, on average.
      • Maximum burst size—Maximum size permitted for bursts of data that exceed the bandwidth limit.

    Supported Conditions and Actions

    The types of conditions and actions that are available for a policy rule depend on the type of rule. Figure 2 shows the types of conditions and actions that are available for Junos OS policy rules. Figure 3 shows the types of conditions and actions that are available for JunosE policy rules. Figure 4 shows the types of conditions and actions that are available for PCMM policy rules.

    Figure 2: Junos OS policy Rules with Supported Conditions and Actions

    Junos OS policy Rules with Supported
Conditions and Actions

    Figure 3: JunosE Policy Rules with Supported Conditions and Actions

    JunosE Policy Rules with Supported Conditions
and Actions

    Figure 4: PCMM Policy Rules with Supported Conditions and Actions

    PCMM Policy Rules with Supported Conditions
and Actions

    Policy Conditions

    Policy conditions are values or fields that a packet must contain. If a policy rule does not contain a match condition, all packets are considered to match. There are two types of conditions:

    • Classify-traffic condition—Matches can include source and destination addresses or networks; ports, packet types, IP options, TCP flags, network protocol, application protocol
    • QoS condition—Matches the forwarding class of the packet

    See also Delivering QoS Services in a Cable Environment.

    Multiple Classifiers

    JunosE and PCMM policy rules can contain multiple classify-traffic conditions. Having multiple classifiers in a policy rule gives you more flexibility for defining services and allows you to use fewer policy rules for some applications.

    If multiple policy rules have the same action, but different classify conditions, you can combine the policy rules into one policy rule. You can also set up one policy rule that has multiple classifiers, each for a different subnet or range of addresses.

    If you want to collect accounting data on internal versus external traffic, you can configure one policy rule with a set of classifiers for internal traffic and one policy rule with a set of classifiers for external traffic.

    Rate-Limiting with Multiple Classifiers

    Multiple classifiers give you more flexibility for rate-limiting policies. Without multiple classifiers, you can rate-limit only individual traffic flows. With multiple classifiers, you can rate-limit the aggregate of traffic flows from all sources.

    The following example uses multiple classifiers to rate-limit traffic to 1 Mbps for traffic going to two different subnets.

    Policy List je-in
    Policy Rule rate-limiter
    ClassifyTrafficCondition CTC1
            SourceNetwork:
              any
            DestinationNetwork:
              ipAddress=172.60.40.0/0.0.0.255
    ClassifyTrafficCondition CTC2
            SourceNetwork:
              any
            DestinationNetwork:
              ipAddress=172.60.20.0/0.0.0.255
    Rate limit action that limits to 1 Mbps
    Policy List je-out
    Policy Rule forward
    ClassifyTrafficCondition
            DestinationNetwork:
              any
            SourceNetwork:
              any
    Forward action

    Expanded Classifiers

    For JunosE policies, you can create classify-traffic conditions that the SAE expands into multiple classifiers before it installs the policy on the router. You can enter a comma-separated list of values in:

    • Source network IP address, mask, and IP operation
    • Destination network IP address, mask, and IP operation
    • Port fields (for port-related protocols)

    The software creates a classifier for each possible combination of address and port. The software does not expand classifiers for values that are entered as a range.

    You would use this feature in policies that are used in IP multimedia subsystem (IMS) environments. You can also use it to simplify the configuration of JunosE policies.

    For example, the following classify-traffic condition has comma-separated lists for IP address, IP mask, and from port:

    [edit policies folder f group g list l rule r traffic-condition tc]
    user@host# show 
    source-network { 
      network { 
        ip-address "[192.1.1.0,192.2.1.1]";
        ip-mask "[255.255.255.0,255.255.255.255]";
        ip-operation "[1,1]";
      }
    }
    
    tcp-condition { 
      protocol tcp;
      protocol-operation 1;
      source-port { 
        port { 
          from-port "[80,8080]";
          port-operation eq;
        }
      }
    }

    The sample classify-traffic condition is expanded into four classifiers that have the following combination of source addresses and source ports. Note that JunosE policies use wildcard, not subnet, masks.

    192.1.1.0/0.0.0.255 eq 80192.1.1.0/0.0.0.255 eq 8080192.2.1.1/0.0.0.0 eq 80 192.2.1.1/0.0.0.0 eq 8080

    Policy Actions

    Junos OS policy rules and PCMM policy rules can have multiple actions. JunosE policy rules can have only one action. The types of actions available for a policy rule depend on the type of rule. See Supported Conditions and Actions. The following table is a description of all actions.

    Table 1: Policy Actions

    Action

    Type of Rule

    Description

    Color

    JunosE

    Specifies the color attribute that is applied to the packet when it passes through the router.

    Color mark

    JunosE

    Specifies the color-mark value that is applied to the packet when it passes through a rate-limit action.

    DOCSIS

    PCMM

    Explicitly specifies the Data over Cable Service Interface Specifications (DOCSIS) parameters of the DOCSIS service flow. It supports all DOCSIS service flow scheduling types.

    Exception application

    JunosE

    Specifies an exception to the policy rule for traffic that has a specific application, such as a Web server.

    Filter

    Junos OS filter

    JunosE

    Discards all packets that match the classify-traffic condition.

    FlowSpec

    PCMM

    Specifies a traffic profile by using a Resource Reservation Protocol (RSVP)-style FlowSpec.

    Forward

    Junos OS filter

    JunosE

    Forwards packets that match the classify-traffic condition; forwards packets to a particular interface and/or a next-hop address.

    Forwarding class

    Junos OS filter

    Assigns a forwarding class to packets that match the classify-traffic condition.

    GateSpec

    PCMM

    Specifies the session class ID in the gate. The session class ID provides a way to group gates into different classes with different authorization characteristics.

    Loss priority

    Junos OS filter

    Assigns a packet loss priority to packets that match the classify-traffic condition.

    Mark

    PCMM

    JunosE

    Sets the ToS field in the IP header for IPv4 packets, or sets the traffic-class field in the header for IPv6 packets to a specified value.

    NAT

    Junos OS ASP

    Specifies the type of network address translation (source dynamic, destination static), IP address ranges, and a port range to restrict port translation when NAT is configured in dynamic-source mode.

    Next hop

    Junos OS filter

    JunosE

    Specifies the IP address of the next hop; used to create a static route on the router; used for captive portal behavior; Junos OS filters support multiple next hops for load balancing.

    Next interface

    Junos OS filter

    JunosE

    Defines an output interface and/or a next-hop address for a policy list; used to create a static route on the router; used for captive portal behavior.

    Next rule

    Junos OS filter

    Causes the router to skip to and evaluate the next rule in the policy list.

    Policer

    Junos OS policer

    Junos OS filter

    Specifies rate and burst size limits and the action taken if a packet exceeds those limits.

    QoS attachment

    JunosE

    Specifies the QoS profile that is applied to the packet when it passes through the router.

    Rate limit

    JunosE

    Specifies bandwidth attributes (committed, peak, and excess rates and burst sizes) and the action taken relative to the bandwidth (filter, forward, or mark).

    Reject

    Junos OS filter

    Discards the packet and sends an ICMP destination unreachable message to the client; can set the type of ICMP message to send.

    Routing instance

    Junos OS filter

    Also called filter-based forwarding; directs traffic to a routing instance that is configured on the router.

    Scheduler

    Junos OS scheduler

    Specifies transmission-scheduling and rate-control parameters. Schedulers define the priority, bandwidth, delay buffer size, rate-control status, and RED drop profiles to be applied to a particular class of traffic.

    Service class name

    PCMM

    Specifies that traffic is controlled by a service class that is configured on the CMTS device.

    Stateful firewall

    Junos OS ASP

    Specifies whether to filter, forward, or reject a packet. If a packet is rejected, a rejection message is returned.

    Traffic class

    JunosE

    Specifies the traffic-class profile that is applied to the packet when it passes through the router.

    Traffic shape

    Junos OS shaping

    Specifies the maximum rate of traffic transmitted on an interface.

    Traffic mirror

    Junos OS filter

    Mirrors traffic from a destination to a source or from a source to a destination.

    User packet class

    JunosE

    Specifies the user packet class that is applied to the packet when it passes through the router.

    Combining Actions

    Junos OS policy rules and PCMM policy rules support multiple actions. For example, in PCMM policies, you can combine a mark action with a DOCSIS parameter action, a service schedule action, or a FlowSpec action. In Junos OS policy rules you can combine the forwarding class action, routing instance action, and loss priority action. The result is that packets that match the condition are assigned to a forwarding class, directed to a routing instance on the router, and assigned a packet loss priority.

    Only one of the following actions can exist in a policy rule: next-hop action, next-interface action, forward action, filter action, and reject action.

    For example, if you add the next-rule action to a policy rule, do not add a next-hop action, next-interface action, forward action, filter action, or reject action to the same policy rule.

    Although you can have only one action in a JunosE policy rule, you can set up a policy list to take two corresponding actions on a packet. To do so, you create a JunosE policy list that has more than one policy rule with the same precedence. For example, you might want a policy rule that marks a packet and a policy rule that forwards the packet to the next interface. Or you could have a policy rule that applies a traffic-class action and a policy rule that forwards the packet to the next hop.

     

    Related Documentation

     

    Published: 2014-06-06