[. . . ] JUNOSe™ Software for E Series™ Broadband Services Routers
Policy Management Configuration Guide
Release 11.1.x
Juniper Networks, Inc.
1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000
www.juniper.net
Published: 2010-04-06
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

[. . . ]

There is a one-to-one correspondence between an internal parent group in the merged policy and an internal parent group in a component policy.
NOTE: The naive parent group merging algorithm is not compatible with this parent group merge algorithm. If you have service definitions that used the naive parent group algorithm, you need to modify those service definitions to work with this algorithm.
Parent Group Merge Algorithm
Chapter 6: Merging Policies
If there is no existing internal parent group with the same name in the merged policy, the system creates a corresponding internal parent group with the same name. If an internal parent group with the same name already exists, the system uses a name built by appending an internally generated sequence number to the name of the internal parent group in the component policy. If the length of the resulting name exceeds the maximum length allowed, the policy merge fails. If a classifier group in a component policy refers to an internal parent group, the same classifier group in the merged policy refers to the corresponding internal parent group in the merged policy. If a classifier group in a component policy refers to an external parent group, the same classifier group in the merged policy refers to the same external parent group. If there is a conflict, where two or more component policies contain the same classifier group referring to an internal parent group in the corresponding component policy or to an external parent group, then the last one is used.
In the following example, component policies P1 and P2 create the merged policy mpl_88000001.
host1#show policy-list P1
                            Policy Table
                            ------ -----
IP Policy P1
   Administrative state: enable
   Reference count:      1
   Classifier control list: *, precedence 100, parent-group Z
      forward
   Classifier control list: A, precedence 100, parent-group X
      forward
   Classifier control list: B, precedence 100, parent-group X
      forward
   Classifier control list: C, precedence 100, external parent-group EPG1 parameter foo
      forward
   Classifier control list: D, precedence 100, external parent-group EPG1 parameter foo
      forward
   Parent group: X, parent-group Z
      rate-limit-profile R1
   Parent group: Z
      rate-limit-profile R2

host1#show policy-list P2
                            Policy Table
                            ------ -----
IP Policy P2
   Administrative state: enable
   Reference count:      1
   Classifier control list: B, precedence 100, parent-group X
      forward
   Classifier control list: C, precedence 100, parent-group Y
      forward
   Classifier control list: D, precedence 100, external parent-group EPG2 parameter abcd
      forward
   Parent group: X, parent-group Y
      rate-limit-profile R3
   Parent group: Y
      rate-limit-profile R4

host1#show policy-list mpl_88000001
                            Policy Table
                            ------ -----
IP Policy mpl_88000001
   Administrative state: enable
   Reference count:      1
   Classifier control list: *, precedence 100, parent-group Z
      forward
   Classifier control list: A, precedence 100, parent-group X
      forward
   Classifier control list: B, precedence 100, parent-group X_1
      forward
   Classifier control list: C, precedence 100, parent-group Y
      forward
   Classifier control list: D, precedence 100, external parent-group EPG2 parameter abcd
      forward
   Parent group: X, parent-group Z
      rate-limit-profile R1
   Parent group: Z
      rate-limit-profile R2
   Parent group: X_1, parent-group P2_Y
      rate-limit-profile R3
   Parent group: Y
      rate-limit-profile R4
   Referenced by interfaces:
      ATM5/0.1 input policy, statistics enabled, virtual-router default
   Referenced by profiles:
      None
   Component policies:
      P1
      P2
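To make the merge rules concrete, the following is an added Python model of the parent group merge algorithm (not Juniper code); it reconstructs P1 and P2 from the show policy-list output above and merges them in order. The maximum name length of 31 and the X_1, X_2 form of the sequence-number suffix are assumptions, since the guide states neither value.

```python
from dataclasses import dataclass, field

MAX_NAME_LEN = 31  # assumed limit: the guide says only that an over-long name fails the merge


@dataclass
class Policy:
    name: str
    # classifier group -> ("internal", group) or ("external", group, parameter)
    clacls: dict = field(default_factory=dict)
    # internal parent group -> (reference to its own parent group or None, rate-limit profile)
    parent_groups: dict = field(default_factory=dict)


def merge_policies(components, merged_name):
    """Merge component policies in order; on a conflicting classifier group the last one wins."""
    merged = Policy(merged_name)
    for comp in components:
        rename = {}  # one-to-one map: this component's internal group -> merged group
        for group in comp.parent_groups:
            new, seq = group, 0
            while new in merged.parent_groups:  # name already taken: append a sequence number
                seq += 1
                new = f"{group}_{seq}"
            if len(new) > MAX_NAME_LEN:
                raise ValueError(f"policy merge failed: {new!r} exceeds {MAX_NAME_LEN} characters")
            rename[group] = new

        def translate(ref):
            # external parent groups are referenced unchanged; internal ones are remapped
            if ref is None or ref[0] == "external":
                return ref
            return ("internal", rename[ref[1]])

        for group, (parent, rlp) in comp.parent_groups.items():
            merged.parent_groups[rename[group]] = (translate(parent), rlp)
        for clacl, ref in comp.clacls.items():
            merged.clacls[clacl] = translate(ref)
    return merged


def guide_example():
    """P1 and P2 as shown in the show policy-list output above, merged into mpl_88000001."""
    p1 = Policy("P1",
                clacls={"*": ("internal", "Z"), "A": ("internal", "X"), "B": ("internal", "X"),
                        "C": ("external", "EPG1", "foo"), "D": ("external", "EPG1", "foo")},
                parent_groups={"X": (("internal", "Z"), "R1"), "Z": (None, "R2")})
    p2 = Policy("P2",
                clacls={"B": ("internal", "X"), "C": ("internal", "Y"), "D": ("external", "EPG2", "abcd")},
                parent_groups={"X": (("internal", "Y"), "R3"), "Y": (None, "R4")})
    return merge_policies([p1, p2], "mpl_88000001")
```

The model reproduces the merged classifier groups (B moves to X_1, C and D take P2's references). The sample output lists the parent of X_1 as P2_Y while the group itself appears as Y; following the naming rule in the text, the model records that reference as Y.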
Overlapping Classification for IP Input Policy
IP auxiliary input policy can be used with IP input policy to provide overlapping classification. Two policies, each with a set of independent rules and actions, run in sequence so that each policy can independently produce a set of actions in sequence. A packet that matches both the input policies and auxiliary input policies is subject to both sets of policy actions. E Series routers allow four input and two output policies per IP interface:
   One secure input policy
   Three nonsecure input policies
   One secure output policy
   One nonsecure output policy
Each classifier-group has a set of associated actions that is taken if it is the highest priority match. The system performs only one set of actions per policy attachment. By using an input and secondary-input policy, you can have overlapping classification with multiple policy actions on ingress. Overlapping classification on egress is not supported. An additional policy attachment point enables overlapping classification within the input classification stage, between the input and secondary-input stages. There are five attachment points for IP policies that are executed in series:
   input
   secondary-input
   secure-input
   output
   secure-output
An explicit filter action, a forward action with a null next-interface, or a rate-limit action can cause an immediate packet discard at any stage. Other actions, such as marking and coloring, can be performed at each stage, with the last of each of these actions taking precedence over the earlier ones. For example, unique policies can be attached at each stage, all of which mark the IP TOS field differently. The packet then exits the router with the TOS value that was set in the output policy stage. However, if TOS is also used as a classification (input) term for each of these policies, three different TOS values are presented to the classifier:
   Original TOS received
   TOS modified by the input policy
   TOS value modified by the secondary-input policy
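The following is an added Python model (not Juniper code) of the five attachment points executed in series, written to show the two behaviours described above: a filter, a forward to a null next-interface or an exceeded rate limit discards the packet at that stage, and a TOS mark set at one stage is what the next stage's classifier sees. The rules, precedence values and the "exceeded" rate-limit marker are constructed for the example.

```python
STAGES = ("input", "secondary-input", "secure-input", "output", "secure-output")


def run_policy_stages(packet, policies):
    """policies maps a stage name to a list of (precedence, match, action) rules.
    Only the highest-priority match (lowest precedence value) in a stage fires.
    Returns (packet as it leaves the router or None, discarding stage or None, trace)."""
    pkt = dict(packet)
    trace = []
    for stage in STAGES:
        rules = sorted(policies.get(stage, []), key=lambda r: r[0])
        hit = next((r for r in rules if r[1](pkt)), None)
        if hit is None:
            continue
        kind, arg = hit[2]
        trace.append((stage, kind, arg))
        # Filter, forward to a null next-interface, or an exceeded rate limit discards the
        # packet immediately; later stages never see it.
        if (kind == "filter" or (kind == "forward" and arg is None)
                or (kind == "rate-limit" and arg == "exceeded")):
            return None, stage, trace
        if kind == "mark-tos":
            pkt["tos"] = arg  # later stages classify on the rewritten TOS value
        elif kind == "color":
            pkt["color"] = arg  # like TOS, the last color set wins
    return pkt, None, trace


def tos_remarking_example(tos_in):
    """Constructed policies: each stage classifies on TOS and remarks it differently."""
    policies = {
        "input": [(100, lambda p: p["tos"] == 0, ("mark-tos", 8)),
                  (200, lambda p: True, ("forward", "next-hop-A"))],
        "secondary-input": [(100, lambda p: p["tos"] == 8, ("mark-tos", 16))],
        "secure-input": [(100, lambda p: p["tos"] == 40, ("filter", None))],
        "output": [(100, lambda p: p["tos"] in (8, 16), ("mark-tos", 24))],
        "secure-output": [(100, lambda p: p.get("color") is None, ("color", "green"))],
    }
    return run_policy_stages({"src": "10.10.3.4", "tos": tos_in}, policies)
```

A packet arriving with TOS 0 is remarked to 8, then 16, and leaves with the output stage's value 24; a packet arriving with TOS 40 is forwarded by the input stage but filtered at secure-input and never reaches output.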
Figure 7 on page 124 shows the input policy stage after the addition of the auxiliary substage.

1. Apply classification for both substages.
2. Perform policy actions (if any) for the primary attachment.
3. Perform policy actions (if any) for the auxiliary attachment.
Figure 7: Input Policy with Primary Stage and Auxiliary Substage
The order of policy action execution for each attachment is:
1. [. . . ]

Chapter 14: Monitoring Packet Mirroring
Monitoring CLI-Based Packet Mirroring

This command displays a maximum of two secure policy attachments and statistics, if configured.

Action

To display the default (normal) format for a specific interface, which is used as the default analyzer interface:

host1#show ip interface atm 5/0.1
ATM5/0.1 line protocol Atm1483 is up, ip is analyzer (default)
  Network Protocols: IP
  Internet address is 10.10.3.4/255.255.255.0
  Broadcast address is 255.255.255.255
  Operational MTU = 0  Administrative MTU = 0
  Operational speed = 100000000  Administrative speed = 0
  Discontinuity Time = 0
  Router advertisement = disabled
  Proxy Arp = disabled
  Administrative debounce-time = disabled
  Operational debounce-time = disabled
  Access routing = disabled
  Multipath mode = hashed
  In Received Packets 0, Bytes 0
    Unicast Packets 0, Bytes 0
    Multicast Packets 0, Bytes 0
  In Policed Packets 0, Bytes 0
  In Error Packets 0
  In Invalid Source Address Packets 0
  In Discarded Packets 0
  Out Forwarded Packets 0, Bytes 0
    Unicast Packets 0, Bytes 0
    Multicast Routed Packets 0, Bytes 0
  Out Scheduler Dropped Packets 0, Bytes 0
  Out Policed Packets 0, Bytes 0
  Out Discarded Packets 0

To display the format for a specific interface, showing secure policy attachments:

host1#show ip interface atm 4/1.1
ATM5/0.1 line protocol Atm1483 is up
  Network Protocols: IP
  Internet address is 10.10.7.14/255.255.255.0
  Broadcast address is 255.255.255.255
  Operational MTU = 0  Administrative MTU = 0
  Operational speed = 100000000  Administrative speed = 0
  Discontinuity Time = 0
  Router advertisement = disabled
  Proxy Arp = disabled
  Administrative debounce-time = disabled
  Operational debounce-time = disabled
  Access routing = disabled
  Multipath mode = hashed
  In Received Packets 0, Bytes 0
    Unicast Packets 0, Bytes 0
    Multicast Packets 0, Bytes 0
  In Policed Packets 0, Bytes 0
  In Error Packets 0
  In Invalid Source Address Packets 0
  In Discarded Packets 0
  Out Forwarded Packets 0, Bytes 0
    Unicast Packets 0, Bytes 0
    Multicast Routed Packets 0, Bytes 0
  Out Scheduler Dropped Packets 0, Bytes 0
  Out Policed Packets 0, Bytes 0
  Out Discarded Packets 0
  IP policy secure-input ipSecureIn
    classifier-group secClassA entry 1
      0 packets, 0 bytes
      mirror analyzer-ip-address 10.10.3.14, analyzer-virtual-router default
    classifier-group secClassB entry 2
      0 packets, 0 bytes
      mirror analyzer-ip-address 10.10.3.14, analyzer-virtual-router vr200
  IP policy secure-output ipSecureOut
    classifier-group secClassC entry 1
      0 packets, 0 bytes
      mirror analyzer-ip-address 10.10.7.104, analyzer-virtual-router vr300
Meaning
Table 61 on page 265 lists the secure packet mirroring-related fields.
Table 61: show ip interface Output Fields
Field Name                  Field Description
IP Policy                   Type (secure-input, secure-output) and name of the secure policy
classifier-group            Name of a CLACL attached to the interface and number of the entry
packets                     Number of packets classified by the CLACL
bytes                       Number of bytes classified by the CLACL
mirror analyzer-ip-address  IP address of the analyzer device
analyzer-virtual-router     Name of the analyzer interface virtual router
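Because the secure policy lines are the only record of where an interface's traffic is being mirrored, an operator auditing a router wants to extract them and compare each analyzer against a sanctioned list. The following is an added Python parser for the fields in Table 61 (not Juniper code); the sample output is a constructed excerpt of the show ip interface output above, and the sanctioned-analyzer list in the usage is an assumption for the example.

```python
import re

# Constructed excerpt of the show ip interface output above (secure policy lines kept).
SAMPLE_OUTPUT = """\
ATM5/0.1 line protocol Atm1483 is up
  Network Protocols: IP
  Internet address is 10.10.7.14/255.255.255.0
  IP policy secure-input ipSecureIn
    classifier-group secClassA entry 1
      0 packets, 0 bytes
      mirror analyzer-ip-address 10.10.3.14, analyzer-virtual-router default
    classifier-group secClassB entry 2
      0 packets, 0 bytes
      mirror analyzer-ip-address 10.10.3.14, analyzer-virtual-router vr200
  IP policy secure-output ipSecureOut
    classifier-group secClassC entry 1
      0 packets, 0 bytes
      mirror analyzer-ip-address 10.10.7.104, analyzer-virtual-router vr300
"""

IFACE_RE = re.compile(r"^(\S+) line protocol ")
POLICY_RE = re.compile(r"^\s*IP policy (secure-input|secure-output) (\S+)")
CLACL_RE = re.compile(r"^\s*classifier-group (\S+) entry (\d+)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MIRROR_RE = re.compile(r"^\s*mirror analyzer-ip-address (\S+), analyzer-virtual-router (\S+)")


def parse_secure_mirrors(text):
    """Return one dict per classifier-group entry found under a secure policy."""
    entries, iface, policy, cur = [], None, None, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface, policy, cur = m.group(1), None, None  # new interface block resets state
        elif m := POLICY_RE.match(line):
            policy = (m.group(1), m.group(2))
        elif (m := CLACL_RE.match(line)) and policy:
            cur = {"interface": iface, "policy_type": policy[0], "policy": policy[1],
                   "clacl": m.group(1), "entry": int(m.group(2))}
            entries.append(cur)
        elif (m := COUNT_RE.match(line)) and cur:
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif (m := MIRROR_RE.match(line)) and cur:
            cur["analyzer_ip"], cur["analyzer_vr"] = m.group(1), m.group(2)
    return entries


def unsanctioned_mirrors(entries, allowed):
    """Entries whose (analyzer IP, virtual router) pair is not on the sanctioned list."""
    return [e for e in entries if (e.get("analyzer_ip"), e.get("analyzer_vr")) not in allowed]
```

With the two 10.10.3.14 analyzers sanctioned, the parser flags the secure-output entry secClassC sending traffic to 10.10.7.104 in vr300 as the one to investigate.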
Related Topics
show ip interface
Monitoring the Packet Mirroring Configuration of IP Interfaces
Purpose
Display CLI-based packet mirroring configuration information for a specific interface or for all interfaces on which mirroring is enabled.
NOTE: This command is deprecated and might be removed completely in a future release. The function provided by this command has been replaced by the show secure policy-list command.
Action
To display information about a specific interface or for all interfaces:
host1#show ip mirror interface atm 5/0.1
Interface            Analyzer Port        Analyzer next-hop
-------------------  -------------------  --------------------
ATM5/0.1             FastEthernet3/0      192.168.1.1
Meaning
Table 62 on page 266 lists the show ip mirror interface command output fields.
Table 62: show ip mirror interface Output Fields
Field Name         Field Description
Interface          Interface being mirrored
Analyzer Port      Interface to which the mirrored traffic is sent, and that then sends the traffic to the analyzer device
Analyzer next-hop  IP address of the next hop to the analyzer device; displayed when the analyzer interface is a shared medium
Related Topics
show ip mirror interface
Monitoring Failure Messages for Secure Policies
Purpose
Display failure messages and information for secure policies. This command and the output are visible only to authorized users--the mirror-enable command must be enabled before using this command. [. . . ]