- play_arrow Understanding and Configuring Junos Routing Policies
- play_arrow Overview
- Policy Framework Overview
- Comparison of Routing Policies and Firewall Filters
- Prefix Prioritization Overview
- FIB Prefix Prioritization
- Accounting of the Policer Overhead Attribute at the Interface Level
- Configuring the Accounting of Policer Overhead in Interface Statistics
- Understanding Routing Policies
- Protocol Support for Import and Export Policies
- Example: Applying Routing Policies at Different Levels of the BGP Hierarchy
- Default Routing Policies
- Example: Configuring a Conditional Default Route Policy
- play_arrow Evaluating Routing Policies Using Match Conditions, Actions, Terms, and Expressions
- How a Routing Policy Is Evaluated
- Categories of Routing Policy Match Conditions
- Routing Policy Match Conditions
- Route Filter Match Conditions
- Actions in Routing Policy Terms
- Summary of Routing Policy Actions
- Example: Configuring a Routing Policy to Advertise the Best External Route to Internal Peers
- Example: Configuring BGP to Advertise Inactive Routes
- Example: Using Routing Policy to Set a Preference Value for BGP Routes
- Example: Enabling BGP Route Advertisements
- Example: Rejecting Known Invalid Routes
- Example: Using Routing Policy in an ISP Network
- Understanding Policy Expressions
- Understanding Backup Selection Policy for OSPF Protocol
- Configuring Backup Selection Policy for the OSPF Protocol
- Configuring Backup Selection Policy for IS-IS Protocol
- Example: Configuring Backup Selection Policy for the OSPF or OSPF3 Protocol
- play_arrow Evaluating Complex Cases Using Policy Chains and Subroutines
- play_arrow Configuring Route Filters and Prefix Lists as Match Conditions
- Understanding Route Filters for Use in Routing Policy Match Conditions
- Understanding Route Filter and Source Address Filter Lists for Use in Routing Policy Match Conditions
- Understanding Load Balancing Using Source or Destination IP Only
- Configuring Load Balancing Using Source or Destination IP Only
- Walkup for Route Filters Overview
- Configuring Walkup for Route Filters to Improve Operational Efficiency
- Example: Configuring Route Filter Lists
- Example: Configuring Walkup for Route Filters Globally to Improve Operational Efficiency
- Example: Configuring Walkup for Route Filters Locally to Improve Operational Efficiency
- Example: Configuring a Route Filter Policy to Specify Priority for Prefixes Learned Through OSPF
- Example: Configuring the MED Using Route Filters
- Example: Configuring Layer 3 VPN Protocol Family Qualifiers for Route Filters
- Understanding Prefix Lists for Use in Routing Policy Match Conditions
- Example: Configuring Routing Policy Prefix Lists
- Example: Configuring the Priority for Route Prefixes in the RPD Infrastructure
- Configuring Priority for Route Prefixes in RPD Infrastructure
- play_arrow Configuring AS Paths as Match Conditions
- Understanding AS Path Regular Expressions for Use as Routing Policy Match Conditions
- Example: Using AS Path Regular Expressions
- Understanding Prepending AS Numbers to BGP AS Paths
- Example: Configuring a Routing Policy for AS Path Prepending
- Understanding Adding AS Numbers to BGP AS Paths
- Example: Advertising Multiple Paths in BGP
- Improve the Performance of AS Path Lookup in BGP Policy
- play_arrow Configuring Communities as Match Conditions
- Understanding BGP Communities, Extended Communities, and Large Communities as Routing Policy Match Conditions
- Understanding How to Define BGP Communities and Extended Communities
- How BGP Communities and Extended Communities Are Evaluated in Routing Policy Match Conditions
- Example: Configuring Communities in a Routing Policy
- Example: Configuring Extended Communities in a Routing Policy
- Example: Configuring BGP Large Communities
- Example: Configuring a Routing Policy Based on the Number of BGP Communities
- Example: Configuring a Routing Policy That Removes BGP Communities
- play_arrow Increasing Network Stability with BGP Route Flapping Actions
- play_arrow Tracking Traffic Usage with Source Class Usage and Destination Class Usage Actions
- Understanding Source Class Usage and Destination Class Usage Options
- Source Class Usage Overview
- Guidelines for Configuring SCU
- System Requirements for SCU
- Terms and Acronyms for SCU
- Roadmap for Configuring SCU
- Roadmap for Configuring SCU with Layer 3 VPNs
- Configuring Route Filters and Source Classes in a Routing Policy
- Applying the Policy to the Forwarding Table
- Enabling Accounting on Inbound and Outbound Interfaces
- Configuring Input SCU on the vt Interface of the Egress PE Router
- Mapping the SCU-Enabled vt Interface to the VRF Instance
- Configuring SCU on the Output Interface
- Associating an Accounting Profile with SCU Classes
- Verifying Your SCU Accounting Profile
- SCU Configuration
- SCU with Layer 3 VPNs Configuration
- Example: Grouping Source and Destination Prefixes into a Forwarding Class
- play_arrow Avoiding Traffic Routing Threats with Conditional Routing Policies
- Conditional Advertisement and Import Policy (Routing Table) with certain match conditions
- Conditional Advertisement Enabling Conditional Installation of Prefixes Use Cases
- Example: Configuring a Routing Policy for Conditional Advertisement Enabling Conditional Installation of Prefixes in a Routing Table
- play_arrow Protecting Against DoS Attacks by Forwarding Traffic to the Discard Interface
- play_arrow Improving Commit Times with Dynamic Routing Policies
- play_arrow Testing Before Applying Routing Policies
-
- play_arrow Configuring Traffic Policers
- play_arrow Understanding Traffic Policers
- Policer Implementation Overview
- ARP Policer Overview
- Example: Configuring ARP Policer
- Understanding the Benefits of Policers and Token Bucket Algorithms
- Determining Proper Burst Size for Traffic Policers
- Controlling Network Access Using Traffic Policing Overview
- Traffic Policer Types
- Order of Policer and Firewall Filter Operations
- Understanding the Frame Length for Policing Packets
- Supported Standards for Policing
- Hierarchical Policer Configuration Overview
- Understanding Enhanced Hierarchical Policers
- Packets-Per-Second (pps)-Based Policer Overview
- Guidelines for Applying Traffic Policers
- Policer Support for Aggregated Ethernet Interfaces Overview
- Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface
- Firewall and Policing Differences Between PTX Series Packet Transport Routers and T Series Matrix Routers
- Hierarchical Policers on ACX Series Routers Overview
- Guidelines for Configuring Hierarchical Policers on ACX Series Routers
- Hierarchical Policer Modes on ACX Series Routers
- Processing of Hierarchical Policers on ACX Series Routers
- Actions Performed for Hierarchical Policers on ACX Series Routers
- Configuring Aggregate Parent and Child Policers on ACX Series Routers
- play_arrow Configuring Policer Rate Limits and Actions
- play_arrow Configuring Layer 2 Policers
- Hierarchical Policers
- Configuring a Policer Overhead
- Two-Color and Three-Color Policers at Layer 2
- Layer 2 Traffic Policing at the Pseudowire Overview
- Configuring a Two-Color Layer 2 Policer for the Pseudowire
- Configuring a Three-Color Layer 2 Policer for the Pseudowire
- Applying the Policers to Dynamic Profile Interfaces
- Attaching Dynamic Profiles to Routing Instances
- Using Variables for Layer 2 Traffic Policing at the Pseudowire Overview
- Configuring a Policer for the Complex Configuration
- Creating a Dynamic Profile for the Complex Configuration
- Attaching Dynamic Profiles to Routing Instances for the Complex Configuration
- Verifying Layer 2 Traffic Policers on VPLS Connections
- Understanding Policers on OVSDB-Managed Interfaces
- Example: Applying a Policer to OVSDB-Managed Interfaces
- play_arrow Configuring Two-Color and Three-Color Traffic Policers at Layer 3
- Two-Color Policer Configuration Overview
- Basic Single-Rate Two-Color Policers
- Bandwidth Policers
- Prefix-Specific Counting and Policing Actions
- Policer Overhead to Account for Rate Shaping in the Traffic Manager
- Three-Color Policer Configuration Overview
- Applying Policers
- Three-Color Policer Configuration Guidelines
- Basic Single-Rate Three-Color Policers
- Basic Two-Rate Three-Color Policers
- Example: Configuring a Two-Rate Three-Color Policer
- play_arrow Configuring Logical and Physical Interface Traffic Policers at Layer 3
- play_arrow Configuring Policers on Switches
- Overview of Policers
- Traffic Policer Types
- Understanding the Use of Policers in Firewall Filters
- Understanding Tricolor Marking Architecture
- Configuring Policers to Control Traffic Rates (CLI Procedure)
- Configuring Tricolor Marking Policers
- Understanding Policers with Link Aggregation Groups
- Understanding Color-Blind Mode for Single-Rate Tricolor Marking
- Understanding Color-Aware Mode for Single-Rate Tricolor Marking
- Understanding Color-Blind Mode for Two-Rate Tricolor Marking
- Understanding Color-Aware Mode for Two-Rate Tricolor Marking
- Example: Using Two-Color Policers and Prefix Lists
- Example: Using Policers to Manage Oversubscription
- Assigning Forwarding Classes and Loss Priority
- Configuring Color-Blind Egress Policers for Medium-Low PLP
- Configuring Two-Color and Three-Color Policers to Control Traffic Rates
- Verifying That Two-Color Policers Are Operational
- Verifying That Three-Color Policers Are Operational
- Troubleshooting Policer Configuration
- Troubleshooting Policer Configuration
-
- play_arrow Configuration Statements and Operational Commands
- play_arrow Troubleshooting
- play_arrow Knowledge Base
-
Service Filter Match Conditions for IPv4 or IPv6 Traffic
Service filters support only a subset of the stateless firewall filter match conditions for IPv4 and IPv6 traffic. Table 1 describes the service filter match conditions.
Match Condition | Description | Protocol Families |
|---|---|---|
| Match the IP source or destination address field. |
|
| Do not match the IP source or destination address field. |
|
| (M Series routers, except M120 and M320) Match on the IPsec authentication header (AH) security parameter index (SPI) value. |
|
| (M Series routers, except M120 and M320) Do not match on the IPsec AH SPI value. |
|
| Match the IP destination address field. You cannot specify both the |
|
| Do not match the IP destination address field. You cannot specify both the |
|
| Match the UDP or TCP destination port field. You cannot specify both the If you configure this match condition
for IPv4 traffic, we recommend that you also configure the
If you configure this match condition
for IPv6 traffic, we recommend that you also configure the
In place of the numeric value, you can specify
one of the following text synonyms (the port numbers are also
listed): |
|
| Do not match the UDP or TCP destination port field. For details, see
the |
|
| Match the list of destination prefixes. The prefix list is defined at
the |
|
| Match the IPsec encapsulating security payload (ESP) SPI value.
Specify a single value or a range of values. You can specify a
value in hexadecimal, binary, or decimal
form. To specify the value in hexadecimal form, include
|
|
| Do not match the IPsec ESP SPI value or range of values. For details,
see the |
|
| Match if the packet is the first fragment of a fragmented packet.
Do not match if the packet is a trailing fragment of a fragmented
packet. The first fragment of a fragmented packet has a fragment
offset value of This match condition is an alias for the bit-field match condition
To match both first and trailing fragments, you can use two terms
that specify different match conditions:
|
|
| Match one or more of the following specified packet forwarding classes:
For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues. |
|
| Do not match one or more of the following specified packet forwarding classes:
|
|
| (Ingress only) Match the three-bit IP fragmentation flags field in the IP header. In place of the numeric field value, you can specify one of the
following keywords (the field values are also listed):
|
|
| Match the 13-bit fragment offset field in the IP header. The value is
the offset, in 8-byte units, in the overall datagram message to the
data fragment. Specify a numeric value, a range of values, or a set
of values. An offset value of The To match both first and trailing fragments, you can use two terms
that specify different match conditions
( |
|
| Do not match the 13-bit fragment offset field. |
|
| Match the interface group (set of one or more logical interfaces) on
which the packet was received. For
For information about configuring interface groups, see Filtering Packets Received on a Set of Interface Groups Overview. |
|
| Do not match the interface group on which the packet was received.
for details, see the |
|
| Match the 8-bit IP option field, if present, to the specified value or list of values. In place of a numeric value, you can specify one of the following
text synonyms (the option values are also listed):
To match any value for the IP option, use the text synonym
For example, the match condition
For most interfaces, a filter term that specifies an
The 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit
Ethernet MPC, 60-Gigabit Queuing Ethernet MPC, 60-Gigabit Ethernet
Enhanced Queuing MPC on MX Series routers and EX Series switches are
capable of parsing the IP option field of the IPv4 packet header.
This capability is supported on EX Series switches also. For
interfaces configured on those MPCs, all packets that are
matched using the |
|
| Do not match the IP option field to the specified value or list of
values. For details about specifying the
|
|
| Match if the packet is a trailing fragment of a fragmented packet. Do not match the first fragment of a fragmented packet. This match condition is an alias for the bit-field match condition
Note: To match both first and trailing fragments, you can use two terms
that specify different match conditions
( |
|
| Match one or more of the following specified packet loss priority (PLP) levels:
The PLP is used by schedulers in conjunction with the random early discard (RED) algorithm to control packet discard during periods of congestion. For information about PLP, see Managing Congestion by Setting Packet Loss Priority for Different Traffic Flows and Overview of Assigning Service Levels to Packets Based on Multiple Packet Header Fields. |
|
| Do not match one or more of the following specified packet loss priority (PLP) levels:
|
|
| Match the UDP or TCP source or destination port field. If you configure this match condition, you cannot
configure the If you configure this match condition
for IPv4 traffic, we recommend that you also configure the
If you configure this match condition
for IPv6 traffic, we recommend that you also configure the
In place of the numeric value, you can specify
one of the text synonyms listed under
|
|
| Do not match the UDP or TCP source or destination port field. For
details, see the |
|
| Match the prefixes of the source or destination address fields to the
prefixes in the specified list. The prefix list is defined at the
|
|
| Match the IP protocol type field. In place of the numeric value, you can specify
one of the following text synonyms (the field values are also
listed): |
|
| Do not match the IP protocol type field. For details, see the
|
|
| Match the IP source address. You cannot specify both the |
|
| Do not match the IP source address. You cannot specify both the |
|
| Match the UDP or TCP source port field. You cannot specify the If you configure this match condition
for IPv4 traffic, we recommend that you also configure the
If you configure this match condition
for IPv6 traffic, we recommend that you also configure the
In place of the numeric value, you can specify
one of the text synonyms listed with the |
|
| Do not match the UDP or TCP source port field. For details, see the
|
|
| Match source prefixes in the specified list. Specify the name of a
prefix list defined at the |
|
| Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. For combined bit-field match conditions, see the
If you configure this match
condition for IPv4 traffic, we recommend that you also configure the
If you configure this match
condition for IPv6 traffic, we recommend that you also configure the
|
|
If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions),
use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about
IPv6 addresses, see “IPv6 Overview” in the Junos OS Routing Protocols Library for Routing Devices.
