
Table of Contents

About This Guide
JUNOS Documentation and Release Notes
Objectives
Audience
Supported Platforms
Using the Indexes
Using the Examples in This Manual
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Policy Framework
Introduction to Policy Framework
Policy Framework Overview
Router Flows Affected by Policies
Policy Architecture
Control Points
Policy Components
Default Policies and Actions
Configuration Tasks
Policy Configuration Recommendations
Comparison of Routing Policies and Firewall Filters
Routing Policies
Introduction to Routing Policy
Routing Policy Overview
Importing and Exporting Routes
Protocols That Can Be Imported to and Exported from the Routing Table
Routing Tables Affected by Routing Policies
Default Routing Policies and Actions
Default Import and Export Policies for Protocols
Creating Routing Policies
Configuring a Routing Policy
Routing Policy Match Conditions
Routing Policy Named Match Conditions
Routing Policy Actions
Routing Policy Terms
Routing Policy Application
Routing Protocol Support for Import and Export Policy
Protocol Support for Import and Export Policies
Routing Policy Application to Routing Protocols
Applying Export Policies to the Forwarding Table
Evaluating a Routing Policy
How a Routing Policy Is Evaluated
How a Routing Policy Chain Is Evaluated
How a Routing Policy Expression Is Evaluated
How a Routing Policy Subroutine Is Evaluated
Routing Policy Tests
Routing Policy Configuration Statements
Configuring Routing Policy
Minimum Routing Policy Configuration
Minimum Routing Policy Chain Configuration
Minimum Subroutine Configuration
Routing Policy Configuration
Defining Routing Policies
Configuring Match Conditions in Routing Policy Terms
Configuring Actions in Routing Policy Terms
Configuring Flow Control Actions
Configuring Actions That Manipulate Route Characteristics
Configuring the Default Action in Routing Policies
Example: Configuring the Default Action in a Routing Policy
Configuring a Final Action in Routing Policies
Logging Matches to a Routing Policy Term
Configuring Separate Actions for Routes in Route Lists
Applying Routing Policies and Policy Chains to Routing Protocols
Effect of Omitting Ingress Match Conditions from Export Policies
Applying Policy Expressions to Routes Exported from Routing Tables
Policy Expression Examples
How a Policy Expression Is Evaluated
Example: Evaluating Policy Expressions
Applying Routing Policies to the Forwarding Table
Configuring Dynamic Routing Policies
Configuring Routing Policies and Policy Objects in the Dynamic Database
Configuring Routing Policies Based on Dynamic Database Configuration
Applying Dynamic Routing Policies to BGP
Preventing Reestablishment of BGP Peering Sessions After NSR Routing Engine Switchover
Example: Configuring a BGP Export Policy That References a Dynamic Routing Policy
Forwarding Packets to the Discard Interface
Testing Routing Policies
Example: Testing a Routing Policy
Routing Policy Examples
Example: Defining a Routing Policy from BGP to IS-IS
Example: Using Routing Policy to Set a Preference
Example: Importing and Exporting Access and Access-Internal Routes in a Routing Policy
Example: Exporting Routes to IS-IS
Example: Applying Export and Import Policies to BGP Peer Groups
Example: Applying a Prefix to Routes Learned from a Peer
Example: Redistributing BGP Routes with a Specific Community Tag into IS-IS
Example: Redistributing OSPF Routes into BGP
Example: Exporting Direct Routes Into IS-IS
Example: Exporting Internal IS-IS Level 1 Routes to Level 2
Example: Exporting IS-IS Level 2 Routes to Level 1
Example: Assigning Different Forwarding Next-Hop LSPs to Different Destination Prefixes
Example: Grouping Destination Prefixes
Example: Grouping Source Prefixes
Example: Grouping Source and Destination Prefixes in a Forwarding Class
Example: Accepting Routes with Specific Destination Prefixes
Example: Accepting Routes from BGP with a Specific Destination Prefix
Example: Using Routing Policy in an ISP Network
Requesting a Single Default Route on the Customer 1 Router
Requesting Specific Routes on the Customer 2 Router
Configuring a Peer Policy on ISP Router 3
Configuring Private and Exchange Peers on ISP Router 1 and 2
Configuring Locally Defined Static Routes on the Exchange Peer 2 Router
Configuring Outbound and Generated Routes on the Private Peer 2 Router
Extended Match Conditions Configuration
Configuring AS Path Regular Expressions to Use as Routing Policy Match Conditions
Configuring AS Path Regular Expressions
Configuring a Null AS Path
How AS Path Regular Expressions Are Evaluated
Examples: Configuring AS Path Regular Expressions
Overview of BGP Communities and Extended Communities as Routing Policy Match Conditions
Defining BGP Communities and Extended Communities for Use in Routing Policy Match Conditions
Defining BGP Communities for Use in Routing Policy Match Conditions
Using UNIX Regular Expressions in Community Names
Defining BGP Extended Communities for Use in Routing Policy Match Conditions
Examples: Defining BGP Extended Communities
Inverting Community Matches
Including BGP Communities and Extended Communities in Routing Policy Match Conditions
How BGP Communities and Extended Communities Are Evaluated in Routing Policy Match Conditions
Using Routing Policies to Prevent Advertisement of BGP Communities to Neighbors
Examples: Configuring BGP Communities as Routing Policy Match Conditions
Configuring Prefix Lists for Use in Routing Policy Match Conditions
Configuring Prefix Lists
How Prefix Lists Are Evaluated in Routing Policy Match Conditions
Configuring Prefix List Filters
Example: Configuring a Prefix List
Configuring Route Lists for Use in Routing Policy Match Conditions
Configuring Route Lists
How Route Lists Are Evaluated in Routing Policy Match Conditions
How Prefix Order Affects Route List Evaluation
Common Configuration Problem with the Longest-Match Lookup
Route List Examples
Example: Rejecting Routes with Specific Destination Prefixes and Mask Lengths
Example: Rejecting Routes with a Mask Length Greater than Eight
Example: Rejecting Routes with Mask Length Between 26 and 29
Example: Rejecting Routes from Specific Hosts
Example: Accepting Routes with a Defined Set of Prefixes
Example: Rejecting Routes with a Defined Set of Prefixes
Example: Rejecting Routes with Prefixes Longer than 24 Bits
Example: Rejecting PIM Multicast Traffic Joins
Example: Rejecting PIM Traffic
Configuring Subroutines in Routing Policy Match Conditions
Configuring Subroutines
Possible Consequences of Termination Actions in Subroutines
Example: Configuring a Subroutine
Configuring Routing Policy Match Conditions Based on Routing Table Entries
Extended Actions Configuration
Prepending AS Numbers to BGP AS Paths
Adding AS Numbers to BGP AS Paths
Using Routing Policies to Damp BGP Route Flapping
Configuring BGP Flap Damping Parameters
Specifying BGP Flap Damping as the Action in Routing Policy Terms
Disabling Damping for Specific Address Prefixes
Example: Disabling Damping for a Specific Address Prefix
Example: Configuring BGP Flap Damping
Overview of Per-Packet Load Balancing
Configuring Per-Packet Load Balancing
Per-Packet Load Balancing Examples
Configuring Load Balancing Based on MPLS Labels
Configuring Load Balancing for Ethernet Pseudowires
Configuring Load Balancing Based on MAC Addresses
Configuring VPLS Load Balancing Based on IP and MPLS Information
Summary of Routing Policy Configuration Statements
apply-path
as-path
as-path-group
community
condition
damping
dynamic-db
export
import
policy-options
policy-statement
prefix-list
prefix-list-filter
Firewall Filters
Introduction to Firewall Filters
Firewall Filter Overview
Firewall Filter Components
Supported Standards
Firewall Filter Configuration
Configuring Firewall Filters
Minimum Firewall Filter Configuration
Configuring Firewall Filters
Configuring the Address Family
Configuring the Filter Name
Configuring Firewall Filter Terms
How Firewall Filters Are Evaluated
Configuring Match Conditions in Firewall Filter Terms
Configuring Numeric Range Match Conditions
Configuring IP Address Match Conditions
Configuring Bit-Field Match Conditions
Configuring Class-Based Match Conditions
Configuring Protocol Match Conditions
Example: Ignoring Packet Protocol
Configuring Match Conditions for Small Packets
Configuring Actions in Firewall Filter Terms
Example: Counting and Sampling Accepted Packets
Example: Setting the DSCP Bit to Zero
Configuring Nested Firewall Filters
Example: Configuring Nested Filters
Applying Firewall Filters to Interfaces
Configuring Interface-Specific Counters
Example: Configuring Interface-Specific Counters
Defining Interface Groups
Example: Defining Interface Groups
Firewall Filter Examples
Example: Blocking Telnet and SSH Access
Example: Blocking TFTP Access
Example: Accepting DHCP Packets with Specific Addresses
Example: Defining a Policer for a Destination Class
Example: Counting IP Option Packets
Example: Accepting OSPF Packets from Certain Addresses
Example: Matching Packets Based on Two Unrelated Criteria
Example: Counting Both Accepted and Rejected Packets
Example: Blocking TCP Connections to a Certain Port Except from BGP Peers
Example: Accepting Packets with Specific IPv6 TCP Flags
Example: Setting a Rate Limit for Incoming Layer 2 Control Packets
Configuring Service Filters
Configuring Simple Filters
Example: Configuring a Simple Filter
Configuring Firewall Filters for Logical Systems
Guidelines for Firewall Configuration in Logical Systems
Scenario 1: Firewall Objects Reference Other Firewall Objects
Scenario 2: Nonfirewall Objects Reference Firewall Objects
Scenario 3: Firewall Objects Reference Nonfirewall Objects
Unsupported Configuration Statements, Actions, and Action Modifiers
Configuring Accounting for Firewall Filters
Configuring Filter-Based Forwarding
Examples: Configuring Filter-Based Forwarding
Configuring Forwarding Table Filters
Overview of Forwarding Table Filters
Configuring a Forwarding Table Filter
Configuring System Logging of Firewall Filter Operations
Example: Configuring Firewall Filter System Logging
Policer Overview
Policer Configuration
Configuring Policers
Minimum Policer Configuration
Configuring Policers
Configuring Rate Limiting
Configuring Policer Actions
Example: Configuring a Policer Action
Configuring Multifield Classifiers for Policing
Configuring Filter-Specific Policers
Configuring Policer Actions for Specific Address Prefixes
Examples: Configuring Policer Actions for Specific Address Prefixes
Examples: Classifying Traffic
Configuring Interface Sets
Applying Interface Policers
Example: Applying an Interface Policer
Configuring Aggregate Policers
Example: Configuring an Aggregate Policer
Configuring Bandwidth Policers
Example: Configuring a Bandwidth Policer
Configuring Load-Balance Groups
Configuring Tricolor Marking
Configuring Tricolor Marking Policers
Example: Configuring a Tricolor Marking Policer
Configuring Interface Policers Using Tricolor Marking Policing
Example: Rate-Limiting Bandwidth Using Tricolor Marking Policing
Examples: Configuring Policing
Summary of Firewall Filter and Policer Configuration Statements
accounting-profile
action
family
filter
filter-specific
firewall
if-exceeding
interface-set
interface-specific
load-balance-group
logical-bandwidth-policer
logical-interface-policer
policer
prefix-action
service-filter
simple-filter
term
three-color-policer
three-color-policer (Applying)
three-color-policer (Configuring)
virtual-channel
Traffic Sampling, Forwarding and Monitoring
Traffic Sampling, Forwarding, and Monitoring Overview
Traffic Sampling Configuration
Configuring Traffic Sampling
Minimum Traffic Sampling Configuration
Configuring Traffic Sampling
Disabling Traffic Sampling
Configuring the Output File for Traffic Sampling
Traffic Sampling Output Format
Tracing Traffic Sampling Operations
Configuring Flow Aggregation (cflowd)
Debugging cflowd Flow Aggregation
Configuring Active Flow Monitoring Using Version 9
Example: Configuring Active Flow Monitoring Using Version 9
Traffic Sampling Examples
Example: Sampling a Single SONET/SDH Interface
Example: Sampling All Traffic from a Single IP Address
Example: Sampling All FTP Traffic
Traffic Forwarding and Monitoring Configuration
Configuring Traffic Forwarding and Monitoring
Applying Filters to Forwarding Tables
Configuring IPv6 Accounting
Configuring Discard Accounting
Configuring Flow Monitoring
Configuring Next-Hop Groups
Per-Flow and Per-Prefix Load Balancing Overview
Configuring Per-Prefix Load Balancing
Configuring Per-Flow Load Balancing Based on Hash Values
Configuring Routers and Interfaces as DHCP and BOOTP Relay Agents
Configuring DNS and TFTP Packet Forwarding
Tracing BOOTP, DNS, and TFTP Forwarding Operations
Configuring the Log Filename
Configuring the Number and Size of Log Files
Configuring Access to the Log File
Configuring a Regular Expression for Lines to Be Logged
Example: Configuring DNS Packet Forwarding
Preventing DHCP Spoofing on MX-series Routers
Configuring Port Mirroring
Configuring Packet Capture
Extended DHCP Relay Agent Configuration
Extended DHCP Agent Overview
Interaction Between the DHCP Relay Agent, Clients, and Servers
Access and Access-Internal Routes
DHCP State Persistence
Graceful Routing Engine Switchover
Configuring the Extended DHCP Agent
Overriding the Default Configuration for the Extended DHCP Relay Agent
Overwriting giaddr Information
Overriding Option 82 Information
Using Layer 2 Unicast Transmission for DHCP Packets
Trusting Option 82 Information
Disabling DHCP Relay
Using Option 60 Information to Forward Client Traffic to Specific DHCP Servers
Using Matching Option 60 Strings to Process DHCP Client Traffic
Using Nonmatching Option 60 Strings to Process DHCP Client Traffic
Displaying a Count of Discarded DHCP Packets with Option 60 Information
Enabling and Disabling Insertion of Option 82 Information
Configuring Agent-Circuit-Id Information
Configuring an Option 82 Prefix
Configuring Server Groups
Configuring Active Server Groups
Grouping Interfaces with Common DHCP Relay Configuration
Configuring Group-Specific DHCP Relay Options
Enabling the DHCP Relay Agent on Specified Interfaces
Using External AAA Authentication Services with the Extended DHCP Relay Agent
Verifying and Managing Clients of the Extended DHCP Relay Agent
Tracing Extended DHCP Relay Agent Operations
Configuring the Extended DHCP Relay Agent Log Filename
Configuring the Number and Size of Extended DHCP Relay Agent Log Files
Configuring Access to the Extended DHCP Relay Agent Log File
Configuring a Regular Expression for Extended DHCP Relay Agent Lines to Be Logged
Configuring the Extended DHCP Relay Agent Tracing Flags
Example: Minimum DHCP Relay Agent Configuration
Example: DHCP Relay Agent Configuration with Multiple Clients and Servers
Example: Using Option 60 Strings to Forward DHCP Client Traffic
Example: Using Option 60 Strings to Drop DHCP Client Traffic
Summary of Traffic Sampling, Forwarding, and Monitoring Configuration Statements
accounting
active-server-group
aggregation
always-write-giaddr
always-write-option-82
authentication
autonomous-system-type
bootp
cflowd
cflowd (Discard Accounting)
cflowd (Flow Monitoring)
cflowd (Sampling)
circuit-id
circuit-type
client-response-ttl
default-local-server-group
default-relay-server-group
delimiter
description
dhcp-relay
dhcp-relay (Extended DHCP Relay Agent)
dhcp-relay (DHCP Spoofing Prevention)
disable
disable-relay
domain
domain-name
drop
export-format
family
family (Filtering)
family (Monitoring)
family (Port Mirroring)
family (Sampling)
family inet
family mpls
family multiservice
file
file (Extended DHCP Relay Agent and Helpers Trace Options)
file (Packet Capture)
file (Sampling)
file (Trace Options)
filename
filename (Packet Capture)
filename (Sampling)
files
files (Packet Capture)
files (Sampling and Traceoptions)
filter
filter (IPv4, IPv6, and MPLS)
filter (VPLS)
flood
flow-active-timeout
flow-export-destination
flow-inactive-timeout
forwarding-options
group
group (DHCP Relay Agent)
group (DHCP Spoofing Prevention)
hash-key
helpers
indexed-next-hop
input
input (Forwarding Table)
input (Port Mirroring)
input (Sampling)
instance
interface
interface (Accounting or Sampling)
interface (BOOTP)
interface (DHCP Spoofing Prevention)
interface (DNS and TFTP Packet Forwarding or Relay Agent)
interface (Extended DHCP Relay Agent)
interface (Monitoring)
interface (Next-Hop Group)
interface (Port Mirroring)
layer2-unicast-replies
load-balance
local-dump
local-server-group
logical-system-name
mac-address
max-packets-per-second
maximum-capture-size
maximum-hop-count
minimum-wait-time
mirror-once
monitoring
next-hop
next-hop-group
no-filter-check
no-listen
no-local-dump
no-stamp
no-world-readable
option-60
option-82
output
output (Accounting)
output (Forwarding Table)
output (Monitoring)
output (Port Mirroring)
output (Sampling)
overrides
packet-capture
password
per-flow
per-prefix
port
port-mirroring
prefix
rate
relay-option-60
relay-option-82
relay-server-group
route-accounting
routing-instance-name
run-length
sampling
server
server (DHCP and BOOTP Relay Agent)
server (DNS and TFTP Service)
server-group
size
size (Packet Capture)
size (Sampling and Traceoptions)
stamp
tftp
traceoptions
traceoptions (DNS and TFTP Packet Forwarding)
traceoptions (Extended DHCP Relay Agent)
traceoptions (Port Mirroring and Traffic Sampling)
trust-option-82
user-prefix
username-include
vendor-option
version
version9
world-readable
Indexes
Index
Index of Statements and Commands
