

Configuring Classify-Traffic Conditions

You create classify-traffic conditions in JUNOSe policy rules, in JUNOS ASP and JUNOS filter policy rules, and in PCMM policy rules.

The available configuration statements change depending on the type of policy rule that holds the condition and on the type of protocol that you specify.

To configure a classify-traffic condition, do the following:

  1. Create a classify-traffic condition. See:
  2. Configure source networks. You can configure source networks in one of two formats. See:
  3. Configure destination networks. You can configure destination networks in one of two formats. See:
  4. Configure protocol conditions. The type of protocol condition that you use depends on your configuration.
  5. For JUNOS filter policies, configure a JUNOS filter condition. See:
  6. For the stateful firewall and NAT policies, configure an application protocol condition. See:


NOTE: PCMM classifiers support only the following match criteria:

  • Source and destination IP addresses
  • Network protocol
  • Source or destination port
  • Type-of-service (ToS) byte and ToS mask

The policy engine ignores all other values.


Before You Configure Classify-Traffic Conditions

If you are configuring classifiers for PCMM policies, you can specify whether the classifier will be used in a PCMM IO2 or IO3 network. By default, the software translates classify-traffic conditions into PCMM IO2 classifiers.

For JUNOSe policies, you can specify that the SAE expand the classifier into multiple classifiers before it installs the policy on the router.

Enabling Expansion of JUNOSe Classify-Traffic Conditions

For information about expanded classifiers, see Expanded Classifiers.

Use the following configuration statement to enable or disable the expansion of JUNOSe classifiers.

shared sae configuration policy-management-configuration {
enable-junose-classifier-expansion;
}

To enable or disable the expansion of JUNOSe classifiers:

  1. From configuration mode, access the configuration statement that configures policy management properties on the SAE.

     user@host# edit shared sae configuration policy-management-configuration

  2. Specify whether or not the SAE expands the JUNOSe classify-traffic conditions into multiple classifiers before it installs the policy on the router.

     [edit shared sae configuration policy-management-configuration]
     user@host# set enable-junose-classifier-expansion

Specifying the PCMM Classifier Type

Use the following configuration statement to specify which version of the PCMM classifiers you are using:

shared sae configuration driver pcmm {
disable-pcmm-iO3-policy disable-pcmm-iO3-policy;
}

To specify whether or not the SAE sends classifiers to the router that comply with PCMM IO3:

  1. From configuration mode, access the configuration statement that configures the PCMM driver.

     user@host# edit shared sae configuration driver pcmm

  2. Enable or disable the sending of classifiers that comply with PCMM IO3 to the router. Disable this option if your network deployment has CMTS devices that do not support PCMM IO3.

     [edit shared sae configuration driver pcmm]
     user@host# set disable-pcmm-iO3-policy disable-pcmm-iO3-policy

Specifying Port Access for Traffic Classification

In the SRC software, the way that you specify a range of port numbers greater than or less than a specific value in a traffic classifier is different from the way you define a range in the configuration on JUNOSe routers.

In the SRC CLI, you specify ranges by setting the port-operation and from-port options in the command statements.

To specify a range of port numbers greater or less than a specified value, you can:

To configure port numbers greater than a defined value by specifying which values are allowed:

  1. For the port-operation option, enter eq.
  2. For the from-port option, enter the range of ports allowed.

For example, to specify access to all port numbers greater than 10, specify 11..65535.

To configure port numbers greater than a defined value by specifying which values are not allowed:

  1. For the port-operation option, enter neq.
  2. For the from-port option, enter the range of ports not allowed.

For example, to specify access to all port numbers greater than 10, specify 1..9.

To configure port numbers less than a defined value by specifying which values are allowed:

  1. For the port-operation option, enter eq.
  2. For the from-port option, enter the range of ports.

For example, to specify access to all port numbers less than 10, specify 1..9.

To configure port numbers less than a defined value by specifying which values are not allowed:

  1. For the port-operation option, enter neq.
  2. For the from-port option, enter the range of ports.

For example, to specify access to all port numbers less than 10, specify 11..65535.
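The four forms above are easy to get wrong at the boundaries, so a small evaluator helps when reviewing a classifier before it is installed. The following is an added example, not code from the SRC documentation or the SRC software. It models the rule the text describes (port-operation eq matches a port inside the from-port range, neq matches a port outside it) and assumes a port space of 0..65535; whether the router treats port 0 as part of the complement of a neq range is an assumption to verify against your own deployment. Running it shows that the two neq forms also match the boundary port itself (port 10) and port 0, which the eq forms do not.

```python
"""Evaluate SRC-style port-operation / from-port classifier settings.

Added example (not from the SRC documentation). The 0..65535 port space and
the treatment of port 0 are assumptions of this model.
"""

PORT_MIN, PORT_MAX = 0, 65535  # assumed port space


def parse_port_range(spec: str) -> range:
    """Parse a from-port value such as "11..65535" or a single port "80"."""
    if ".." in spec:
        lo, hi = (int(p) for p in spec.split("..", 1))
    else:
        lo = hi = int(spec)
    if not (PORT_MIN <= lo <= hi <= PORT_MAX):
        raise ValueError(f"invalid port range: {spec}")
    return range(lo, hi + 1)


def port_matches(port_operation: str, from_port: str, port: int) -> bool:
    """Return True if a packet carrying `port` satisfies the condition."""
    in_range = port in parse_port_range(from_port)
    if port_operation == "eq":
        return in_range
    if port_operation == "neq":
        return not in_range
    raise ValueError(f"unknown port-operation: {port_operation}")


def matched_intervals(port_operation: str, from_port: str) -> list:
    """Return the inclusive (lo, hi) port intervals the condition matches.

    For neq this is the complement of from-port within the assumed port space,
    which makes the boundary behaviour of a rule visible at a glance.
    """
    r = parse_port_range(from_port)
    lo, hi = r.start, r.stop - 1
    if port_operation == "eq":
        return [(lo, hi)]
    if port_operation == "neq":
        out = []
        if lo > PORT_MIN:
            out.append((PORT_MIN, lo - 1))
        if hi < PORT_MAX:
            out.append((hi + 1, PORT_MAX))
        return out
    raise ValueError(f"unknown port-operation: {port_operation}")


def documented_forms() -> dict:
    """The four forms from the text, with the port intervals each actually matches."""
    return {
        "greater than 10 (eq)": matched_intervals("eq", "11..65535"),
        "greater than 10 (neq)": matched_intervals("neq", "1..9"),
        "less than 10 (eq)": matched_intervals("eq", "1..9"),
        "less than 10 (neq)": matched_intervals("neq", "11..65535"),
    }


if __name__ == "__main__":
    for label, intervals in documented_forms().items():
        print(f"{label:24s} -> {intervals}")
    # The neq forms include the boundary port 10 and port 0; the eq forms do not.
    print("neq 1..9 matches port 10:", port_matches("neq", "1..9", 10))
    print("eq 11..65535 matches port 10:", port_matches("eq", "11..65535", 10))
```

When a policy is meant to exclude a specific port (for example, everything except the management port), the eq form with an explicit range states the intent directly, whereas the neq form depends on the complement the router computes; comparing the two intervals as above is a cheap review step.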

Creating a Classify-Traffic Condition

You create classify-traffic conditions within policy rules. Use the following configuration statements to create a classify-traffic condition:

policies group name list name rule name traffic-condition name {
match-direction match-direction;

description description;
}


To add a classify-traffic condition:

  1. From configuration mode, create a classify-traffic condition inside a policy rule that has already been created and configured. For example, to create a traffic-condition called ctc within policy rule nat:

     user@host# edit policies group junos list staticnat rule nat traffic-condition ctc

  2. (Optional) For JUNOS ASP policy rules, specify the direction of the packet flow on which you want to match packets.

     [edit policies group junos list staticnat rule nat traffic-condition ctc]
     user@host# set match-direction match-direction

  3. (Optional) Provide a description of the classify-traffic condition.

     [edit policies group junos list staticnat rule nat traffic-condition ctc]
     user@host# set description description

  4. (Optional) Verify your classify-traffic condition configuration.

     [edit policies group junos list staticnat rule nat traffic-condition ctc]
     user@host# show
     match-direction output;
     description "Static NAT destination classifier";

Configuring Source Networks

Use the following configuration statements to add source networks to a classify-traffic condition:

policies group name list name rule name traffic-condition name source-network network
{
ip-address ip-address;

ip-mask ip-mask;

ip-operation ip-operation;
}

To add a source network to a classify-traffic condition:

  1. From configuration mode, enter the source network within a classify-traffic condition. For example:

     user@host# edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network network

  2. (Optional) Configure the IP address of the source network or host.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network network]
     user@host# set ip-address ip-address

  3. (Optional) Configure the IP mask of the source network or host.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network network]
     user@host# set ip-mask ip-mask

  4. (Optional) Specify whether the software matches packets with an IP address that is equal or not equal to the specified address and mask.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network network]
     user@host# set ip-operation ip-operation

  5. (Optional) Verify your source network configuration.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network network]
     user@host# show
     ip-address interface_ipAddress;
     ip-mask interface_ipMask;
     ip-operation is_not;

Configuring Source Grouped Networks

You can configure source networks in grouped format. For JUNOS ASP policy rules, you must enter source networks in grouped format.

Use the following configuration statement to add source networks in a grouped format to a classify-traffic condition:

policies group name list name rule name traffic-condition name source-network
group-network {
network-specifier network-specifier;
}

To add a grouped source network to a classify-traffic condition:

  1. From configuration mode, enter the source network within a classify-traffic condition. For example:

     user@host# edit policies folder junose group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network group-network

  2. (Optional) Configure the IP address of the source network or host.

     For JUNOS ASP policy rules, you must enter networks in the format <ip address>/<prefix length>. The router rejects the <ip address>/<mask> format.

     [edit policies folder junose group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network group-network]
     user@host# set network-specifier network-specifier

  3. (Optional) Verify your source network configuration.

     [edit policies folder junose group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network group-network]
     user@host# show
     network-specifier gateway_ipAddress;

Configuring Destination Networks

Use the following configuration statements to add destination networks to a classify-traffic condition:

policies group name list name rule name traffic-condition name destination-network
network {
ip-address ip-address;

ip-mask ip-mask;

ip-operation ip-operation;
}

To add a destination network to a classify-traffic condition:

  1. From configuration mode, enter the destination network within a classify-traffic condition. For example:

     user@host# edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network network

  2. (Optional) Configure the IP address of the destination network or host.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network network]
     user@host# set ip-address ip-address

  3. (Optional) Configure the IP mask of the destination network or host.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network network]
     user@host# set ip-mask ip-mask

  4. (Optional) Specify whether the software matches packets with an IP address that is equal or not equal to the specified address and mask.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network network]
     user@host# set ip-operation ip-operation

  5. (Optional) Verify your destination network configuration.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network network]
     user@host# show
     ip-address interface_ipAddress;
     ip-mask interfac_ipMask;
     ip-operation is;

Configuring Destination Grouped Networks

You can configure destination networks in grouped format. For JUNOS ASP policy rules, you must enter destination networks in grouped format.

Use the following configuration statements to add destination networks in a grouped format to a classify-traffic condition:

policies group name list name rule name traffic-condition name destination-network
group-network {
network-specifier network-specifier;
}

To add a grouped destination network to a classify-traffic condition:

  1. From configuration mode, enter the destination network within a classify-traffic condition. For example:

     user@host# edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network group-network

  2. (Optional) Configure the IP address of the destination network or host.

     For JUNOS ASP policy rules, you must enter networks in the format "<ip address>/<prefix length>".

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network group-network]
     user@host# set network-specifier network-specifier

  3. (Optional) Verify your destination network configuration.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network group-network]
     user@host# show
     network-specifier any;

Configuring Protocol Conditions

The procedure in this section shows how to configure general protocol conditions.

Use the following configuration statements to add general protocol conditions to a classify-traffic condition:

policies group name list name rule name traffic-condition name protocol-condition {
protocol protocol;

protocol-operation protocol-operation;

ip-flags ip-flags;

ip-flags-mask ip-flags-mask;

fragment-offset fragment-offset;

packet-length packet-length;
}

To add general protocol conditions to a classify-traffic condition:

  1. From configuration mode, enter the general protocol condition configuration. For example:

     user@host# edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition

  2. Configure the protocol matched by this classify-traffic condition.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
     user@host# set protocol protocol

  3. Configure the policy to match packets with the protocol that is either equal or not equal to the specified protocol.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
     user@host# set protocol-operation protocol-operation

  4. (Optional) Configure the value of the IP flags field in the IP header.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
     user@host# set ip-flags ip-flags

  5. (Optional) Configure the mask that is associated with the IP flags.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
     user@host# set ip-flags-mask ip-flags-mask

  6. (Optional) Configure the value of the fragment offset field.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
     user@host# set fragment-offset fragment-offset

  7. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
     user@host# set packet-length packet-length

  8. (Optional) Verify your protocol condition configuration.

     [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
     user@host# show
     protocol 0;
     protocol-operation 1;
     ip-flags 0;
     ip-flags-mask 0;
     fragment-offset any;

Configuring Protocol Conditions with Ports

Use the following configuration statements to add general protocol conditions with ports to a classify-traffic condition:

policies group name list name rule name traffic-condition name protocol-port-condition {
protocol protocol;

protocol-operation protocol-operation;

ip-flags ip-flags;

ip-flags-mask ip-flags-mask;

fragment-offset fragment-offset;

packet-length packet-length;
}

policies group name list name rule name traffic-condition name protocol-port-condition
destination-port port {
port-operation port-operation;

from-port from-port;
}

policies group name list name rule name traffic-condition name protocol-port-condition
source-port port {
port-operation port-operation;

from-port from-port;
}

To add general protocol conditions with ports to a classify-traffic condition:

  1. From configuration mode, enter the protocol port condition configuration. For example:

     user@host# edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition

  2. Configure the protocol matched by this classify-traffic condition.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
     user@host# set protocol protocol

  3. Configure the policy to match packets with the protocol that is either equal or not equal to the specified protocol.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
     user@host# set protocol-operation protocol-operation

  4. (Optional) Configure the value of the IP flags field in the IP header.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
     user@host# set ip-flags ip-flags

  5. (Optional) Configure the mask that is associated with the IP flags.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
     user@host# set ip-flags-mask ip-flags-mask

  6. (Optional) Configure the value of the fragment offset field.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
     user@host# set fragment-offset fragment-offset

  7. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
     user@host# set packet-length packet-length

  8. (Optional) Enter the destination port configuration for the protocol port configuration.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
     user@host# edit destination-port

  9. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition destination-port port]
     user@host# set port-operation port-operation

  10. (Optional) Configure the destination port.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition destination-port port]
     user@host# set from-port from-port

  11. (Optional) Enter the source port configuration for the protocol port configuration.

     user@host# up

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
     user@host# edit source-port

  12. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition source-port port]
     user@host# set port-operation port-operation

  13. (Optional) Configure the source port.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition source-port port]
     user@host# set from-port from-port

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition source-port port]
     user@host# up

  14. (Optional) Verify your protocol condition configuration.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
     user@host# show
     protocol 17;
     protocol-operation 1;
     ip-flags ipFlags;
     ip-flags-mask ipFlagsMask;
     fragment-offset ipFragOffset;
     packet-length packetLength;
     destination-port {
       port {
         port-operation eq;
         from-port service_port;
       }
     }
     source-port {
       port {
         port-operation eq;
         from-port service_port;
       }
     }

Configuring Protocol Conditions with Parameters

Use the following configuration statements to configure classify-traffic conditions that contain a parameter value for the protocol:

policies group name list name rule name traffic-condition name
parameter-protocol-condition {
protocol protocol;

protocol-operation protocol-operation;

tcp-flags tcp-flags;

tcp-flags-mask tcp-flags-mask;

spi spi;

ip-flags ip-flags;

ip-flags-mask ip-flags-mask;

fragment-offset fragment-offset;

packet-length packet-length;
}

policies group name list name rule name traffic-condition name
parameter-protocol-condition proto-attr {
icmp-type icmp-type;

icmp-code icmp-code;

igmp-type igmp-type;
}

policies group name list name rule name traffic-condition name
parameter-protocol-condition proto-attr destination-port port {
port-operation port-operation;

from-port from-port;
}

policies group name list name rule name traffic-condition name
parameter-protocol-condition proto-attr source-port port {
port-operation port-operation;

from-port from-port;
}

To configure a protocol condition that contains a parameter value for the protocol:

  1. From configuration mode, enter the parameter protocol condition configuration. For example:

     user@host# edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition

  2. Assign a parameter as the protocol matched by this classify-traffic condition.

     Before you assign a parameter, you must create a parameter of type protocol and commit the parameter configuration.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# set protocol protocol

  3. (Optional) Configure the policy to match packets with the protocol that is either equal or not equal to the specified protocol.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# set protocol-operation protocol-operation

  4. (Optional) Configure the value of the TCP flags field in the TCP header.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# set tcp-flags tcp-flags

  5. (Optional) Configure the mask associated with the TCP flags.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# set tcp-flags-mask tcp-flags-mask

  6. (Optional) Specify the authentication header (AH) or the encapsulating security payload (ESP) security parameter index (SPI).

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# set spi spi

  7. (Optional) Configure the value of the IP flags field in the IP header.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# set ip-flags ip-flags

  8. (Optional) Configure the mask that is associated with the IP flags.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# set ip-flags-mask ip-flags-mask

  9. (Optional) Configure the value of the fragment offset field.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# set fragment-offset fragment-offset

  10. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# set packet-length packet-length

  11. (Optional) Enter the protocol attribute configuration.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# edit proto-attr

  12. (Optional) Configure the ICMP packet type.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
     user@host# set icmp-type icmp-type

  13. (Optional) Configure the ICMP code.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
     user@host# set icmp-code icmp-code

  14. (Optional) Configure the IGMP packet type on which to match.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
     user@host# set igmp-type igmp-type

  15. (Optional) Enter the destination port configuration.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
     user@host# edit destination-port port

  16. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr destination-port port]
     user@host# set port-operation port-operation

  17. (Optional) Configure the TCP or UDP destination port.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr destination-port port]
     user@host# set from-port from-port

  18. (Optional) Enter the source port configuration.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr destination-port port]
     user@host# up

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
     user@host# edit source-port port

  19. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr source-port port]
     user@host# set port-operation port-operation

  20. (Optional) Configure the TCP or UDP source port.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr source-port port]
     user@host# set from-port from-port

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr source-port port]
     user@host# up

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr source-port]
     user@host# up

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
     user@host# up

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# up

  21. (Optional) Verify the parameter protocol configuration.

     [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
     user@host# show
     protocol protocol;
     protocol-operation is;
     tcp-flags 0;
     tcp-flags-mask 0;
     ip-flags 0;
     ip-flags-mask 0;
     proto-attr {
       icmp-type 255;
       icmp-code 255;
       destination-port {
         port {
           port-operation eq;
           from-port outsidePort;
         }
       }
     }

Configuring TCP Conditions

Use the following configuration statements to add TCP conditions to a classify-traffic condition:

policies group name list name rule name traffic-condition name tcp-condition {
tcp-flags tcp-flags;
tcp-flags-mask tcp-flags-mask;
protocol protocol;
protocol-operation protocol-operation;
ip-flags ip-flags;
ip-flags-mask ip-flags-mask;
fragment-offset fragment-offset;
packet-length packet-length;
}

Because the protocol is already set to TCP, do not change the protocol or protocol-operation options.

policies group name list name rule name traffic-condition name tcp-condition
destination-port port {
port-operation port-operation;

from-port from-port;
}

policies group name list name rule name traffic-condition name tcp-condition
source-port port {
port-operation port-operation;

from-port from-port;
}

To add TCP conditions to a classify-traffic condition:

  1. From configuration mode, enter the TCP configuration. For example:

     user@host# edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition

  2. (Optional) Configure the value of the TCP flags field in the TCP header.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
     user@host# set tcp-flags tcp-flags

  3. (Optional) Configure the mask associated with the TCP flags.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
     user@host# set tcp-flags-mask tcp-flags-mask

  4. (Optional) Configure the value of the IP flags field in the IP header.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
     user@host# set ip-flags ip-flags

  5. (Optional) Configure the mask that is associated with the IP flags.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
     user@host# set ip-flags-mask ip-flags-mask

  6. (Optional) Configure the value of the fragment offset field.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
     user@host# set fragment-offset fragment-offset

  7. (Optional) For JUNOS filter policies, configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
     user@host# set packet-length packet-length

  8. (Optional) Enter the destination port configuration for the TCP configuration.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
     user@host# edit destination-port port

  9. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition destination-port port]
     user@host# set port-operation port-operation

  10. (Optional) Configure the destination port.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition destination-port port]
     user@host# set from-port from-port

  11. (Optional) Enter the source port configuration for the TCP configuration.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition destination-port port]
     user@host# up

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
     user@host# edit source-port port

  12. (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition source-port port]
     user@host# set port-operation port-operation

  13. (Optional) Configure the source port.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition source-port port]
     user@host# set from-port from-port

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition source-port port]
     user@host# up

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition source-port]
     user@host# up

  14. (Optional) Verify the TCP condition configuration.

     [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
     user@host# show
     tcp-flags 0;
     tcp-flags-mask 0;
     protocol tcp;
     protocol-operation is;
     ip-flags 0;
     ip-flags-mask 0;
     destination-port {
       port {
         port-operation eq;
         from-port service_port;
       }
     }
     source-port {
       port {
         port-operation eq;
         from-port service_port;
       }
     }

Configuring ICMP Conditions

Use the following configuration statements to add ICMP conditions to a classify-traffic condition:

policies group name list name rule name traffic-condition name icmp-condition {
protocol protocol;

protocol-operation protocol-operation;

ip-flags ip-flags;

ip-flags-mask ip-flags-mask;

fragment-offset fragment-offset;

packet-length packet-length;

icmp-type icmp-type;

icmp-code icmp-code;
}

Because the protocol is already set to ICMP, do not change the protocol or protocol-operation options.

To add ICMP conditions to a classify-traffic condition:

  1. From configuration mode, enter the ICMP configuration. For example:

     user@host# edit policies group bod list input rule pr traffic-condition ctc icmp-condition

  2. (Optional) Configure the value of the IP flags field in the IP header.

     [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
     user@host# set ip-flags ip-flags

  3. (Optional) Configure the mask that is associated with the IP flag.

     [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
     user@host# set ip-flags-mask ip-flags-mask

  4. (Optional) Configure the value of the fragment offset field.

     [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
     user@host# set fragment-offset fragment-offset

  5. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

     [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
     user@host# set packet-length packet-length

  6. (Optional) Configure the ICMP packet type on which to match. The packet type must be supported by the router or CMTS device.

     [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
     user@host# set icmp-type icmp-type

  7. (Optional) Configure the ICMP code on which to match. The ICMP code must be supported by the router or CMTS device.

     [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
     user@host# set icmp-code icmp-code

  8. (Optional) Verify the ICMP condition configuration.

     [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
     user@host# show
     protocol icmp;
     protocol-operation 1;
     ip-flags ipFlags;
     ip-flags-mask ipFlagsMask;
     fragment-offset ipFragOffset;
     icmp-type icmpType;
     icmp-code icmpCode;

Configuring IGMP Conditions

Use the following configuration statements to add IGMP conditions to a classify-traffic condition:

policies group name list name rule name traffic-condition name igmp-condition {
protocol protocol;

protocol-operation protocol-operation;

ip-flags ip-flags;

ip-flags-mask ip-flags-mask;

fragment-offset fragment-offset;

packet-length packet-length;

igmp-type igmp-type;
}

Because the protocol is already set to IGMP, do not change the protocol or protocol-operation options.

To add IGMP conditions to a classify-traffic condition:

  1. From configuration mode, enter the IGMP configuration. For example:

     user@host# edit policies group junose list pl rule pr traffic-condition ctc igmp-condition

  2. (Optional) Configure the value of the IP flags field in the IP header.

     [edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]
     user@host# set ip-flags ip-flags

  3. (Optional) Configure the mask that is associated with the IP flag.

     [edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]
     user@host# set ip-flags-mask ip-flags-mask

  4. (Optional) Configure the value of the fragment offset field.

     [edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]
     user@host# set fragment-offset fragment-offset

  5. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

     [edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]
     user@host# set packet-length packet-length

  6. (Optional) Configure the IGMP packet type on which to match.

     [edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]
     user@host# set igmp-type igmp-type

  7. (Optional) Verify the IGMP condition configuration.

     [edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]
     user@host# show
     protocol igmp;
     protocol-operation 1;
     ip-flags 0;
     ip-flags-mask 0;
     fragment-offset 0;
     igmp-type igmpType;

Configuring IPSec Conditions

You can configure IPSec conditions for JUNOS policy rules. Use the following configuration statements to add IPSec conditions to a classify-traffic condition:

policies group name list name rule name traffic-condition name ipsec-condition {
spi spi;

ip-flags ip-flags;

ip-flags-mask ip-flags-mask;

fragment-offset fragment-offset;

packet-length packet-length;

protocol protocol;

protocol-operation protocol-operation;
}

To add IPSec conditions to a classify-traffic condition:

  1. From configuration mode, enter the IPSec configuration. For example:

     user@host# edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition

  2. (Optional) Specify the authentication header (AH) or the encapsulating security payload (ESP) security parameter index (SPI).

     [edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]
     user@host# set spi spi

  3. (Optional) Configure the value of the IP flags field in the IP header.

     [edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]
     user@host# set ip-flags ip-flags

  4. (Optional) Configure the mask that is associated with the IP flag.

     [edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]
     user@host# set ip-flags-mask ip-flags-mask

  5. (Optional) Configure the value of the fragment offset field.

     [edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]
     user@host# set fragment-offset fragment-offset

  6. (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.

     [edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]
     user@host# set packet-length packet-length

  7. Configure the protocol matched by this classify-traffic condition.

     [edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]
     user@host# set protocol protocol

  8. (Optional) Verify the IPSec condition configuration.

     [edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]
     user@host# show
     spi 2;
     ip-flags 0;
     ip-flags-mask 0;
     fragment-offset 0;
     packet-length packetLength;
     protocol ah;
     protocol-operation 1;

Configuring ToS Byte Conditions

Use this condition to define a particular traffic flow to the service's network for the DA IP field in the IP packet.

The CoS feature on JUNOS routing platforms supports DiffServ as well as six-bit IP header ToS byte settings. The DiffServ protocol uses the ToS byte in the IP header. The most significant six bits of this byte form the Differentiated Services code point (DSCP). The CoS feature uses DSCPs to determine the forwarding class associated with each packet. It also uses the ToS byte and ToS byte mask to determine IP precedence.

Use the following configuration statements to add ToS conditions to a classify-traffic condition:

policies group name list name rule name traffic-condition name tos {
tos-byte tos-byte;
tos-byte-mask tos-byte-mask;
}

To add ToS conditions to a classify-traffic condition:

  1. From configuration mode, enter the ToS configuration. For example:

     user@host# edit policies group junos list bodVpn rule pr traffic-condition ctc tos

  2. (Optional) Configure the value of the ToS byte in the IP packet header.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc tos]
     user@host# set tos-byte tos-byte

  3. (Optional) Configure the mask associated with the ToS byte.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc tos]
     user@host# set tos-byte-mask tos-byte-mask

  4. (Optional) Verify the ToS condition configuration.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc tos]
     user@host# show
     tos-byte tosByte;
     tos-byte-mask tosMask;

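The tcp-condition options (TCP flags and mask, IP flags and mask, fragment offset, packet length, port-operation eq/neq with from-port) and the tos-byte/tos-byte-mask condition all select packets by comparing header fields. The following Python is an added example, not SRC or JUNOS code, that models that selection and the DSCP/IP-precedence split of the ToS byte described above; it assumes that a value/mask pair matches when (header & mask) == (value & mask), and the packet, condition and port-80/DSCP EF values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

TCP_SYN, TCP_ACK = 0x02, 0x10   # TCP flag bits
IP_FLAG_MF = 0x1                # "more fragments" bit of the 3-bit IP flags field

@dataclass
class Packet:
    """Constructed packet summary: only the header fields the conditions read."""
    protocol: str
    length: int
    tos: int = 0
    ip_flags: int = 0
    frag_offset: int = 0
    tcp_flags: int = 0
    src_port: int = 0
    dst_port: int = 0

@dataclass
class TcpCondition:
    """One tcp-condition; None means the option was left unconfigured."""
    tcp_flags: int = 0
    tcp_flags_mask: int = 0
    ip_flags: int = 0
    ip_flags_mask: int = 0
    fragment_offset: Optional[int] = None
    packet_length: Optional[int] = None
    dst_port: Optional[int] = None
    dst_port_op: str = "eq"
    src_port: Optional[int] = None
    src_port_op: str = "eq"

def masked_match(value: int, mask: int, header: int) -> bool:
    """Assumed value/mask semantics: only the bits set in the mask are compared."""
    return (header & mask) == (value & mask)

def port_match(op: str, wanted: Optional[int], seen: int) -> bool:
    if wanted is None:          # port option not configured: matches any port
        return True
    if op not in ("eq", "neq"):
        raise ValueError(f"unknown port-operation {op!r}")
    return (seen == wanted) if op == "eq" else (seen != wanted)

def tcp_condition_matches(cond: TcpCondition, pkt: Packet) -> bool:
    """protocol tcp is implied by the tcp-condition hierarchy itself."""
    return (
        pkt.protocol == "tcp"
        and masked_match(cond.tcp_flags, cond.tcp_flags_mask, pkt.tcp_flags)
        and masked_match(cond.ip_flags, cond.ip_flags_mask, pkt.ip_flags)
        and (cond.fragment_offset is None or pkt.frag_offset == cond.fragment_offset)
        and (cond.packet_length is None or pkt.length == cond.packet_length)
        and port_match(cond.dst_port_op, cond.dst_port, pkt.dst_port)
        and port_match(cond.src_port_op, cond.src_port, pkt.src_port)
    )

def dscp(tos: int) -> int:
    """DSCP is the most significant six bits of the ToS byte (RFC 2474)."""
    return (tos >> 2) & 0x3F

def ip_precedence(tos: int) -> int:
    """IP precedence is the most significant three bits of the ToS byte."""
    return (tos >> 5) & 0x7

def tos_condition_matches(tos_byte: int, tos_byte_mask: int, pkt: Packet) -> bool:
    return masked_match(tos_byte, tos_byte_mask, pkt.tos)

# Constructed: SYN-only (ACK clear), unfragmented segments to port 80, and DSCP EF (46) with ECN ignored.
NEW_HTTP_CONNECTIONS = TcpCondition(tcp_flags=TCP_SYN, tcp_flags_mask=TCP_SYN | TCP_ACK,
                                    ip_flags=0, ip_flags_mask=IP_FLAG_MF, fragment_offset=0, dst_port=80)
EF_TOS_BYTE, EF_TOS_MASK = 46 << 2, 0xFC
```

A mask of 0 (the default shown in the show output above) compares no bits, so that field never excludes a packet.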
Configuring JUNOS Filter Conditions

Use the following configuration statements to configure JUNOS filter conditions.

policies group name list name rule name traffic-condition name traffic-match-condition {
forwarding-class forwarding-class;
interface-group interface-group;
source-class source-class;
destination-class destination-class;
allow-ip-options allow-ip-options;
}

To add JUNOS filter conditions to a classify-traffic condition:

  1. From configuration mode, enter the JUNOS filter condition configuration. For example:

     user@host# edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition

  2. (Optional) Configure the name of a forwarding class to match.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]
     user@host# set forwarding-class forwarding-class

  3. (Optional) Configure the condition to match packets based on the interface group on which the packet was received.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]
     user@host# set interface-group interface-group

  4. (Optional) Configure the condition to match packets based on source class. A source class is a set of source prefixes grouped together and given a class name. You usually match source and destination classes for output firewall filters.

     You cannot match on both source class and destination class at the same time. You must choose one or the other.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]
     user@host# set source-class source-class

  5. (Optional) Configure the condition to match packets based on destination class. A destination class is a set of destination prefixes grouped together and given a class name. You usually match source and destination classes for output firewall filters.

     You cannot match on both source class and destination class at the same time. You must choose one or the other.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]
     user@host# set destination-class destination-class

  6. (Optional) Configure the condition to match packets based on IP options.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]
     user@host# set allow-ip-options allow-ip-options

  7. (Optional) Verify the JUNOS filter condition configuration.

     [edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]
     user@host# show
     forwarding-class fc_expedited;
     interface-group 42;
     source-class gold-class;
     destination-class gold-class;
     allow-ip-options strict-source-route;

Configuring Application Protocol Conditions

You can define application protocols for the stateful firewall and NAT services to use in match condition rules. An application protocol defines application parameters by using information from network layer 3 and above. Examples of such applications are FTP and H.323.

Use the following configuration statements to add application protocol conditions to a classify-traffic condition:

policies group name list name rule name traffic-condition name
application-protocol-condition name {
protocol protocol;
application-protocol application-protocol;
idle-timeout idle-timeout;
dce-rpc-uuid dce-rpc-uuid;
rpc-program-number rpc-program-number;
snmp-command snmp-command;
ttl-threshold ttl-threshold;
}

policies group name list name rule name traffic-condition name
application-protocol-condition name proto-attr {
icmp-type icmp-type;
icmp-code icmp-code;
}

policies group name list name rule name traffic-condition name
application-protocol-condition name proto-attr destination-port port {
from-port from-port;
}

policies group name list name rule name traffic-condition name
application-protocol-condition name proto-attr source-port port {
from-port from-port;
}

To add application protocol conditions to a classify-traffic condition:

  1. From configuration mode, enter the application protocol configuration. In this procedure, apc is the name of the application protocol condition. For example:

     user@host# edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc

  2. (Optional) Configure the network protocol to match.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
     user@host# set protocol protocol

  3. (Optional) Configure the application protocol to match.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
     user@host# set application-protocol application-protocol

  4. (Optional) Configure the length of time the application is inactive before it times out.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
     user@host# set idle-timeout idle-timeout

  5. (Optional) For the DCE RPC application protocol, configure the universal unique identifier (UUID).

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
     user@host# set dce-rpc-uuid dce-rpc-uuid

  6. (Optional) For the remote procedure call (RPC) application protocol, configure an RPC program number.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
     user@host# set rpc-program-number rpc-program-number

  7. (Optional) Configure the SNMP command for packet matching.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
     user@host# set snmp-command snmp-command

  8. (Optional) For the traceroute application protocol, configure the traceroute time-to-live (TTL) threshold value. This value sets the acceptable level of network penetration for trace routing.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
     user@host# set ttl-threshold ttl-threshold

  9. (Optional) Enter configuration mode for the protocol attribute.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
     user@host# edit proto-attr

  10. (Optional) For the ICMP protocol, configure the ICMP packet type.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
     user@host# set icmp-type icmp-type

  11. (Optional) For the ICMP protocol, configure the ICMP code.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
     user@host# set icmp-code icmp-code

  12. (Optional) Enter the destination port configuration.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
     user@host# edit destination-port port

  13. (Optional) Configure the TCP or UDP destination port.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr destination-port port]
     user@host# set from-port from-port

  14. (Optional) Enter the source port configuration.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr destination-port port]
     user@host# up

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
     user@host# edit source-port port

  15. (Optional) Configure the TCP or UDP source port.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr source-port port]
     user@host# set from-port from-port

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr source-port port]
     user@host# up

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr source-port]
     user@host# up

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]
     user@host# up

  16. (Optional) Verify the application protocol condition configuration.

     [edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]
     user@host# show
     protocol ip;
     application-protocol dce_rpc;
     idle-timeout 900;
     dce-rpc-uuid dce_rpc;
     snmp-command get;
     ttl-threshold 25;
     proto-attr {
       icmp-type icmpType;
       icmp-code icmpCode;
       destination-port {
         port {
           from-port 11..655;
         }
       }
       source-port {
         port {
           from-port service_port;
         }
       }
     }

Using Map Expressions in Application Protocol Conditions

The application protocol condition is a case in which you might use a map expression to define multiple attributes in one option—the application-protocol option. Maps are a list of attributeName=value pairs separated by commas and enclosed in curly brackets. For example, the map {applicationProtocol="ftp", sourcePort=123, inactivityTimeout=60} supplies the application protocol, source port, and inactivity timeout in one option.

Another map {applicationType="tcp", inactivityTimeout=60, destinationPort=80} supplies the protocol, inactivity timeout, and destination port.

You can also create a local parameter, add a map expression as the default value of the parameter, and then enter the local parameter in the application-protocol option.
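The map grammar described above, as an added example parser that is not part of SRC: it accepts the comma-separated attributeName=value list in curly brackets, with quoted-string or integer values, and checks that any sourcePort or destinationPort value is a valid port number before the map is used as an option value or as a local parameter's default. The attribute names are the ones shown on this page; the 0..65535 port-range check and the rejection of duplicate names are assumptions added here.

```python
import re

# One attributeName=value pair: a quoted string or a decimal integer,
# followed by a comma or the end of the map body.
_PAIR = re.compile(r'\s*([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|(-?\d+))\s*(,|$)')

def parse_map(text: str) -> dict:
    """Parse {name=value, ...} into a dict; strings stay str, integers become int."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("map expression must be enclosed in curly brackets")
    inner, pos, attrs = body[1:-1], 0, {}
    if not inner.strip():
        return attrs
    while pos < len(inner):
        m = _PAIR.match(inner, pos)
        if m is None:
            raise ValueError(f"malformed attributeName=value pair at: {inner[pos:].strip()!r}")
        name, text_val, int_val, sep = m.groups()
        if name in attrs:                       # assumed rule: a name may appear once
            raise ValueError(f"attribute {name} appears twice")
        attrs[name] = text_val if text_val is not None else int(int_val)
        pos = m.end()
        if sep == "," and pos >= len(inner):
            raise ValueError("trailing comma in map expression")
    return attrs

def check_ports(attrs: dict) -> dict:
    """Assumed check: sourcePort/destinationPort must be integers in 0..65535."""
    for key in ("sourcePort", "destinationPort"):
        value = attrs.get(key)
        if value is not None and not (isinstance(value, int) and 0 <= value <= 65535):
            raise ValueError(f"{key}={value!r} is not a valid port number")
    return attrs

def is_valid_map(text: str) -> bool:
    """True when the map parses and its port attributes are in range."""
    try:
        check_ports(parse_map(text))
    except ValueError:
        return False
    return True
```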

