Configuring Classify-Traffic Conditions
You can create classify-traffic conditions in JUNOSe policy rules, in JUNOS ASP and JUNOS filter policy rules, and in PCMM policy rules. To create a classify-traffic condition:
- In the Policy Editor navigation pane, right-click a policy rule object, and select New > Condition > ClassifyTrafficCondition.
The ClassifyTrafficCondition Name dialog box appears.
- Enter a name for the condition, and click OK.
The new ClassifyTrafficCondition content pane appears.
See Classify-Traffic Condition Fields.
For information about configuring port ranges for traffic classifiers, see Specifying Port Access for Traffic Classification.
If you are configuring classifiers for PCMM policies, you can specify whether the classifier will be used in a PCMM I02 or I03 network. By default, the software translates classify-traffic conditions into PCMM I02 classifiers.
For JUNOSe policies, you can specify that the SAE expands the classifier into multiple classifiers before it installs the policy on the router.
Enabling Expansion of JUNOSe Classify Traffic Conditions
For information about expanded classifiers, see Expanded Classifiers.
To use SDX Configuration Editor to enable the expansion of JUNOSe classify-traffic conditions:
- In the navigation pane, select a configuration file for the SAE that you want to configure.
- Select the Miscellaneous tab, and expand the Policy Management Configuration section.
- Edit or accept the default value.
See Enable JUNOSe Classifier Expansion Field.
- Select File > Save.
- Right-click the configuration file, and select SDX System Configuration > Export to LDAP Directory.
Enable JUNOSe Classifier Expansion Field
In SDX Configuration Editor, you can edit the following field in the Policy Management Configuration section of the Miscellaneous pane in an SAE configuration file.
Enable JUNOSe Classifier Expansion
- Specifies whether or not the SAE expands the JUNOSe classify-traffic conditions into multiple classifiers before it installs the policy on the router.
- Value—Yes or No
- Guidelines—Because classifier expansion uses processing resources each time a policy is created, set this property to Yes only if you intend to use expanded classifiers.
- Default—No
Specifying the PCMM Classifier Type
To specify which version of the PCMM classifiers that you are using, configure the Router.pcmm.disableI03policy property in the SAE property file.
See Modifying the SAE Property File in SRC-PE Subscribers and Subscriptions Guide, Chapter 5, Configuring Subscriber-Related Properties on the SAE on a Solaris Platform.
For more information about PCMM classifiers, see PCMM Classifiers.
Router.pcmm.disableI03policy
- true—The SAE sends classifiers that comply with PCMM I02 to the router.
- false—The SAE sends classifiers that comply with PCMM I03 to the router.
- Guidelines—Leave this property set to true if your network deployment includes CMTS devices that do not support PCMM I03. Set it to false only when all CMTS devices support I03; I03 classifiers are required if your classify-traffic conditions use port ranges.
- Default—true
Specifying Port Access for Traffic Classification
In the SRC software, the manner in which you specify a range of port numbers greater than or less than a specific value in a traffic classifier is different than the way you define a range in the configuration on JUNOSe routers.
In Policy Editor in the ClassifyTrafficCondition content pane, you specify ranges by setting values in the Port Operation field.
For information about accessing the configuration in the ClassifyTrafficCondition content pane, see Configuring Classify-Traffic Conditions.
For information about the Port Operation and Port fields, see Source and Destination Network Fields.
To specify a range of port numbers greater or less than a specified value, you can:
- Define the full set of port numbers in the range to be allowed
- Define the full set of port numbers in the range not allowed
To configure port numbers greater than a defined value by specifying which values are allowed, set Port Operation to eq and enter the allowed range.
For example, to specify access to all port numbers greater than 10, specify 11..65535.
To configure port numbers greater than a defined value by specifying which values are not allowed, set Port Operation to neq and enter the excluded range. The excluded range must include the boundary value itself.
For example, to specify access to all port numbers greater than 10, specify 0..10.
To configure port numbers less than a defined value by specifying which values are allowed, set Port Operation to eq and enter the allowed range.
For example, to specify access to all port numbers less than 10, specify 0..9.
To configure port numbers less than a defined value by specifying which values are not allowed, set Port Operation to neq and enter the excluded range, again including the boundary value.
For example, to specify access to all port numbers less than 10, specify 10..65535.
Classify-Traffic Condition Fields
In Policy Editor, you can modify the fields described in this section in the ClassifyTrafficCondition content pane.
The fields displayed in the ClassifyTrafficCondition pane change depending on the type of policy rule that holds the condition and on the type of protocol that you select in the Protocol field, as well as whether you select the Grouped IP Address and Raw check boxes. The classify-traffic condition fields are all described in the following sections:
- Direction Field
- Network Protocol Fields
- Source and Destination Network Fields
- Packet Length Field
- IP Protocol Fields
- ToS Byte
- TCP, ICMP, IGMP, and IPSec Protocol Fields
- JUNOS Filter Condition Fields
- Application Protocol Fields
Direction Field
Appears only in JUNOS ASP policy rules.
Match Direction
- Matches packets based on the direction of the packet flow. For stateful firewall actions, this value is used in place of the setting in the Applicability field of the policy list.
- Value
Network Protocol Fields
This section of the pane specifies how protocols are matched.
Protocol Operation
- Matches packets with the protocol that is either equal or not equal to the specified protocol.
- Value
- is—Matches packets that are equal to the specified protocol
- is_not—Matches any packets except those that are equal to the specified protocol
Protocol
- Predefined global parameter—Select a protocol from the drop-down list
- Protocol number in the range 0-257
- For PCMM classifiers, there are two special protocol values:
Source and Destination Network Fields
This section of the pane specifies source and destination networks. The Port Operation field appears only if you selected to match the TCP or UDP protocols. The Port field appears after you specify a port operation.
Grouped IP Address
- If checked, the network operation, IP address, and IP wildcard attributes are grouped into one field called Network.
- For JUNOS ASP policy rules, you must check this box and enter IP addresses in prefix format; that is, IP address/prefix length.
- Value—Checked or unchecked
- Default—Unchecked
Network Operation
- Matches packets with an IP address that is either equal or not equal to the specified address and mask.
- Value
- is—Matches the specified IP address and mask
- not—Matches any IP address and mask except the specified address and mask
- Parameter of type networkOperation
IP Address
- gateway_ipAddress—IP address of the gateway as specified by the service object
- interface_ipAddress—IP address of the router interface
- service_ipAddress—IP address of the service as specified by the service object
- user_ipAddress—IP address of the subscriber
- virtual_ipAddress—Virtual portal address of the SSP that is used in redundant redirect server installations
- Expression—For NAT actions, you can enter a range of addresses; for example, 10.10.13.1..10.10.13.100
- Parameter of type address
IP Wildcard/IP Mask
- interface_ipMask—IP mask of the interface
- service_ipMask—IP mask of the service as specified by the service object
- user_ipMask—IP mask of the subscriber
Network
- Network operation and IP subnets. This field appears only if the Grouped IP Address check box is checked.
- For JUNOS ASP policy rules, you must enter IP addresses in the format <address>/<prefix length>. The router rejects the <address>/<mask> format.
- Value—Specify the subnet in one of the following formats:
- [not] <address>/<mask>
- [not] <address>/<prefix length>
- not is optional; include it to indicate that the condition matches every address that is not in the specified subnet
- <address> and <mask> use dotted decimal notation
- <prefix length> is a number in the range 0-32, and specifies how many of the first bits in the address specify the network
- You can use a local address parameter in place of the address; for example, pubIp/32, where pubIp is a local address parameter and 32 is the prefix length
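As an added illustration (not code from the SRC software or from this guide), the following Python function normalizes a Network field value to the [not] <address>/<prefix length> form that JUNOS ASP policy rules require. It converts a dotted-decimal mask to a prefix length and rejects values the router, or a careful reviewer, would not accept: a non-contiguous mask, a prefix length outside 0-32, or a literal address with host bits set. The handling of a local address parameter such as pubIp and all function names are assumptions.

```python
import ipaddress
import re

# Added example, not SRC or Policy Editor code. The field grammar ([not],
# dotted-decimal mask or 0-32 prefix length, local address parameter such as
# pubIp) follows the Network field description; function names are hypothetical.
NETWORK_RE = re.compile(r"^\s*(not\s+)?([^\s/]+)/(\S+)\s*$")
PARAM_RE = re.compile(r"^[A-Za-z_]\w*$")   # a local address parameter, e.g. pubIp


def mask_to_prefix_length(mask: str) -> int:
    """Convert a dotted-decimal mask to a prefix length.

    Only a contiguous mask (ones followed by zeros) has a prefix-length
    equivalent. A non-contiguous mask such as 255.0.255.0 is rejected rather
    than silently widened, because a widened match would classify traffic the
    policy author never intended to include.
    """
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if bits != contiguous:
        raise ValueError(f"mask {mask} is not contiguous; no prefix length equivalent")
    return ones


def normalize_network(field: str) -> str:
    """Return the Network field value in [not] <address>/<prefix length> form.

    Raises ValueError for a malformed value, a prefix length outside 0-32,
    a non-contiguous mask, or an address literal with host bits set.
    """
    m = NETWORK_RE.match(field)
    if not m:
        raise ValueError(f"expected [not] <address>/<mask or prefix length>, got {field!r}")
    negate, address, suffix = m.groups()

    if suffix.isdigit():
        prefix_len = int(suffix)
        if not 0 <= prefix_len <= 32:
            raise ValueError(f"prefix length {prefix_len} outside 0-32")
    else:
        prefix_len = mask_to_prefix_length(suffix)

    if not PARAM_RE.match(address):
        # A literal address: the prefix must not have host bits set.
        net = ipaddress.IPv4Network((address, prefix_len), strict=False)
        if str(net.network_address) != address:
            raise ValueError(f"{address}/{prefix_len} has host bits set; use {net.network_address}")
    # A local address parameter (pubIp) is resolved by the SAE later; keep it as is.

    return f"{'not ' if negate else ''}{address}/{prefix_len}"
```

Run the value a policy author typed through normalize_network before saving a JUNOS ASP rule; the ValueError messages say what to change, while a silently accepted non-contiguous mask would change what the classifier matches.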
Port Operation
- eq—Matches packets that contain the specified port number
- neq—Matches any packet except those that contain the specified port number
- Guidelines—You can specify a range of port numbers as eq or neq to effectively specify a range greater than a specific value, or less than a specific value. For example, to specify a port range greater than 49, you can specify eq for the port range 50..65535 or neq for the range 0..49. The neq range must include the boundary value itself.
- Default—No value
Port
Use a range of ports to specify port numbers that are greater than or less than a specified port number. For example:
- To set a range of ports that is greater than 10, use 11..65535.
- To set a range of ports that is less than 200, use 0..199.
- Guidelines—PCMM I02 classifiers do not support port ranges; PCMM I03 classifiers do. If you are using PCMM I02 and you enter a range of port numbers, the software cannot translate the port, and it throws an exception.
- Default—No value
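The following Python example is added here to illustrate both the port-range rules in Specifying Port Access for Traffic Classification and the Port Operation and Port guidelines above; it is not code from the SRC software. It works out the eq and neq encodings of "greater than N" and "less than N", checks that the two encodings select exactly the same set of ports, and models the PCMM translation rule: with Router.pcmm.disableI03policy left at its default of true the SAE emits I02 classifiers, so a port range is an error, while an I03 classifier carries a range. The I03 field names (port_start, port_end) and all function names are assumptions.

```python
# Added example, not SAE or Policy Editor code; function names are hypothetical.
PORT_MIN, PORT_MAX = 0, 65535


def parse_port_field(field: str) -> tuple:
    """Parse a Port field value: a single port "80" or a range "1024..65535"."""
    lo, _, hi = field.partition("..")
    lo_n = int(lo)
    hi_n = int(hi) if hi else lo_n
    if not (PORT_MIN <= lo_n <= hi_n <= PORT_MAX):
        raise ValueError(f"port field {field!r} is not within {PORT_MIN}..{PORT_MAX}")
    return lo_n, hi_n


def port_range_for(relation: str, port: int, form: str = "eq") -> tuple:
    """Return (Port Operation, Port) for "port > N" (relation "gt") or
    "port < N" (relation "lt").

    form="eq"  lists the ports that are allowed;
    form="neq" lists the ports that are excluded, which must include N itself.
    """
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"port {port} outside {PORT_MIN}..{PORT_MAX}")
    if relation == "gt":
        allowed, excluded = (port + 1, PORT_MAX), (PORT_MIN, port)
    elif relation == "lt":
        allowed, excluded = (PORT_MIN, port - 1), (port, PORT_MAX)
    else:
        raise ValueError(f"relation must be 'gt' or 'lt', not {relation!r}")
    if allowed[0] > allowed[1]:
        raise ValueError(f"no port is {relation} {port}; the condition would never match")
    if form not in ("eq", "neq"):
        raise ValueError(f"form must be 'eq' or 'neq', not {form!r}")
    lo, hi = allowed if form == "eq" else excluded
    return form, f"{lo}..{hi}"


def selected_ports(operation: str, field: str) -> set:
    """The set of port numbers a Port Operation/Port pair matches."""
    lo, hi = parse_port_field(field)
    in_range = set(range(lo, hi + 1))
    if operation == "eq":
        return in_range
    if operation == "neq":
        return set(range(PORT_MIN, PORT_MAX + 1)) - in_range
    raise ValueError(f"operation must be 'eq' or 'neq', not {operation!r}")


def port_matches(operation: str, field: str, port: int) -> bool:
    """Evaluate a Port Operation/Port pair against a packet's port number."""
    return port in selected_ports(operation, field)


def forms_agree(relation: str, port: int) -> bool:
    """True when the eq and neq encodings select exactly the same ports."""
    return (selected_ports(*port_range_for(relation, port, "eq"))
            == selected_ports(*port_range_for(relation, port, "neq")))


def pcmm_port(field: str, disable_i03policy: bool = True) -> dict:
    """Model the SAE translation of a Port field into a PCMM classifier.

    With Router.pcmm.disableI03policy=true (the default) the SAE emits I02
    classifiers, which carry a single port only, so a range raises. With the
    property false, an I03 classifier carries a start and end port (assumed
    field names).
    """
    lo, hi = parse_port_field(field)
    if disable_i03policy:
        if lo != hi:
            raise ValueError(f"PCMM I02 classifiers do not support port ranges: {field!r}")
        return {"version": "I02", "port": lo}
    return {"version": "I03", "port_start": lo, "port_end": hi}
```

The check in forms_agree is the one worth keeping: an neq range that stops one short of the boundary (1..48 for "greater than 49") leaves port 49 matching, which is exactly the kind of off-by-one that lets a single port through a classifier meant to exclude it.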
Packet Length Field
Matches packets according to packet length. This field appears only in JUNOS policy rules.
Packet Length (bytes)
- Matches on length of the packet. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.
- Value
IP Protocol Fields
In this section of the screen, you can configure values to match fields in the IP header.
Raw
- Changes the view of the IP Flags section of the screen. You can configure IP flags and masks by number or by selecting values in a dialog box.
- Value—Checked or unchecked
- Default—Checked
IP Flags
IP Flags Mask
IP Fragmentation Offset
- For JUNOS routing platforms, integer in the range 0-8191
- Numeric expression
- Parameter of type fragOffset
IP Flags Value
- If you deselect the Raw check box, Policy Editor displays the IP Flags Value field. Click the button next to the field to configure an IP flag. The Configure IP Flags dialog box appears.
- In the Selected column, select the IP flags that you want as part of the result string.
- In the Not column, select the Not operator(s) that you want applied to the corresponding flag in the result string.
You cannot check boxes in the Not column unless the check box in the corresponding Selected column is checked.
ToS Byte
Use these fields to match a particular traffic flow by the value of the ToS byte in the IP header.
The CoS feature on JUNOS routing platforms supports DiffServ as well as six-bit IP header ToS byte settings. The DiffServ protocol uses the ToS byte in the IP header. The most significant six bits of this byte form the Differentiated Services code point (DSCP). The CoS feature uses DSCPs to determine the forwarding class associated with each packet. It also uses the ToS byte and ToS byte mask to determine IP precedence.
TOS Byte
- Integer in the range 0-255; uses whole 8 bits of the ToS byte
- Numeric expression
- Parameter of type tosByte
TOS Byte Mask
TCP, ICMP, IGMP, and IPSec Protocol Fields
If you specified the TCP, ICMP, IGMP, or the AH or ESP IPSec protocols, you can also specify the corresponding condition as shown in Figure 30.
Raw
- Changes the view of the TCP section of the pane. You can configure TCP flags and masks by number or by selecting values in a dialog box.
- Value—Checked or unchecked
- Default—Checked
TCP Flags
TCP Flags Mask
TCP Flags Value
- If you deselect the Raw check box, Policy Editor displays the TCP Flags Value field. Click the button next to the field to configure a TCP flag. The Configure TCP Flags dialog box appears.
- In the Selected column, select the TCP flags that you want as part of the result string.
- In the Not column, select the Not operator(s) that you want applied to the corresponding flag in the result string.
You cannot check boxes in the Not column unless the check box in the corresponding Selected column is checked.
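The next Python example is added to illustrate the IP Flags, TCP Flags and ToS Byte fields together; it is not code from Policy Editor. It shows how choices in the Configure IP Flags or Configure TCP Flags dialog box (Selected, plus an optional Not) correspond to the numeric value and mask entered when Raw is checked, and how a ToS Byte and ToS Byte Mask pair selects one DSCP or one IP precedence. The value/mask semantics (the mask chooses the bits examined, the value gives the bits that must be set among them), the "syn & !ack" text form and the function names are assumptions drawn from common firewall-filter behaviour rather than statements on this page; the TCP flag bit positions and the DSCP and precedence positions in the ToS byte are standard.

```python
# Added example, not Policy Editor code. Value/mask semantics, the text form
# and the function names are assumptions; the bit positions are standard.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}
# The 3-bit IP flags field: reserved, don't-fragment, more-fragments.
IP_FLAGS = {"reserved": 0x4, "dont-fragment": 0x2, "more-fragments": 0x1}


def flags_value_mask(table: dict, selections: list) -> tuple:
    """Translate Configure-Flags dialog choices into the Raw value and mask.

    selections is a list of (flag name, not) pairs: each entry is a flag
    ticked in the Selected column, and not=True means its Not column is also
    ticked. A flag ticked in Not but not in Selected cannot be expressed,
    which is the rule the dialog enforces.
    """
    value = mask = 0
    for name, negated in selections:
        bit = table[name]          # KeyError for a flag name the table lacks
        mask |= bit                # every selected flag is examined
        if not negated:
            value |= bit           # ...and must be set unless Not is ticked
    return value, mask


def flags_expression(selections: list) -> str:
    """Text form of the same choices, e.g. "syn & !ack" (assumed syntax)."""
    return " & ".join(("!" if negated else "") + name for name, negated in selections)


def flags_match(packet_flags: int, value: int, mask: int) -> bool:
    """Does a packet's flags field satisfy the value/mask condition?"""
    return (packet_flags & mask) == value


def tos_for_dscp(dscp: int) -> tuple:
    """ToS Byte and ToS Byte Mask that match one DSCP (the top six bits)."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP {dscp} outside 0-63")
    return dscp << 2, 0xFC


def tos_for_precedence(precedence: int) -> tuple:
    """ToS Byte and mask that match one IP precedence (the top three bits)."""
    if not 0 <= precedence <= 7:
        raise ValueError(f"IP precedence {precedence} outside 0-7")
    return precedence << 5, 0xE0


def decode_tos(tos: int) -> dict:
    """Split a ToS byte into DSCP, IP precedence and the two ECN bits."""
    if not 0 <= tos <= 255:
        raise ValueError(f"ToS byte {tos} outside 0-255")
    return {"dscp": tos >> 2, "precedence": tos >> 5, "ecn": tos & 0x3}
```

The point the dialog hides is that Not does not clear a flag from the condition: it keeps the bit in the mask and clears it in the value, so "syn with Not on ack" matches a pure SYN and rejects a SYN-ACK, while flags outside the mask (PSH, for instance) are ignored. Matching a DSCP with mask 0xFC likewise leaves the two ECN bits out of the comparison.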
ICMP Type
- Integer in the range 0-255 that represents an ICMP packet type supported on the router or CMTS device
- Numeric expression
- Parameter of type icmpType
ICMP Code
- Integer in the range 0-255 that represents an ICMP code supported on the router or CMTS device
- Numeric expression
- Parameter of type icmpCode
IGMP Type
SPI
- For IPSec classifiers, specifies the authentication header (AH) or the encapsulating security payload (ESP) security parameter index (SPI). This field appears only in JUNOS policy rules.
- Value
JUNOS Filter Condition Fields
The conditions described in this section appear only in JUNOS filter policy rules.
Forwarding Class
- String expression that matches a forwarding class on the router; for example, "assured-forwarding," "best-effort," "expedited-forwarding," or "network-control"
- Parameter of type forwardingClass
Interface Group
Source Class
- Matches packets based on source class. A source class is a set of source prefixes grouped together and given a class name. You would usually match source and destination classes for output firewall filters.
- Note that you cannot match on both source class and destination class at the same time. You must choose one or the other.
- Value
- String expression that matches a source class that is configured on the router; for example, "gold-class"
- Parameter of type trafficClassSpec
Destination Class
- Matches packets based on destination class. A destination class is a set of destination prefixes grouped together and given a class name. You would usually match source and destination classes for output firewall filters.
- Note that you cannot match on both source class and destination class at the same time. You must choose one or the other.
- Value
- String expression that matches a destination class that is configured on the router; for example, "gold-class"
- Parameter of type trafficClassSpec
Allow IP Options
- Numeric value of the IP option
- String expression that matches a text synonym of an IP option on the router; for example, "loose-source-route," "record-route," "router-alert," "strict-source-route," or "timestamp"
- Parameter of type allowIpOptions
Application Protocol Fields
You can define application protocols for the stateful firewall and NAT services to use in match condition rules. An application protocol defines application parameters by using information from network layer 3 and above. Examples of such applications are FTP and H.323.
The ClassifyTrafficCondition pane displays a table with configured application protocol conditions.
Configure the table as follows:
- To add an application protocol condition, click Add. Policy Editor displays the Application Protocol Condition dialog box.
- To modify a condition, select the condition, and click Modify. Policy Editor displays the Application Protocol Condition dialog box.
- To delete a condition, select the condition, and click Delete.
The Application Protocol Condition dialog box changes depending on the application protocol and protocol conditions that you select. Figure 31 shows an example of the dialog box with all possible fields.
Using Map Expressions in Application Protocol Conditions
The application protocol condition is a case in which you might use a map expression to define multiple attributes in one field—the Application Protocol field. Maps are a list of attributeName=value pairs separated by commas and enclosed in curly brackets. For example, the map {applicationProtocol="ftp", sourcePort=123, inactivityTimeout=60} supplies the application protocol, source port, and inactivity timeout in one field.
Another map {applicationType="tcp", inactivityTimeout=60, destinationPort=80} supplies the protocol, inactivity timeout, and destination port.
You can enter the map expressions in the Application Protocol field.
You can also create a local parameter, add a map expression as the default value of the parameter, and then select the local parameter in the Application Protocol field.
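As an added example (not SRC code), the following Python parser reads a map expression of the form shown above, enforces that string values are quoted and numeric values are not, rejects unknown attribute names so that a misspelt name cannot silently produce a condition that never matches, range-checks ports, and serializes a map back to the field syntax, for example to use as the default value of a local parameter. The attribute names beyond the five used in the examples above are assumptions taken from the dialog field names, as are the function names.

```python
import re

# Added example, not SRC code. The first five attribute names come from the
# map examples on this page; the rest are assumed from the dialog field names
# and may not match the product. Function names are hypothetical.
KNOWN_ATTRIBUTES = {
    "applicationProtocol": str, "applicationType": str,
    "sourcePort": int, "destinationPort": int, "inactivityTimeout": int,
    # assumed names, derived from the Application Protocol Condition fields
    "protocol": int, "icmpType": int, "icmpCode": int,
    "snmpCommand": str, "rpcProgramNumber": int, "ttlThreshold": int, "uuid": str,
}
PORT_ATTRIBUTES = {"sourcePort", "destinationPort"}

# One attributeName=value pair, followed by a comma or the end of the body.
# Strings are double-quoted; integers are bare.
PAIR_RE = re.compile(r'\s*([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|(-?\d+))\s*(,|$)')


def validate_attributes(attrs: dict) -> None:
    """Reject unknown names, wrong value types and out-of-range values."""
    for key, value in attrs.items():
        expected = KNOWN_ATTRIBUTES.get(key)
        if expected is None:
            raise ValueError(f"unknown attribute {key!r}; a misspelt name would never match")
        if not isinstance(value, expected):
            raise TypeError(f"{key} must be {expected.__name__}, got {value!r}")
        if key in PORT_ATTRIBUTES and not 0 <= value <= 65535:
            raise ValueError(f"{key}={value} outside 0-65535")
        if key == "inactivityTimeout" and value < 0:
            raise ValueError(f"inactivityTimeout={value} must not be negative")


def parse_map(expr: str) -> dict:
    """Parse {attributeName=value, ...} into a dict, in the order written."""
    text = expr.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("map expression must be enclosed in curly brackets")
    body = text[1:-1]
    if not body.strip():
        raise ValueError("map expression has no attributes")
    attrs, pos = {}, 0
    while pos < len(body):
        m = PAIR_RE.match(body, pos)
        if m is None:
            raise ValueError(f"bad map syntax near {body[pos:pos + 20]!r}")
        key, string_val, int_val, sep = m.groups()
        if key in attrs:
            raise ValueError(f"attribute {key} given twice")
        attrs[key] = string_val if string_val is not None else int(int_val)
        pos = m.end()
        if sep == "," and not body[pos:].strip():
            raise ValueError("trailing comma in map expression")
    validate_attributes(attrs)
    return attrs


def format_map(attrs: dict) -> str:
    """Serialize back to the field syntax, e.g. for a local parameter's default value."""
    parts = [f'{k}="{v}"' if isinstance(v, str) else f"{k}={v}" for k, v in attrs.items()]
    return "{" + ", ".join(parts) + "}"
```

Validating the map before it is stored in a local parameter matters because the parameter's default value is substituted into the classifier later; an unquoted or misspelt attribute found at that point is a policy that installs without the match its author expected.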
Filling in Application Protocol Fields
This section describes the fields in the Application Protocol Condition dialog box.
Application Protocol
- Predefined global parameter—Select a protocol from the pull-down list
- String expression that matches an application protocol name supported on the router
- Map expression—See Using Map Expressions in Application Protocol Conditions
- Parameter of type applicationProtocol
Protocol
- Predefined global parameter—Select a protocol from the drop-down list
- Integer in the range 0-255
- Numeric expression
- Parameter of type protocol
Inactivity Timeout (s)
Source Port
- Integer in the range 0-65535
- String expression that matches a port name supported on the router; for example, "http"
- Parameter of type port
Destination Port
- Integer in the range 0-65535
- String expression that matches a port name or number supported on the router; for example, "http"
- Parameter of type port
ICMP Type
- Integer in the range 0-255 that represents an ICMP packet type supported on the router
- Numeric expression
- Parameter of type icmpType
ICMP Code
- Integer in the range 0-255 that represents an ICMP code supported on the router
- Numeric expression
- Parameter of type icmpCode
SNMP Command
- String expression that matches an SNMP command supported on the router
- Parameter of type snmpCommand
RPC Program Number
- Integer—RPC or DCE program number in the range 100000-400000
- Numeric expression
- Parameter of type rpcProgramNumber
TTL Threshold
- For the traceroute application protocol, specifies the traceroute time-to-live (TTL) threshold value. This value sets the acceptable level of network penetration for trace routing.
- Value
UUID
For information about UUIDs, see http://www.opengroup.org/onlinepubs/9629399/apdxa.htm.