Policy Information Model
Policies are made up of conditions and actions that cause the router to handle packets in a certain way.
- Condition—Defines values or fields that a packet must contain before an action is triggered; for example, packet direction, network protocol, source and destination ports, application protocol, source and destination networks, packet length, forwarding class, source and destination class
- Action—Specifies the action that the router takes on packets that match the condition; for example, filter (drop), forward, send to next interface, apply rate and burst size limits, assign a forwarding class
Here are two examples of policies with conditions and actions:
- Condition—Traffic to and from the restricted site
- Action—Access to the site is stopped if the site has a restricted rating
The SRC policy information model is designed to consolidate information models from various devices to provide a standard way to configure policies. This way, similar operations on different devices are represented as a single policy action or condition which is translated to device-specific operations. For example, the SRC policy information model provides an action that forwards traffic. This action is translated into actions such as forward, accept, or simple handoff on various routers. For instances in which policy conditions or actions are significantly different, the model provides support for each type of condition or action. For example, because rate-limiting on JUNOSe routers is significantly different than policing on JUNOS routing platforms the SRC provides a rate-limit action for JUNOSe routers and policer action for JUNOS routing platforms.
For JUNOSe routers, SRC policies are translated at the COPS-PR or COPS-XDR level. and at the router level. For JUNOS routing platforms, policies are translated at the JUNOS XML on BEEP level and at the router level.
The SRC policy model also lets you simplify policy configuration for policy conditions that classify traffic. For JUNOSe and PCMM policies, you can combine different conditions that classify traffic and configure these conditions to use a single action. In addition for JUNOSe policies, you can create a condition which actually represents a number of classifiers. The SAE expands the classifier to multiple classifiers before installing them on the router.
For more information about multiple classifiers and expanded classifiers, see Policy Conditions.
Policy Objects
The SRC policy model is made up of objects that are organized as shown in Figure 12.
![]()
The following is a description of these objects:
- Policy folders—Used to organize policy groups.
- Policy groups—Hold policy lists. You associate policy groups with a service or with an interface. The SAE sends the information in a policy group to the router, and the router uses the information to create policies that it attaches to router interfaces.
- Policy lists—Used to organize policy rules. You can create policy lists for JUNOS routing platforms, for JUNOSe routers, or for PCMM devices. Whether you create a JUNOS policy list, a JUNOSe policy list, or a PCMM policy list determines the types of policy rules that you can add to the policy list.
- Policy rules—Used to organize the conditions and actions that make up the policy rule. Policy rules consist of conditions that you use to match traffic and actions that specify the action to take if traffic matches the condition. In JUNOS terminology, a policy rule is the same as a term.
- Conditions—Define match conditions or classifiers that a packet or packet flow must contain; for example, packet direction, network protocol, application protocol, source and destination networks, packet length, forwarding class, and source and destination class
- Actions—Define the action that the router or CMTS device takes on packets that match conditions
Policy Rules
JUNOSe routers and PCMM devices support one type of policy rule. JUNOS routing platforms support five types of policy rules:
Supports stateful firewall and Network Address Translation (NAT) services.
Supports transmission scheduling and rate control parameters on interfaces that support the per-unit scheduler. Schedulers define the priority, bandwidth, delay buffer size, rate control status, and RED drop profiles to be applied to a particular class of traffic.
Supports setting a shaping rate on PICS that support shaping rate and on interfaces that support the per-unit scheduler.
Supports JUNOS firewall filters.
Supports policing, or rate limiting, by enabling you to limit the amount of traffic that passes into or out of an interface. It is an essential component of firewall filters that is designed to thwart denial-of-service attacks.
Policing applies two types of rate limits on the traffic:
- Bandwidth—Number of bps permitted, on average.
- Maximum burst size—Maximum size permitted for bursts of data that exceed the bandwidth limit.
Supported Conditions and Actions
The types of conditions and actions that are available for a policy rule depend on the type of rule. Figure 13 shows the types of conditions and actions that are available for JUNOS policy rules. Figure 14 shows the types of conditions and actions that are available for JUNOSe policy rules. Figure 15 shows the types of conditions and actions that are available for PCMM policy rules.
![]()
![]()
![]()
Policy Conditions
Policy conditions are values or fields that a packet must contain. If a policy rule does not contain a match condition, all packets are considered to match. There are two types of conditions:
- Classify-traffic condition—Matches can include source and destination addresses or networks; ports, packet types, IP options, TCP flags, network protocol, application protocol
- QoS condition—Matches the forwarding class of the packet
See also PCMM Classifiers.
Multiple Classifiers
JUNOSe and PCMM policy rules can contain multiple classify-traffic conditions. Having multiple classifiers in a policy rule gives you more flexibility for defining services and allows you to use fewer policy rules for some applications.
If multiple policy rules have the same action, but different classify conditions, you can combine the policy rules into one policy rule. You can also set up one policy rule that has multiple classifiers, each for a different subnet or range of addresses.
If you want to collect accounting data on internal versus external traffic, you can configure one policy rule with a set of classifiers for internal traffic and one policy rule with a set of classifiers for external traffic.
Rate-Limiting with Multiple Classifiers
Multiple classifiers give you more flexibility for rate-limiting policies. Without multiple classifiers, you can rate-limit only individual traffic flows. With multiple classifiers, you can rate-limit the aggregate of traffic flows from all sources.
The following example uses multiple classifiers to rate-limit traffic to 1 Mbps for traffic going to two different subnets.
Policy List je-inPolicy Rule rate-limiterClassifyTrafficCondition CTC1SourceNetwork:anyDestinationNetwork:ipAddress=172.60.40.0/0.0.0.255ClassifyTrafficCondition CTC2SourceNetwork:anyDestinationNetwork:ipAddress=172.60.20.0/0.0.0.255Rate limit action that limits to 1 MbpsPolicy List je-outPolicy Rule forwardClassifyTrafficConditionDestinationNetwork:anySourceNetwork:anyForward actionExpanded Classifiers
For JUNOSe policies, you can create classify-traffic conditions that the SAE expands into multiple classifiers before it installs the policy on the router. If you enter a comma-separated list of values in the source and destination network (IP address, mask, and IP operation) or port fields (for port-related protocols), the software creates a classifier for each possible combination of address and port. Note that the software does not expand classifiers for values that are entered as a range.
You would use this feature in policies that are used in IP multimedia subsystem (IMS) environments. You can also use it to simplify the configuration of JUNOSe policies.
For example, the source configuration in the classify-traffic condition in Figure 16 would cause the condition to be expanded into four classifiers that have the following combination of source addresses and source ports:
192.1.1.0/255.255.255.0 eq 80192.1.1.0/255.255.255.0 eq 8080192.2.1.1/255.255.255.0 eq 80192.2.1.1/255.255.255.0 eq 8080
![]()
Policy Actions
JUNOS policy rules and PCMM policy rules can have multiple actions. JUNOSe policy rules can have only one action. The types of actions available for a policy rule depend on the type of rule. See Supported Conditions and Actions. The following table is a description of all actions.
Combining Actions
JUNOS policy rules and PCMM policy rules support multiple actions. For example, in PCMM policies, you can combine a mark action with a DOCSIS parameter action, a service schedule action, or a FlowSpec action. In JUNOS policy rules you can combine the forwarding class action, routing instance action, and loss priority action. The result is that packets that match the condition are assigned to a forwarding class, directed to a routing instance on the router, and assigned a packet loss priority.
Only one of the following actions can exist in a policy rule: next-hop action, next-interface action, forward action, filter action, and reject action.
For example, if you add the next-rule action to a policy rule, do not add a next-hop action, next-interface action, forward action, filter action, or reject action to the same policy rule.
Although you can have only one action in a JUNOSe policy rule, you can set up a policy list to take two corresponding actions on a packet. To do so, you create a JUNOSe policy list that has more than one policy rule with the same precedence. For example, you might want a policy rule that marks a packet and a policy rule that forwards the packet to the next interface. Or you could have a policy rule that applies a traffic-class action and a policy rule that forwards the packet to the next hop.
Policy LDAP Schema Model
The policy information model is based on the Policy Core Information Model (PCIM) that is mapped to the Policy Framework LDAP core schema by the IETF. SRC software extends this model in such a way to be very close to the policy model used by the router. A policy folder might be the base of the policy subtree (o=policies, o=umc) or an organizationalUnit object, underneath the policy base. Such a policy folder contains group objects consisting of one or many policy lists that contain one or many policy rules. A policy rule consists of policy actions and policy conditions.
The objects policy group, policy list, and policy rule are mapped to structural object classes. Each of those classes is derived from the object class policy. This abstract policy object class is inherited from dlm1ManagedElement, which is the top class of the CIM. The policy actions and policy conditions are mapped to auxiliary classes that are attached to the object policyRule. The classes policyActionAuxClass and policyConditionAuxClass are the top classes for any policy action and policy condition. SSP service objects point through the DN pointer to one policy group.
For detailed information about the SRC LDAP schema, see the documentation in the SRC software distribution in the folder /SDK/doc/ldap or on the Juniper Networks Web site at
http://www.juniper.net/techpubs/software/management/sdx