

Configuring Classify-Traffic Conditions

You can create classify-traffic conditions in JUNOSe policy rules, in JUNOS ASP and JUNOS filter policy rules, and in PCMM policy rules. To create a classify-traffic condition:

  1. In the Policy Editor navigation pane, right-click a policy rule object, and select New > Condition > ClassifyTrafficCondition.

The ClassifyTrafficCondition Name dialog box appears.

  2. Enter a name, and click OK.
  3. Select the new classify-traffic condition in the navigation pane.

The new ClassifyTrafficCondition content pane appears.

  4. Edit or accept the default values for the classify-traffic condition fields.

See Classify-Traffic Condition Fields.

For information about configuring port ranges for traffic classifiers, see Specifying Port Access for Traffic Classification.

  5. Select File > Save.

If you are configuring classifiers for PCMM policies, you can specify whether the classifier will be used in a PCMM I02 or I03 network. By default, the software translates classify-traffic conditions into PCMM I02 classifiers.

For JUNOSe policies, you can specify that the SAE expands the classifier into multiple classifiers before it installs the policy on the router.

Enabling Expansion of JUNOSe Classify Traffic Conditions

For information about expanded classifiers, see Expanded Classifiers.

To use SDX Configuration Editor to enable the expansion of JUNOSe classify-traffic conditions:

  1. In the navigation pane, select a configuration file for the SAE that you want to configure.
  2. Select the Miscellaneous tab, and expand the Policy Management Configuration section.
  3. Edit or accept the default value.

See Enable JUNOSe Classifier Expansion Field.

  4. Select File > Save.
  5. Right-click the configuration file, and select SDX System Configuration > Export to LDAP Directory.

Enable JUNOSe Classifier Expansion Field

In SDX Configuration Editor, you can edit the following field in the Policy Management Configuration section of the Miscellaneous pane in an SAE configuration file.

Enable JUNOSe Classifier Expansion

Specifying the PCMM Classifier Type

To specify which version of the PCMM classifiers that you are using, configure the Router.pcmm.disableI03policy property in the SAE property file.

See Modifying the SAE Property File in SRC-PE Subscribers and Subscriptions Guide, Chapter 5, Configuring Subscriber-Related Properties on the SAE on a Solaris Platform.

For more information about PCMM classifiers, see PCMM Classifiers.

Router.pcmm.disableI03policy

Specifying Port Access for Traffic Classification

In the SRC software, the way you specify a range of port numbers greater than or less than a specific value in a traffic classifier differs from the way you define such a range in the configuration on JUNOSe routers.

In Policy Editor in the ClassifyTrafficCondition content pane, you specify ranges by setting values in the Port Operation field.

For information about accessing the configuration in the ClassifyTrafficCondition content pane, see Configuring Classify-Traffic Conditions.

For information about the Port Operation and Port fields, see Source and Destination Network Fields.

To specify a range of port numbers greater than or less than a specified value, use one of the following procedures.

To configure port numbers greater than a defined value by specifying which values are allowed:

  1. In the Port Operation field, enter eq.
  2. In the Port field, enter the range of ports allowed.

For example, to specify access to all port numbers greater than 10, specify 11..65535.

To configure port numbers greater than a defined value by specifying which values are not allowed:

  1. In the Port Operation field, enter neq.
  2. In the Port field, enter the range of ports not allowed.

For example, to specify access to all port numbers greater than 10, specify 1..9.

To configure port numbers less than a defined value by specifying which values are allowed:

  1. In the Port Operation field, enter eq.
  2. In the Port field, enter the range of ports.

For example, to specify access to all port numbers less than 10, specify 1..9.

To configure port numbers less than a defined value by specifying which values are not allowed:

  1. In the Port Operation field, enter neq.
  2. In the Port field, enter the range of ports.

For example, to specify access to all port numbers less than 10, specify 11..65535.
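As an added illustration that is not part of the SRC documentation, the following Python models the eq and neq Port Operation semantics described above so you can check which ports a given Port field value actually admits before the classifier is installed; PORT_MIN, PORT_MAX and the function names are assumptions for this example.

```python
# Added example, not part of the SRC documentation: a model of the eq/neq
# Port Operation semantics described above, used to check what a Port field
# value actually admits. PORT_MIN/PORT_MAX and the function names are
# assumptions for illustration.
PORT_MIN, PORT_MAX = 0, 65535          # assumed: the full 16-bit port space
ALL_PORTS = frozenset(range(PORT_MIN, PORT_MAX + 1))

def parse_port_range(spec: str) -> range:
    """Parse a Port field value such as '11..65535' or a single port '80'."""
    if ".." in spec:
        lo, hi = (int(p) for p in spec.split("..", 1))
    else:
        lo = hi = int(spec)
    if not (PORT_MIN <= lo <= hi <= PORT_MAX):
        raise ValueError(f"invalid port range: {spec!r}")
    return range(lo, hi + 1)

def matched_ports(operation: str, spec: str) -> frozenset:
    """Ports matched by a classifier with this Port Operation and Port value."""
    in_range = frozenset(parse_port_range(spec))
    if operation == "eq":                # match ports inside the range
        return in_range
    if operation == "neq":               # match ports outside the range
        return ALL_PORTS - in_range
    raise ValueError(f"unsupported port operation: {operation!r}")

def surplus_ports(operation: str, spec: str, intent: str, pivot: int) -> set:
    """Ports the classifier admits that the stated intent does not cover.

    intent is 'gt' (ports greater than pivot) or 'lt' (ports less than pivot);
    an empty result means the classifier is no wider than intended.
    """
    if intent == "gt":
        wanted = {p for p in ALL_PORTS if p > pivot}
    elif intent == "lt":
        wanted = {p for p in ALL_PORTS if p < pivot}
    else:
        raise ValueError(f"unsupported intent: {intent!r}")
    return set(matched_ports(operation, spec)) - wanted

if __name__ == "__main__":
    for op, spec, intent in [("eq", "11..65535", "gt"), ("neq", "1..9", "gt"),
                             ("eq", "1..9", "lt"), ("neq", "11..65535", "lt")]:
        extra = sorted(surplus_ports(op, spec, intent, 10))
        print(f"{op} {spec}: surplus for '{intent} 10' = {extra}")
```

Under this model the two neq examples above also admit port 10 (and neq 1..9 admits port 0), which surplus_ports reports; if the classifier must admit only ports strictly greater than or strictly less than 10, include 10 in the neq range.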

Classify-Traffic Condition Fields

In Policy Editor, you can modify the fields described in this section in the ClassifyTrafficCondition content pane.

The fields displayed in the ClassifyTrafficCondition pane change depending on the type of policy rule that holds the condition and on the type of protocol that you select in the Protocol field, as well as whether you select the Grouped IP Address and Raw check boxes. The classify-traffic condition fields are all described in the following sections:

Direction Field

Appears only in JUNOS ASP policy rules.

Match Direction

Network Protocol Fields

This section of the pane specifies how protocols are matched.

Protocol Operation

Protocol

Source and Destination Network Fields

This section of the pane specifies source and destination networks. The Port Operation field appears only if you selected to match the TCP or UDP protocols. The Port field appears after you specify a port operation.

Grouped IP Address

Network Operation

IP Address

IP Wildcard/IP Mask

Network

where pubIp is a local address parameter and 32 is the prefix length

Port Operation

Port

Use a range of ports to specify port numbers that are greater than or less than a specified port number. For example:

Note that PCMM I02 classifiers do not support port ranges; PCMM I03 classifiers do.

Packet Length Field

Matches packets according to packet length. This field appears only in JUNOS policy rules.

Packet Length (bytes)

IP Protocol Fields

In this section of the screen, you can configure values to match fields in the IP header.

Raw

IP Flags

IP Flags Mask

IP Fragmentation Offset

IP Flags Value

To configure the IP flags:

  1. In the Selected column, select the IP flags that you want as part of the result string.
  2. In the Not column, select the Not operator(s) that you want applied to the corresponding flag in the result string.

You cannot check boxes in the Not column unless the check box in the corresponding Selected column is checked.

  3. Click OK.

ToS Byte

Use this condition to define a particular traffic flow to the service's network for the DA IP field in the IP packet.

The CoS feature on JUNOS routing platforms supports DiffServ as well as six-bit IP header ToS byte settings. The DiffServ protocol uses the ToS byte in the IP header. The most significant six bits of this byte form the Differentiated Services code point (DSCP). The CoS feature uses DSCPs to determine the forwarding class associated with each packet. It also uses the ToS byte and ToS byte mask to determine IP precedence.

TOS Byte

TOS Byte Mask

TCP, ICMP, IGMP, and IPSec Protocol Fields

If you specified TCP, ICMP, IGMP, or the AH or ESP IPSec protocol, you can also specify the corresponding condition, as shown in Figure 30.


Figure 30: Classify Conditions for TCP, ICMP, IGMP, and IPSec Protocols

Raw

TCP Flags

TCP Flags Mask

TCP Flags Value

The Configure TCP Flags dialog box appears.

To configure the TCP flags:

  1. In the Selected column, select the TCP flags that you want as part of the result string.
  2. In the Not column, select the Not operator(s) that you want applied to the corresponding flag in the result string.

You cannot check boxes in the Not column unless the check box in the corresponding Selected column is checked.

  3. Click OK.

ICMP Type

ICMP Code

IGMP Type

SPI

JUNOS Filter Condition Fields

The conditions described in this section appear only in JUNOS filter policy rules.

Forwarding Class

Interface Group

Source Class

Destination Class

Allow IP Options

Application Protocol Fields

You can define application protocols for the stateful firewall and NAT services to use in match condition rules. An application protocol defines application parameters by using information from network layer 3 and above. Examples of such applications are FTP and H.323.

The ClassifyTrafficCondition pane displays a table with configured application protocol conditions.

Configure the table as follows:

The Application Protocol Condition dialog box changes depending on the application protocol and protocol conditions that you select. Figure 31 shows an example of the dialog box with all possible fields.


Figure 31: Application Protocol Condition Dialog Box

Using Map Expressions in Application Protocol Conditions

The application protocol condition is a case in which you might use a map expression to define multiple attributes in one field, the Application Protocol field. A map is a list of attributeName=value pairs separated by commas and enclosed in curly brackets. For example, the map {applicationProtocol="ftp", sourcePort=123, inactivityTimeout=60} supplies the application protocol, source port, and inactivity timeout in one field.

Another map {applicationType="tcp", inactivityTimeout=60, destinationPort=80} supplies the protocol, inactivity timeout, and destination port.

You can enter the map expressions in the Application Protocol field.

You can also create a local parameter, add a map expression as the default value of the parameter, and then select the local parameter in the Application Protocol field.
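As an added example, not code from the SRC software, the following Python parses a map expression of the form described above into a dictionary and checks the attribute values before the map is entered in the Application Protocol field; KNOWN_ATTRIBUTES is assumed from the two maps shown on this page, not the product's full attribute list.

```python
# Added example, not part of the SRC software: parse a map expression of the
# form {attributeName=value, ...} and check its values. KNOWN_ATTRIBUTES is an
# assumption built from the two maps shown on this page, not the full list.
import re

# One attributeName=value pair: quoted string, integer, or bare token,
# terminated by a comma or the end of the map body.
_PAIR = re.compile(r'\s*([A-Za-z_]\w*)\s*=\s*("(?:[^"\\]|\\.)*"|-?\d+|[^,}]+?)\s*(?:,|$)')

KNOWN_ATTRIBUTES = {"applicationProtocol", "applicationType", "sourcePort",
                    "destinationPort", "inactivityTimeout"}

def parse_map(expr: str) -> dict:
    """Turn '{a="x", b=1}' into {'a': 'x', 'b': 1}; quoted -> str, digits -> int."""
    text = expr.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("map expression must be enclosed in curly brackets")
    body, pos, result = text[1:-1].strip(), 0, {}
    while pos < len(body):
        m = _PAIR.match(body, pos)
        if not m:
            raise ValueError(f"malformed pair near {body[pos:pos + 20]!r}")
        name, raw = m.group(1), m.group(2)
        if name in result:
            raise ValueError(f"duplicate attribute {name}")
        if raw.startswith('"'):
            result[name] = raw[1:-1].replace('\\"', '"')
        else:
            result[name] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw
        pos = m.end()
    return result

def validate_map(attrs: dict) -> list:
    """Return a list of problems with the parsed map; empty means it looks usable."""
    problems = []
    for name, value in attrs.items():
        if name not in KNOWN_ATTRIBUTES:
            problems.append(f"unknown attribute {name}")
        elif name in ("sourcePort", "destinationPort"):
            if not isinstance(value, int) or not 0 <= value <= 65535:
                problems.append(f"{name} must be a port number 0..65535")
        elif name == "inactivityTimeout":
            if not isinstance(value, int) or value <= 0:
                problems.append(f"{name} must be a positive number of seconds")
        elif not isinstance(value, str):
            problems.append(f"{name} must be a quoted string")
    return problems
```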

Filling in Application Protocol Fields

This section describes the fields in the Application Protocol Condition dialog box.

Application Protocol

Protocol

Inactivity Timeout (s)

Source Port

Destination Port

ICMP Type

ICMP Code

SNMP Command

RPC Program Number

TTL Threshold

UUID

For information about UUIDs, see http://www.opengroup.org/onlinepubs/9629399/apdxa.htm.

