Configuring Classify-Traffic Conditions
You create classify-traffic conditions in JUNOSe policy rules, in JUNOS ASP and JUNOS filter policy rules, and in PCMM policy rules.
The available configuration statements change depending on the type of policy rule that holds the condition and on the type of protocol that you specify.
To configure a classify-traffic condition, do the following:
- Configure protocol conditions. The type of protocol condition that you use depends on your configuration.
NOTE: PCMM classifiers support only the following classifiers:
Before You Configure Classify-Traffic Conditions
If you are configuring classifiers for PCMM policies, you can specify whether the classifier will be used in a PCMM IO2 or IO3 network. By default, the software translates classify-traffic conditions into PCMM IO2 classifiers.
For JUNOSe policies, you can specify that the SAE expand the classifier into multiple classifiers before it installs the policy on the router.
Enabling Expansion of JUNOSe Classify-Traffic Conditions
For information about expanded classifiers, see Expanded Classifiers.
Use the following configuration statement to enable or disable the expansion of JUNOSe classifiers.
shared sae configuration policy-management-configuration {
  enable-junose-classifier-expansion;
}

To enable or disable the expansion of JUNOSe classifiers:
- From configuration mode, access the configuration statement that configures policy management properties on the SAE.
  user@host# edit shared sae configuration policy-management-configuration
- Specify whether or not the SAE expands the JUNOSe classify-traffic conditions into multiple classifiers before it installs the policy on the router.
  [edit shared sae configuration policy-management-configuration]
  user@host# set enable-junose-classifier-expansion
Specifying the PCMM Classifier Type
Use the following configuration statement to specify which version of the PCMM classifiers you are using:
shared sae configuration driver pcmm {
  disable-pcmm-iO3-policy disable-pcmm-iO3-policy;
}

To specify whether or not the SAE sends classifiers to the router that comply with PCMM IO3:
- From configuration mode, access the configuration statement that configures the PCMM driver.
  user@host# edit shared sae configuration driver pcmm
- Enable or disable the SAE to send classifiers to the router that comply with PCMM IO3. Disable this option if your network deployment has CMTS devices that do not support PCMM IO3.
  [edit shared sae configuration driver pcmm]
  user@host# set disable-pcmm-iO3-policy disable-pcmm-iO3-policy
Specifying Port Access for Traffic Classification
In the SRC software, the way that you specify a range of port numbers greater than or less than a specific value in a traffic classifier is different from the way you define a range in the configuration on JUNOSe routers.
In the SRC CLI, you specify ranges by setting values in the port-operation options in command statements. To specify a range of port numbers greater or less than a specified value, you can:
- Define the full set of port numbers in the range to be allowed.
- Define the full set of port numbers in the range not allowed.
To configure port numbers greater than a defined value by specifying which values are allowed:
- For the port-operation option, enter eq.
- For the from-port option, enter the range of ports allowed. For example, to specify access to all port numbers greater than 10, specify 11..65535.

To configure port numbers greater than a defined value by specifying which values are not allowed:
- For the port-operation option, enter neq.
- For the from-port option, enter the range of ports not allowed. For example, to specify access to all port numbers greater than 10, specify 1..9.

To configure port numbers less than a defined value by specifying which values are allowed:
For example, to specify access to all port numbers less than 10, specify 1..9.

To configure port numbers less than a defined value by specifying which values are not allowed:
For example, to specify access to all port numbers less than 10, specify 11..65535.
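The following Python evaluator is an added example, not part of the SRC documentation: it applies a port-operation and from-port pair to a port and lists the ports on which the allowed (eq) and not-allowed (neq) forms of the same rule disagree, so you can check the boundary port and port 0 before you choose the neq form.

```python
"""Added example (not from the SRC documentation): an evaluator for the
port-operation / from-port pair used in SRC classify-traffic conditions.
It shows which ports each form of a "greater than" or "less than" rule
actually admits, including the boundary port and port 0."""

PORT_MIN, PORT_MAX = 0, 65535


def parse_from_port(spec: str) -> tuple[int, int]:
    """Parse a from-port value as typed in the SRC CLI: "80" or "11..65535".
    Returns an inclusive (low, high) pair."""
    if ".." in spec:
        lo_text, hi_text = spec.split("..", 1)
        lo, hi = int(lo_text), int(hi_text)
    else:
        lo = hi = int(spec)
    if not (PORT_MIN <= lo <= hi <= PORT_MAX):
        raise ValueError(f"invalid port range: {spec!r}")
    return lo, hi


def port_matches(port_operation: str, from_port: str, port: int) -> bool:
    """True if a packet with this port satisfies the classifier.
    eq admits ports inside the range, neq admits ports outside it."""
    lo, hi = parse_from_port(from_port)
    in_range = lo <= port <= hi
    if port_operation == "eq":
        return in_range
    if port_operation == "neq":
        return not in_range
    raise ValueError(f"unknown port-operation: {port_operation!r}")


def admitted_ports(port_operation: str, from_port: str) -> set[int]:
    """The full set of ports (0..65535) the classifier admits."""
    return {p for p in range(PORT_MIN, PORT_MAX + 1)
            if port_matches(port_operation, from_port, p)}


def differing_ports(allowed_form: tuple[str, str],
                    not_allowed_form: tuple[str, str]) -> list[int]:
    """Ports on which the 'allowed' (eq) and 'not allowed' (neq) forms of the
    same rule disagree. An empty list means the two forms are equivalent."""
    a = admitted_ports(*allowed_form)
    b = admitted_ports(*not_allowed_form)
    return sorted(a ^ b)


if __name__ == "__main__":
    # The two forms quoted in the documentation for "greater than 10".
    print(differing_ports(("eq", "11..65535"), ("neq", "1..9")))   # [0, 10]
    # The two forms quoted for "less than 10".
    print(differing_ports(("eq", "1..9"), ("neq", "11..65535")))   # [0, 10]
```

The eq and neq forms only admit the same traffic when the two ranges are exact complements of each other over 0..65535; verify this with differing_ports before relying on a neq classifier.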
Creating a Classify-Traffic Condition
You create classify-traffic conditions within policy rules. Use the following configuration statements to create a classify-traffic condition:
policies group name list name rule name traffic-condition name {
  match-direction match-direction;
  description description;
}

To add a classify-traffic condition:
- From configuration mode, create a classify-traffic condition inside a policy rule that has already been created and configured. For example, to create a traffic-condition called ctc within policy rule nat:
  user@host# edit policies group junos list staticnat rule nat traffic-condition ctc
- (Optional) For JUNOS ASP policy rules, specify the direction of the packet flow on which you want to match packets.
  [edit policies group junos list staticnat rule nat traffic-condition ctc]
  user@host# set match-direction match-direction
- (Optional) Provide a description of the classify-traffic condition.
  [edit policies group junos list staticnat rule nat traffic-condition ctc]
  user@host# set description description
- (Optional) Verify your classify-traffic condition configuration.
  [edit policies group junos list staticnat rule nat traffic-condition ctc]
  user@host# show
  match-direction output;
  description "Static NAT destination classifier";

Configuring Source Networks
Use the following configuration statements to add source networks to a classify-traffic condition:
policies group name list name rule name traffic-condition name source-network network {
  ip-address ip-address;
  ip-mask ip-mask;
  ip-operation ip-operation;
}

To add a source network to a classify-traffic condition:
- From configuration mode, enter the source network within a classify-traffic condition. For example:
  user@host# edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network network
- (Optional) Configure the IP address of the source network or host.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network network]
  user@host# set ip-address ip-address
- (Optional) Configure the IP mask of the source network or host.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network network]
  user@host# set ip-mask ip-mask
- (Optional) Specify whether the software matches packets with an IP address that is equal or not equal to the specified address and mask.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network network]
  user@host# set ip-operation ip-operation
- (Optional) Verify your source network configuration.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network network]
  user@host# show
  ip-address interface_ipAddress;
  ip-mask interface_ipMask;
  ip-operation is_not;

Configuring Source Grouped Networks
You can configure source networks in grouped format. For JUNOS ASP policy rules, you must enter source networks in grouped format.
Use the following configuration statement to add source networks in a grouped format to a classify-traffic condition:
policies group name list name rule name traffic-condition name source-network group-network {
  network-specifier network-specifier;
}

To add a grouped source network to a classify-traffic condition:
- From configuration mode, enter the source network within a classify-traffic condition. For example:
  user@host# edit policies folder junose group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network group-network
- (Optional) Configure the IP address of the source network or host.
  For JUNOS ASP policy rules, you must enter networks in the format <ip address>/<prefix length>. The <ip address>/<mask> format is rejected by the router.
  [edit policies folder junose group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network group-network]
  user@host# set network-specifier network-specifier
- (Optional) Verify your source network configuration.
  [edit policies folder junose group dhcp list in rule forward-dhcp traffic-condition client-dhcp source-network group-network]
  user@host# show
  network-specifier gateway_ipAddress;

Configuring Destination Networks
Use the following configuration statements to add destination networks to a classify-traffic condition:
policies group name list name rule name traffic-condition name destination-network network {
  ip-address ip-address;
  ip-mask ip-mask;
  ip-operation ip-operation;
}

To add a destination network to a classify-traffic condition:
- From configuration mode, enter the destination network within a classify-traffic condition. For example:
  user@host# edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network network
- (Optional) Configure the IP address of the destination network or host.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network network]
  user@host# set ip-address ip-address
- (Optional) Configure the IP mask of the destination network or host.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network network]
  user@host# set ip-mask ip-mask
- (Optional) Specify whether the software matches packets with an IP address that is equal or not equal to the specified address and mask.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network network]
  user@host# set ip-operation ip-operation
- (Optional) Verify your destination network configuration.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network network]
  user@host# show
  ip-address interface_ipAddress;
  ip-mask interface_ipMask;
  ip-operation is;

Configuring Destination Grouped Networks
You can configure destination networks in grouped format. For JUNOS ASP policy rules, you must enter destination networks in grouped format.
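The Python block below is an added example (not the SRC documentation's code) for the source and destination network options described in the preceding sections: it applies an ip-address / ip-mask / ip-operation triple to a packet address, checks a grouped network-specifier list, and rejects the <ip address>/<mask> form that JUNOS ASP rules do not accept. It assumes that ip-operation is and is_not compare the packet address and the configured address after both are masked with ip-mask.

```python
"""Added example (not the SRC documentation's code): evaluates the
source-network / destination-network options of a classify-traffic
condition against a packet address and validates the network-specifier
format that JUNOS ASP policy rules require."""
import ipaddress


def network_matches(ip_address: str, ip_mask: str, ip_operation: str,
                    packet_address: str) -> bool:
    """Apply the ip-address / ip-mask / ip-operation triple to one address.
    Assumption: `is` matches when the masked packet address equals the masked
    ip-address; `is_not` inverts that result."""
    base = int(ipaddress.IPv4Address(ip_address))
    mask = int(ipaddress.IPv4Address(ip_mask))
    addr = int(ipaddress.IPv4Address(packet_address))
    equal = (addr & mask) == (base & mask)
    if ip_operation == "is":
        return equal
    if ip_operation == "is_not":
        return not equal
    raise ValueError(f"unknown ip-operation: {ip_operation!r}")


def asp_network_specifier(spec: str) -> str:
    """Validate a network-specifier for a JUNOS ASP rule, which accepts
    <ip address>/<prefix length> only; the <ip address>/<mask> form is
    rejected by the router. Returns the normalised specifier or raises."""
    if spec == "any":
        return spec            # the documentation's show output uses "any"
    if "/" not in spec:
        raise ValueError(f"{spec!r}: expected <ip address>/<prefix length>")
    address, suffix = spec.split("/", 1)
    if not suffix.isdigit():
        raise ValueError(f"{spec!r}: prefix length must be a number, "
                         "not a dotted mask")
    ipaddress.IPv4Address(address)          # raises on a malformed address
    if not 0 <= int(suffix) <= 32:
        raise ValueError(f"{spec!r}: prefix length out of range")
    return f"{address}/{int(suffix)}"


def asp_specifier_ok(spec: str) -> bool:
    """Boolean wrapper around asp_network_specifier."""
    try:
        asp_network_specifier(spec)
        return True
    except ValueError:
        return False


def group_network_matches(specifiers: list[str], packet_address: str) -> bool:
    """A grouped network (group-network) matches if any of its specifiers
    covers the packet address; "any" covers every address."""
    addr = ipaddress.IPv4Address(packet_address)
    for spec in specifiers:
        spec = asp_network_specifier(spec)
        if spec == "any":
            return True
        if addr in ipaddress.IPv4Network(spec, strict=False):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(network_matches("10.1.0.0", "255.255.0.0", "is_not", "10.2.2.3"))  # True
    print(asp_specifier_ok("10.1.0.0/255.255.0.0"))                         # False
```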
Use the following configuration statements to add destination networks in a grouped format to a classify-traffic condition:
policies group name list name rule name traffic-condition name destination-network group-network {
  network-specifier network-specifier;
}

To add a grouped destination network to a classify-traffic condition:
- From configuration mode, enter the destination network within a classify-traffic condition. For example:
  user@host# edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network group-network
- (Optional) Configure the IP address of the destination network or host.
  For JUNOS ASP policy rules, you must enter networks in the format "<ip address>/<prefix length>".
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network group-network]
  user@host# set network-specifier network-specifier
- (Optional) Verify your destination network configuration.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp destination-network group-network]
  user@host# show
  network-specifier any;

Configuring Protocol Conditions
The procedure in this section shows how to configure general protocol conditions.
- If your condition includes port numbers, use the procedure in Configuring Protocol Conditions with Ports.
- If your condition consists of a protocol that is assigned with a parameter value, use the procedure in Configuring Protocol Conditions with Parameters.
Use the following configuration statements to add general protocol conditions to a classify-traffic condition:
policies group name list name rule name traffic-condition name protocol-condition {
  protocol protocol;
  protocol-operation protocol-operation;
  ip-flags ip-flags;
  ip-flags-mask ip-flags-mask;
  fragment-offset fragment-offset;
  packet-length packet-length;
}

To add general protocol conditions to a classify-traffic condition:
- From configuration mode, enter the general protocol condition configuration. For example:
  user@host# edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition
- Configure the protocol matched by this classify-traffic condition.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
  user@host# set protocol protocol
- Configure the policy to match packets with the protocol that is either equal or not equal to the specified protocol.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
  user@host# set protocol-operation protocol-operation
- (Optional) Configure the value of the IP flags field in the IP header.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
  user@host# set ip-flags ip-flags
- (Optional) Configure the mask that is associated with the IP flag.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
  user@host# set ip-flags-mask ip-flags-mask
- (Optional) Configure the value of the fragment offset field.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
  user@host# set fragment-offset fragment-offset
- (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
  user@host# set packet-length packet-length
- (Optional) Verify your protocol condition configuration.
  [edit policies group dhcp list in rule forward-dhcp traffic-condition client-dhcp protocol-condition]
  user@host# show
  protocol 0;
  protocol-operation 1;
  ip-flags 0;
  ip-flags-mask 0;
  fragment-offset any;

Configuring Protocol Conditions with Ports
Use the following configuration statements to add general protocol conditions with ports to a classify-traffic condition:
policies group name list name rule name traffic-condition name protocol-port-condition {
  protocol protocol;
  protocol-operation protocol-operation;
  ip-flags ip-flags;
  ip-flags-mask ip-flags-mask;
  fragment-offset fragment-offset;
  packet-length packet-length;
}

policies group name list name rule name traffic-condition name protocol-port-condition destination-port port {
  port-operation port-operation;
  from-port from-port;
}

policies group name list name rule name traffic-condition name protocol-port-condition source-port port {
  port-operation port-operation;
  from-port from-port;
}

To add general protocol conditions with ports to a classify-traffic condition:
- From configuration mode, enter the protocol port condition configuration. For example:
  user@host# edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition
- Configure the protocol matched by this classify-traffic condition.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
  user@host# set protocol protocol
- Configure the policy to match packets with the protocol that is either equal or not equal to the specified protocol.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
  user@host# set protocol-operation protocol-operation
- (Optional) Configure the value of the IP flags field in the IP header.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
  user@host# set ip-flags ip-flags
- (Optional) Configure the mask that is associated with the IP flag.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
  user@host# set ip-flags-mask ip-flags-mask
- (Optional) Configure the value of the fragment offset field.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
  user@host# set fragment-offset fragment-offset
- (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
  user@host# set packet-length packet-length
- (Optional) Enter the destination port configuration for the protocol port configuration.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
  user@host# edit destination-port
- (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition destination-port port]
  user@host# set port-operation port-operation
- (Optional) Configure the destination port.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition destination-port port]
  user@host# set from-port from-port
- (Optional) Enter the source port configuration for the protocol port configuration.
  user@host# up
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
  user@host# edit source-port
- (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition source-port port]
  user@host# set port-operation port-operation
- (Optional) Configure the source port.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition source-port port]
  user@host# set from-port from-port
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition source-port port]
  user@host# up
- (Optional) Verify your protocol condition configuration.
  [edit policies group junos list bodVpn rule pr traffic-condition ctc protocol-port-condition]
  user@host# show
  protocol 17;
  protocol-operation 1;
  ip-flags ipFlags;
  ip-flags-mask ipFlagsMask;
  fragment-offset ipFragOffset;
  packet-length packetLength;
  destination-port {
    port {
      port-operation eq;
      from-port service_port;
    }
  }
  source-port {
    port {
      port-operation eq;
      from-port service_port;
    }
  }

Configuring Protocol Conditions with Parameters
Use the following configuration statements to configure classify-traffic conditions that contain a parameter value for the protocol:
policies group name list name rule name traffic-condition name parameter-protocol-condition {
  protocol protocol;
  protocol-operation protocol-operation;
  tcp-flags tcp-flags;
  tcp-flags-mask tcp-flags-mask;
  spi spi;
  ip-flags ip-flags;
  ip-flags-mask ip-flags-mask;
  fragment-offset fragment-offset;
  packet-length packet-length;
}

policies group name list name rule name traffic-condition name parameter-protocol-condition proto-attr {
  icmp-type icmp-type;
  icmp-code icmp-code;
  igmp-type igmp-type;
}

policies group name list name rule name traffic-condition name parameter-protocol-condition proto-attr destination-port port {
  port-operation port-operation;
  from-port from-port;
}

policies group name list name rule name traffic-condition name parameter-protocol-condition proto-attr source-port port {
  port-operation port-operation;
  from-port from-port;
}

To configure a protocol condition that contains a parameter value for the protocol:
- From configuration mode, enter the parameter protocol condition configuration. For example:
  user@host# edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition
- Assign a parameter as the protocol matched by this classify-traffic condition.
  Before you assign a parameter, you must create a parameter of type protocol and commit the parameter configuration.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# set protocol protocol
- (Optional) Configure the policy to match packets with the protocol that is either equal or not equal to the specified protocol.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# set protocol-operation protocol-operation
- (Optional) Configure the value of the TCP flags field in the IP header.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# set tcp-flags tcp-flags
- (Optional) Configure the mask associated with TCP flags.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# set tcp-flags-mask tcp-flags-mask
- (Optional) Specify the authentication header (AH) or the encapsulating security payload (ESP) security parameter index (SPI).
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# set spi spi
- (Optional) Configure the value of the IP flags field in the IP header.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# set ip-flags ip-flags
- (Optional) Configure the mask that is associated with the IP flag.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# set ip-flags-mask ip-flags-mask
- (Optional) Configure the value of the fragment offset field.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# set fragment-offset fragment-offset
- (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# set packet-length packet-length
- (Optional) Enter the protocol attribute configuration.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# edit proto-attr
- (Optional) Configure the ICMP packet type.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
  user@host# set icmp-type icmp-type
- (Optional) Configure the ICMP code.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
  user@host# set icmp-code icmp-code
- (Optional) Configure the IGMP packet type on which to match.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
  user@host# set igmp-type igmp-type
- (Optional) Enter the destination port configuration.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
  user@host# edit destination-port port
- (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr destination-port port]
  user@host# set port-operation port-operation
- (Optional) Configure the TCP or UDP destination port.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr destination-port port]
  user@host# set from-port from-port
- (Optional) Enter the source port configuration.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr destination-port port]
  user@host# up
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
  user@host# edit source-port port
- (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr source-port port]
  user@host# set port-operation port-operation
- (Optional) Configure the TCP or UDP source port.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr source-port port]
  user@host# set from-port from-port
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr source-port port]
  user@host# up
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr source-port]
  user@host# up
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition proto-attr]
  user@host# up
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# up
- (Optional) Verify the parameter protocol configuration.
  [edit policies group junose list dhcp rule forward-dhcp traffic-condition ctc parameter-protocol-condition]
  user@host# show
  protocol protocol;
  protocol-operation is;
  tcp-flags 0;
  tcp-flags-mask 0;
  ip-flags 0;
  ip-flags-mask 0;
  proto-attr {
    icmp-type 255;
    icmp-code 255;
    destination-port {
      port {
        port-operation eq;
        from-port outsidePort;
      }
    }
  }

Configuring TCP Conditions
Use the following configuration statements to add TCP conditions to a classify-traffic condition:
policies group name list name rule name traffic-condition name tcp-condition {
  tcp-flags tcp-flags;
  tcp-flags-mask tcp-flags-mask;
  protocol protocol;
  protocol-operation protocol-operation;
  ip-flags ip-flags;
  ip-flags-mask ip-flags-mask;
  fragment-offset fragment-offset;
  packet-length packet-length;
}

Because the protocol is already set to TCP, do not change the protocol or protocol-operation options.

policies group name list name rule name traffic-condition name tcp-condition destination-port port {
  port-operation port-operation;
  from-port from-port;
}

policies group name list name rule name traffic-condition name tcp-condition source-port port {
  port-operation port-operation;
  from-port from-port;
}

To add TCP conditions to a classify-traffic condition:
- From configuration mode, enter the TCP configuration. For example:
  user@host# edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition
- (Optional) Configure the value of the TCP flags field in the IP header.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
  user@host# set tcp-flags tcp-flags
- (Optional) Configure the mask associated with TCP flags.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
  user@host# set tcp-flags-mask tcp-flags-mask
- (Optional) Configure the value of the IP flags field in the IP header.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
  user@host# set ip-flags ip-flags
- (Optional) Configure the mask that is associated with the IP flag.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
  user@host# set ip-flags-mask ip-flags-mask
- (Optional) Configure the value of the fragment offset field.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
  user@host# set fragment-offset fragment-offset
- (Optional) For JUNOS filter policies, configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
  user@host# set packet-length packet-length
- (Optional) Enter the destination port configuration for the TCP configuration.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
  user@host# edit destination-port port
- (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition destination-port port]
  user@host# set port-operation port-operation
- (Optional) Configure the destination port.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition destination-port port]
  user@host# set from-port from-port
- (Optional) Enter the source port configuration for the TCP configuration.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition destination-port port]
  user@host# up
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
  user@host# edit source-port port
- (Optional) Configure the policy to match packets with a port that is either equal or not equal to the specified port.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition source-port port]
  user@host# set port-operation port-operation
- (Optional) Configure the source port.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition source-port port]
  user@host# set from-port from-port
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition source-port port]
  user@host# up
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition source-port]
  user@host# up
- (Optional) Verify the TCP condition configuration.
  [edit policies group junos list tcpCondition rule pr traffic-condition ctc tcp-condition]
  user@host# show
  tcp-flags 0;
  tcp-flags-mask 0;
  protocol tcp;
  protocol-operation is;
  ip-flags 0;
  ip-flags-mask 0;
  destination-port {
    port {
      port-operation eq;
      from-port service_port;
    }
  }
  source-port {
    port {
      port-operation eq;
      from-port service_port;
    }
  }

Configuring ICMP Conditions
Use the following configuration statements to add ICMP conditions to a classify-traffic condition:
policies group name list name rule name traffic-condition name icmp-condition {
  protocol protocol;
  protocol-operation protocol-operation;
  ip-flags ip-flags;
  ip-flags-mask ip-flags-mask;
  fragment-offset fragment-offset;
  packet-length packet-length;
  icmp-type icmp-type;
  icmp-code icmp-code;
}

Because the protocol is already set to ICMP, do not change the protocol or protocol-operation options.

To add ICMP conditions to a classify-traffic condition:
- From configuration mode, enter the ICMP configuration. For example:
  user@host# edit policies group bod list input rule pr traffic-condition ctc icmp-condition
- (Optional) Configure the value of the IP flags field in the IP header.
  [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
  user@host# set ip-flags ip-flags
- (Optional) Configure the mask that is associated with the IP flag.
  [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
  user@host# set ip-flags-mask ip-flags-mask
- (Optional) Configure the value of the fragment offset field.
  [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
  user@host# set fragment-offset fragment-offset
- (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.
  [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
  user@host# set packet-length packet-length
- (Optional) Configure the ICMP packet type on which to match. The packet type must be supported by the router or CMTS device.
  [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
  user@host# set icmp-type icmp-type
- (Optional) Configure the ICMP code on which to match. The ICMP code must be supported by the router or CMTS device.
  [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
  user@host# set icmp-code icmp-code
- (Optional) Verify the ICMP condition configuration.
  [edit policies group bod list input rule pr traffic-condition ctc icmp-condition]
  user@host# show
  protocol icmp;
  protocol-operation 1;
  ip-flags ipFlags;
  ip-flags-mask ipFlagsMask;
  fragment-offset ipFragOffset;
  icmp-type icmpType;
  icmp-code icmpCode;

Configuring IGMP Conditions
Use the following configuration statements to add IGMP conditions to a classify-traffic condition:
policies group name list name rule name traffic-condition name igmp-condition {
  protocol protocol;
  protocol-operation protocol-operation;
  ip-flags ip-flags;
  ip-flags-mask ip-flags-mask;
  fragment-offset fragment-offset;
  packet-length packet-length;
  igmp-type igmp-type;
}
Because the protocol is already set to IGMP, do not change the protocol or protocol-operation options.
To add IGMP conditions to a classify-traffic condition:
- From configuration mode, enter the IGMP configuration. For example:
user@host#edit policies group junose list pl rule pr traffic-condition ctc igmp-condition
- (Optional) Configure the value of the IP flags field in the IP header.
[edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]user@host#set ip-flags
ip-flags
- (Optional) Configure the mask that is associated with the IP flag.
[edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]user@host#set ip-flags-mask
ip-flags-mask
- (Optional) Configure the value of the fragment offset field.
[edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]user@host#set fragment-offset
fragment-offset
- (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.
[edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]user@host#set packet-length
packet-length
- (Optional) Configure the IGMP packet type on which to match.
[edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]user@host#set igmp-type
igmp-type
- (Optional) Verify the IGMP condition configuration.
[edit policies group junose list pl rule pr traffic-condition ctc igmp-condition]user@host#show
protocol igmp;
protocol-operation 1;
ip-flags 0;
ip-flags-mask 0;
fragment-offset 0;
igmp-type igmpType;
Configuring IPSec Conditions
You can configure IPSec conditions for JUNOS policy rules. Use the following configuration statements to add IPSec conditions to a classify-traffic condition:
policies group name list name rule name traffic-condition name ipsec-condition {
  spi spi;
  ip-flags ip-flags;
  ip-flags-mask ip-flags-mask;
  fragment-offset fragment-offset;
  packet-length packet-length;
  protocol protocol;
  protocol-operation protocol-operation;
}
To add IPSec conditions to a classify-traffic condition:
- From configuration mode, enter the IPSec configuration. For example:
user@host#edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition
- (Optional) Specify the authentication header (AH) or the encapsulating security payload (ESP) security parameter index (SPI).
[edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]user@host#set spi
spi
- (Optional) Configure the value of the IP flags field in the IP header.
[edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]user@host#set ip-flags
ip-flags
- (Optional) Configure the mask that is associated with the IP flag.
[edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]user@host#set ip-flags-mask
ip-flags-mask
- (Optional) Configure the value of the fragment offset field.
[edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]user@host#set fragment-offset
fragment-offset
- (Optional) Configure the packet length on which to match. The length refers only to the IP packet, including the packet header, and does not include any layer 2 encapsulation overhead.
[edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]user@host#set packet-length
packet-length
- Configure the protocol matched by this classify-traffic condition.
[edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]user@host#set protocol
protocol
- (Optional) Verify the IPSec condition configuration.
[edit policies group vpn list input rule pr traffic-condition ctc ipsec-condition]user@host#show
spi 2;
ip-flags 0;
ip-flags-mask 0;
fragment-offset 0;
packet-length packetLength;
protocol ah;
protocol-operation 1;
Configuring ToS Byte Conditions
Use this condition to define a particular traffic flow to the service's network for the DA IP field in the IP packet.
The CoS feature on JUNOS routing platforms supports DiffServ as well as six-bit IP header ToS byte settings. The DiffServ protocol uses the ToS byte in the IP header. The most significant six bits of this byte form the Differentiated Services code point (DSCP). The CoS feature uses DSCPs to determine the forwarding class associated with each packet. It also uses the ToS byte and ToS byte mask to determine IP precedence.
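The bit layout described above, worked through as an added example that is not part of the SRC documentation: how DSCP and IP precedence are read from the ToS byte, and how a tos-byte / tos-byte-mask pair selects packets. The match rule (compare only the bits set in the mask) is an assumption about classifier semantics, and the sample ToS values are constructed.

```python
# Added example, not SRC code. Masks follow the layout given in the text:
# the six most significant bits of the ToS byte carry the DSCP, and the
# three most significant bits carry the IP precedence.
DSCP_MASK = 0xFC        # bits 7..2 of the ToS byte
PRECEDENCE_MASK = 0xE0  # bits 7..5 of the ToS byte


def dscp(tos_byte: int) -> int:
    """Differentiated Services code point: the top six bits of the ToS byte."""
    return (tos_byte & DSCP_MASK) >> 2


def ip_precedence(tos_byte: int) -> int:
    """IP precedence: the top three bits of the ToS byte."""
    return (tos_byte & PRECEDENCE_MASK) >> 5


def tos_matches(packet_tos: int, tos_byte: int, tos_byte_mask: int) -> bool:
    """Assumed classifier semantics: a packet matches when the bits selected by
    tos-byte-mask are equal in the packet's ToS byte and the configured tos-byte.
    A mask of 0xFC therefore matches on DSCP only, 0xE0 on precedence only, and
    0xFF on the whole byte including the two low (ECN) bits."""
    return (packet_tos & tos_byte_mask) == (tos_byte & tos_byte_mask)


def classify(packet_tos_values, tos_byte: int, tos_byte_mask: int) -> list:
    """Return the ToS values from packet_tos_values that the condition selects."""
    return [p for p in packet_tos_values if tos_matches(p, tos_byte, tos_byte_mask)]


# Constructed sample ToS bytes: EF (DSCP 46) without and with ECN bits set,
# AF11 (DSCP 10), and best effort (DSCP 0).
SAMPLE_TOS = [0xB8, 0xBA, 0x28, 0x00]


if __name__ == "__main__":
    for p in SAMPLE_TOS:
        print(f"tos=0x{p:02X} dscp={dscp(p):2d} precedence={ip_precedence(p)}")
    # DSCP-only match (0xFC) selects both EF packets regardless of ECN bits;
    # a full-byte match (0xFF) selects only the one without ECN bits set.
    print([hex(p) for p in classify(SAMPLE_TOS, 0xB8, 0xFC)])
    print([hex(p) for p in classify(SAMPLE_TOS, 0xB8, 0xFF)])
```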
Use the following configuration statements to add ToS conditions to a classify-traffic condition:
policies group name list name rule name traffic-condition name tos {
  tos-byte tos-byte;
  tos-byte-mask tos-byte-mask;
}
To add ToS conditions to a classify-traffic condition:
- From configuration mode, enter the ToS configuration. For example:
user@host#edit policies group junos list bodVpn rule pr traffic-condition ctc tos
- (Optional) Configure the value of the ToS byte in the IP packet header.
[edit policies group junos list bodVpn rule pr traffic-condition ctc tos]user@host#set tos-byte
tos-byte
- (Optional) Configure the mask associated with the ToS byte.
[edit policies group junos list bodVpn rule pr traffic-condition ctc tos]user@host#set tos-byte-mask
tos-byte-mask
- (Optional) Verify the ToS condition configuration.
[edit policies group junos list bodVpn rule pr traffic-condition ctc tos]user@host#show
tos-byte tosByte;
tos-byte-mask tosMask;
Configuring JUNOS Filter Conditions
Use the following configuration statements to configure JUNOS filter conditions.
policies group name list name rule name traffic-condition name traffic-match-condition {
  forwarding-class forwarding-class;
  interface-group interface-group;
  source-class source-class;
  destination-class destination-class;
  allow-ip-options allow-ip-options;
}
To add JUNOS filter conditions to a classify-traffic condition:
- From configuration mode, enter the application protocol configuration. For example:
user@host#edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition
- (Optional) Configure the name of a forwarding class to match.
[edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]user@host#set forwarding-class
forwarding-class
- (Optional) Configure the condition to match packets based on the interface group on which the packet was received.
[edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]user@host#set interface-group
interface-group
- (Optional) Configure the condition to match packets based on source class. A source class is a set of source prefixes grouped together and given a class name. You usually match source and destination classes for output firewall filters.
You cannot match on both source class and destination class at the same time. You must choose one or the other.
[edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]user@host#set source-class
source-class
- (Optional) Configure the condition to match packets based on destination class. A destination class is a set of destination prefixes grouped together and given a class name. You usually match source and destination classes for output firewall filters.
You cannot match on both source class and destination class at the same time. You must choose one or the other.
[edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]user@host#set destination-class
destination-class
- (Optional) Configure the condition to match packets based on IP options.
[edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]user@host#set allow-ip-options
allow-ip-options
- (Optional) Verify the JUNOS filter condition configuration.
[edit policies group junos list bodVpn rule pr traffic-condition ctc traffic-match-condition]user@host#show
forwarding-class fc_expedited;
interface-group 42;
source-class gold-class;
destination-class gold-class;
allow-ip-options strict-source-route;
Configuring Application Protocol Conditions
You can define application protocols for the stateful firewall and NAT services to use in match condition rules. An application protocol defines application parameters by using information from network layer 3 and above. Examples of such applications are FTP and H.323.
Use the following configuration statements to add application protocol conditions to a classify-traffic condition:
policies group name list name rule name traffic-condition name application-protocol-condition name {
  protocol protocol;
  application-protocol application-protocol;
  idle-timeout idle-timeout;
  dce-rpc-uuid dce-rpc-uuid;
  rpc-program-number rpc-program-number;
  snmp-command snmp-command;
  ttl-threshold ttl-threshold;
}
policies group name list name rule name traffic-condition name application-protocol-condition name proto-attr {
  icmp-type icmp-type;
  icmp-code icmp-code;
}
policies group name list name rule name traffic-condition name application-protocol-condition name proto-attr destination-port port {
  from-port from-port;
}
policies group name list name rule name traffic-condition name application-protocol-condition name proto-attr source-port port {
  from-port from-port;
}
To add application protocol conditions to a classify-traffic condition:
- From configuration mode, enter the application protocol configuration. In this procedure, apc is the name of the application protocol condition. For example:
user@host#edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc
- (Optional) Configure the network protocol to match.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]user@host#set protocol
protocol
- (Optional) Configure the application protocol to match.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]user@host#set application-protocol
application-protocol
- (Optional) Configure the length of time the application is inactive before it times out.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]user@host#set idle-timeout
idle-timeout
- (Optional) For the DCE RPC application protocol, configure the universal unique identifier (UUID).
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]user@host#set dce-rpc-uuid
dce-rpc-uuid
- (Optional) For the remote procedure call (RPC) application protocol, configure an RPC program number.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]user@host#set rpc-program-number
rpc-program-number
- (Optional) Configure the SNMP command for packet matching.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]user@host#set snmp-command
snmp-command
- (Optional) For the traceroute application protocol, configure the traceroute time-to-live (TTL) threshold value. This value sets the acceptable level of network penetration for trace routing.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]user@host#set ttl-threshold
ttl-threshold
- (Optional) Enter configuration mode for the protocol attribute.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]user@host#edit proto-attr
- (Optional) For the ICMP protocol, configure the ICMP packet type.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]user@host#set icmp-type
icmp-type
- (Optional) For the ICMP protocol, configure the ICMP code.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]user@host#set icmp-code
icmp-code
- (Optional) Enter the destination port configuration.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]user@host#edit destination-port port
- (Optional) Configure the TCP or UDP destination port.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr destination-port port]user@host#set from-port
from-port
- (Optional) Enter the source port configuration.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr destination-port port]user@host#up
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]user@host#edit source-port port
- (Optional) Configure the TCP or UDP source port.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr source-port port]user@host#set from-port
from-port
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr source-port port]user@host#up
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr source-port]user@host#up
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc proto-attr]user@host#up
- (Optional) Verify the application protocol condition configuration.
[edit policies group junos list staticnat rule nat traffic-condition ctc application-protocol-condition apc]user@host#show
protocol ip;
application-protocol dce_rpc;
idle-timeout 900;
dce-rpc-uuid dce_rpc;
snmp-command get;
ttl-threshold 25;
proto-attr {
  icmp-type icmpType;
  icmp-code icmpCode;
  destination-port {
    port {
      from-port 11..655;
    }
  }
  source-port {
    port {
      from-port service_port;
    }
  }
}
Using Map Expressions in Application Protocol Conditions
The application protocol condition is a case in which you might use a map expression to define multiple attributes in one option, the application-protocol option. Maps are a list of attributeName=value pairs separated by commas and enclosed in curly brackets. For example, the map {applicationProtocol="ftp", sourcePort=123, inactivityTimeout=60} supplies the application protocol, source port, and inactivity timeout in one option. Another map {applicationType="tcp", inactivityTimeout=60, destinationPort=80} supplies the protocol, inactivity timeout, and destination port.
You can also create a local parameter, add a map expression as the default value of the parameter, and then enter the local parameter in the application-protocol option.
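The map syntax described above, {attributeName=value, ...}, as an added example that is not part of the SRC software or its documentation: a parser that turns a map expression into a dictionary and a formatter that builds one back. Treating bare integer tokens as numbers and rejecting a repeated attribute name are this example's assumptions; the two sample maps are the ones quoted in the text.

```python
import re

# Added example, not SRC code. One attributeName=value pair: the value is
# either a double-quoted string (which may contain commas) or a bare token
# running up to the next comma or the end of the map body.
_PAIR_RE = re.compile(r'\s*([A-Za-z_]\w*)\s*=\s*("(?:[^"\\]|\\.)*"|[^,}]+?)\s*(?:,|$)')


def _convert(raw: str):
    """Turn one raw value token into a Python value (assumed typing rules)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"')
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw  # bare non-numeric token, kept verbatim


def parse_map_expression(text: str) -> dict:
    """Parse '{a=1, b="x"}' into {'a': 1, 'b': 'x'}; raise ValueError on bad input."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("map expression must be enclosed in curly brackets")
    body = body[1:-1].strip()
    result = {}
    pos = 0
    while pos < len(body):
        match = _PAIR_RE.match(body, pos)
        if match is None:
            raise ValueError(f"malformed attribute at offset {pos}: {body[pos:]!r}")
        name, raw = match.group(1), match.group(2)
        if name in result:
            raise ValueError(f"attribute {name!r} given more than once")
        result[name] = _convert(raw)
        pos = match.end()
    return result


def format_map_expression(attrs: dict) -> str:
    """Inverse of parse_map_expression: quote strings, leave integers bare."""
    parts = []
    for name, value in attrs.items():
        if isinstance(value, str):
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{name}={value}")
    return "{" + ", ".join(parts) + "}"


# Constructed inputs: the two maps quoted in the text above.
FTP_MAP = '{applicationProtocol="ftp", sourcePort=123, inactivityTimeout=60}'
TCP_MAP = '{applicationType="tcp", inactivityTimeout=60, destinationPort=80}'
```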