Configuring Classify-Traffic Conditions with the C-Web Interface
You create classify-traffic conditions in JUNOSe policy rules, in JUNOS ASP and JUNOS filter policy rules, and in PCMM policy rules.
The available configuration statements change depending on the type of policy rule that holds the condition and on the type of protocol that you specify.
To configure a classify-traffic condition, do the following:
- Configure protocol conditions. The type of protocol condition that you use depends on your configuration.
NOTE: PCMM classifiers support only the following classifiers:
Before You Configure Classify-Traffic Conditions
If you are configuring classifiers for PCMM policies, you can specify whether the classifier will be used in a PCMM I02 or I03 network. By default, the software translates classify-traffic conditions into PCMM I02 classifiers.
For JUNOSe policies, you can specify that the SAE expand the classifier into multiple classifiers before it installs the policy on the router.
Enabling Expansion of JUNOSe Classify-Traffic Conditions
For information about expanded classifiers, see Expanded Classifiers in SRC-PE Services and Policies Guide, Chapter 6, Policy Management Overview.
To specify whether or not the SAE expands the JUNOSe classify-traffic conditions into multiple classifiers before it installs the policy on the router:
- Select Configure, and expand Shared>SAE>Configuration>Policy Management Configuration.
- Check or clear the Enable JUNOSe Classifier Expansion box, and click Apply.
Specifying the PCMM Classifier Type
To specify whether or not the SAE sends classifiers that comply with PCMM I03 to the router:
- Select Configure, expand Shared>SAE>Configuration>Driver, and select pcmm.
- Check or clear the Disable PCMM I03 Policy box, and click Apply.
Specifying Port Access for Traffic Classification
In the SRC software, the way that you specify a range of port numbers greater than or less than a specific value in a traffic classifier is different from the way you define a range in the configuration on JUNOSe routers.
In the C-Web interface, you specify ranges by setting values in the Port Operation boxes.
To specify a range of port numbers greater than or less than a specified value, you can:
- Define the full set of port numbers in the range to be allowed.
- Define the full set of port numbers in the range not allowed.
To configure port numbers greater than a defined value by specifying which values are allowed, specify the range of allowed port numbers. For example, to specify access to all port numbers greater than 10, specify 11..65535.
To configure port numbers greater than a defined value by specifying which values are not allowed:
- From the Port Operation list, select neq.
- In the From Port box, enter the range of ports not allowed. For example, to specify access to all port numbers greater than 10, specify 1..9.
To configure port numbers less than a defined value by specifying which values are allowed, specify the range of allowed port numbers. For example, to specify access to all port numbers less than 10, specify 1..9.
To configure port numbers less than a defined value by specifying which values are not allowed, specify the range of port numbers that are not allowed. For example, to specify access to all port numbers less than 10, specify 11..65535.
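The allowed-range and not-allowed-range formulations above are meant to describe the same traffic, so it is worth checking that the two ranges you enter really match the same set of ports before the policy is installed. The following helper is an added example, not code from the SRC-PE documentation or the SRC software: it models a Port Operation plus a port range as the set of ports it matches and reports where two specifications disagree. It assumes a valid port domain of 1..65535 (taken from the page's own example ranges) and assumes that the allowed-range operation is named eq, as the counterpart of the neq operation the page does name. Run on the page's two formulations of "greater than 10", it shows that 11..65535 and neq 1..9 differ on port 10 itself, which is the boundary to decide on deliberately.

```python
# Added example (not part of the SRC-PE documentation): compare two C-Web
# port classifier specifications for equivalence.
# Assumption: valid ports are 1..65535 (the page's own examples use 1..9 and
# 11..65535). Assumption: "eq" names the allowed-range operation; "neq" is the
# not-allowed-range operation shown on the page.

PORT_MIN, PORT_MAX = 1, 65535


def parse_range(text):
    """Parse 'low..high' (or a single port) into (low, high), checking bounds."""
    text = text.strip()
    if ".." in text:
        low_text, high_text = text.split("..", 1)
        low, high = int(low_text), int(high_text)
    else:
        low = high = int(text)
    if not (PORT_MIN <= low <= high <= PORT_MAX):
        raise ValueError(f"port range out of bounds: {text!r}")
    return low, high


def matched_ports(operation, range_text):
    """Return the set of ports that a (Port Operation, range) pair matches."""
    low, high = parse_range(range_text)
    in_range = set(range(low, high + 1))
    if operation == "eq":
        return in_range
    if operation == "neq":
        return set(range(PORT_MIN, PORT_MAX + 1)) - in_range
    raise ValueError(f"unknown port operation: {operation!r}")


def greater_than(n):
    """The ports an operator usually means by 'greater than n'."""
    return set(range(n + 1, PORT_MAX + 1))


def less_than(n):
    """The ports an operator usually means by 'less than n'."""
    return set(range(PORT_MIN, n))


def compare(spec_a, spec_b):
    """Return the ports matched by exactly one of two (operation, range) specs.

    An empty result means the two specifications are equivalent.
    """
    return matched_ports(*spec_a) ^ matched_ports(*spec_b)


if __name__ == "__main__":
    # The page's two formulations of "greater than 10".
    print(sorted(compare(("eq", "11..65535"), ("neq", "1..9"))))   # [10]
    # The page's two formulations of "less than 10".
    print(sorted(compare(("eq", "1..9"), ("neq", "11..65535"))))   # [10]
```

A non-empty result from compare() is not necessarily an error; it tells you which ports sit on the boundary so you can widen or narrow one of the ranges to match the access you intend.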
Creating a Classify-Traffic Condition
You create classify-traffic conditions within policy rules.
To add a classify-traffic condition:
- In the side pane, select a policy rule.
- From the Create new list, select Traffic Condition. Type a name for the traffic condition, and click OK.
- Enter information as described in the Help text in the main pane, and click Apply.
Configuring Source Networks
To configure a source network in a classify-traffic condition:
- In the side pane, expand a traffic condition, expand Source Network, and select Network.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring Source Grouped Networks
You can configure source networks in grouped format. For JUNOS ASP policy rules, you must enter source networks in grouped format.
To configure a grouped source network in a classify-traffic condition:
- In the side pane, expand a traffic condition, expand Source Network, and select Group Network.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring Destination Networks
To configure a destination network in a classify-traffic condition:
- In the side pane, expand a traffic condition, expand Destination Network, and select Network.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring Destination Grouped Networks
You can configure destination networks in grouped format. For JUNOS ASP policy rules, you must enter destination networks in grouped format.
To configure a grouped destination network in a classify-traffic condition:
- In the side pane, expand a traffic condition, expand Destination Network, and select Group Network.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring Protocol Conditions
The procedure in this section shows how to configure general protocol conditions.
- If your condition includes port numbers, use the procedure in Configuring Protocol Conditions with Ports.
- If your condition consists of a protocol that is assigned with a parameter value, use the procedure in Configuring Protocol Conditions with Parameters.
To configure general protocol conditions in a classify-traffic condition:
- In the side pane, expand a traffic condition, and select Protocol Condition.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring Protocol Conditions with Ports
To configure general protocol conditions with ports in a classify-traffic condition:
- In the side pane, expand a traffic condition, and select Protocol Port Condition.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
To configure source and destination ports for protocol conditions:
- In the side pane, expand Protocol Port Condition>Source Port, and select Port.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
- In the side pane, expand Protocol Port Condition>Destination Port, and select Port.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring Protocol Conditions with Parameters
Before you assign a parameter for the protocol, you must create a parameter of type protocol and commit the parameter configuration.
To configure a protocol condition that contains a parameter value for the protocol:
- In the side pane, select a policy rule.
- From the Create new list, expand a traffic condition, and select Parameter Protocol Condition.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
- (Optional) To configure protocol attributes:
  - In the side pane, expand Parameter Protocol Condition, and select Proto Attr.
  - Click Create, enter information as described in the Help text in the main pane, and click Apply.
To configure source and destination ports:
- In the side pane, expand Proto Attr>Source Port, and select Port.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
- In the side pane, expand Proto Attr>Destination Port, and select Port.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring TCP Conditions
To configure TCP conditions in a classify-traffic condition:
- In the side pane, expand a traffic condition, and select TCP Condition.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
To configure source and destination ports for TCP conditions:
- In the side pane, expand TCP Condition>Source Port, and select Port.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
- In the side pane, expand TCP Condition>Destination Port, and select Port.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring ICMP Conditions
To configure ICMP conditions in a classify-traffic condition:
- In the side pane, expand a traffic condition, and select Icmp Condition.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring IGMP Conditions
To configure IGMP conditions in a classify-traffic condition:
- In the side pane, expand a traffic condition, and select Igmp Condition.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring IPSec Conditions
You can configure IPSec conditions for JUNOS policy rules.
To configure IPSec conditions:
- In the side pane, expand a JUNOS traffic condition, and select Ipsec.
- Enter information as described in the Help text in the main pane, and click Apply.
Configuring ToS Byte Conditions
Use this condition to define a particular traffic flow to the service's network for the DA IP field in the IP packet.
The CoS feature on JUNOS routing platforms supports DiffServ as well as six-bit IP header ToS byte settings. The DiffServ protocol uses the ToS byte in the IP header. The most significant six bits of this byte form the Differentiated Services code point (DSCP). The CoS feature uses DSCPs to determine the forwarding class associated with each packet. It also uses the ToS byte and ToS byte mask to determine IP precedence.
To configure ToS byte conditions in a classify-traffic condition:
- In the side pane, expand a traffic condition, and select ToS.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
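To make the ToS byte, DSCP and IP precedence relationship concrete, here is an added example that is not part of the SRC-PE documentation or the SRC software. It derives the DSCP (the most significant six bits) and the IP precedence (the most significant three bits) from a ToS byte, and evaluates a ToS byte condition given as a value and a mask against a packet's ToS byte. The matching rule, that a condition matches when the masked bits of the packet equal the masked bits of the condition value, is an assumption of this example, as are the sample condition names and the DSCP values used as input.

```python
# Added example (not part of the SRC-PE documentation): ToS byte, DSCP and
# IP precedence arithmetic, plus value/mask matching for a ToS condition.
# Assumption: a ToS condition matches when (packet & mask) == (value & mask).

DSCP_MASK = 0xFC        # most significant six bits of the ToS byte
PRECEDENCE_MASK = 0xE0  # most significant three bits (IP precedence)


def _check_byte(value, name):
    if not 0 <= value <= 0xFF:
        raise ValueError(f"{name} must be a single byte, got {value!r}")


def dscp(tos):
    """Differentiated Services code point carried in the ToS byte."""
    _check_byte(tos, "tos")
    return (tos & DSCP_MASK) >> 2


def ip_precedence(tos):
    """IP precedence: the top three bits of the ToS byte."""
    _check_byte(tos, "tos")
    return (tos & PRECEDENCE_MASK) >> 5


def tos_from_dscp(code_point):
    """ToS byte value for a DSCP, with the two low (ECN) bits clear."""
    if not 0 <= code_point <= 63:
        raise ValueError(f"DSCP must be 0..63, got {code_point!r}")
    return code_point << 2


def tos_matches(packet_tos, cond_value, cond_mask):
    """True when the bits selected by cond_mask agree between packet and condition."""
    for value, name in ((packet_tos, "packet_tos"), (cond_value, "cond_value"),
                        (cond_mask, "cond_mask")):
        _check_byte(value, name)
    return (packet_tos & cond_mask) == (cond_value & cond_mask)


def classify(packet_tos, conditions):
    """Return the name of the first (name, value, mask) condition that matches,
    or None when no condition matches."""
    for name, value, mask in conditions:
        if tos_matches(packet_tos, value, mask):
            return name
    return None


# Constructed sample conditions (names are illustrative, not from the page):
# match DSCP 46 exactly on the six DSCP bits, then any precedence-5 traffic.
SAMPLE_CONDITIONS = [
    ("dscp-46", tos_from_dscp(46), DSCP_MASK),
    ("precedence-5", 0xA0, PRECEDENCE_MASK),
]

if __name__ == "__main__":
    for tos in (0xB8, 0xBA, 0xA8, 0x28):
        print(f"tos=0x{tos:02X} dscp={dscp(tos)} precedence={ip_precedence(tos)} "
              f"-> {classify(tos, SAMPLE_CONDITIONS)}")
```

The mask is what decides whether the two low-order ECN bits take part in the comparison; a mask of 0xFC ignores them, so a packet with ToS 0xBA still matches a DSCP 46 condition, while a mask of 0xFF would reject it.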
Configuring JUNOS Filter Conditions
To configure traffic match conditions in JUNOS filter policy rules:
- In the side pane, select a JUNOS filter policy rule.
- From the Create new list, select Traffic Condition. Type a name for the traffic condition, and click OK.
- In the side pane, expand the traffic condition, and select Traffic Match Condition.
- Click Create, enter information as described in the Help text in the main pane, and click Apply.
Configuring Application Protocol Conditions
You can define application protocols for the stateful firewall and NAT services to use in match condition rules. An application protocol defines application parameters by using information from network layer 3 and above. Examples of such applications are FTP and H.323.
Creating and Configuring an Application Protocol Condition
To create and configure an application protocol condition:
- In the side pane, select an ASP policy rule.
- From the Create new list, select Traffic Condition. Type a name for the traffic condition, and click OK.
- Enter information as described in the Help text in the main pane, and click Apply.
- From the Create new list, select Application Protocol Condition. Type a name for the application protocol condition, and click OK.
- Enter information as described in the Help text in the main pane, and click Apply.
- (Optional) To configure protocol attributes:
  - In the side pane, expand the application protocol condition, and select Proto Attr.
  - Click Create, enter information as described in the Help text in the main pane, and click Apply.
  - In the side pane, expand Proto Attr>Destination Port, and select Port.
  - Click Create, enter information as described in the Help text in the main pane, and click Apply.
  - In the side pane, expand Proto Attr>Source Port, and select Port.
  - Click Create, enter information as described in the Help text in the main pane, and click Apply.
Using Map Expressions in Application Protocol Conditions
The application protocol condition is a case in which you might use a map expression to define multiple attributes in one option—the application-protocol option. Maps are a list of attributeName=value pairs separated by commas and enclosed in curly brackets. For example, the map {applicationProtocol="ftp", sourcePort=123, inactivityTimeout=60} supplies the application protocol, source port, and inactivity timeout in one option. Another map {applicationType="tcp", inactivityTimeout=60, destinationPort=80} supplies the protocol, inactivity timeout, and destination port.
You can also create a local parameter, add a map expression as the default value of the parameter, and then enter the local parameter in the application-protocol option.
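Because a map expression packs several attributes into one option, a malformed or out-of-range value is easy to miss until the policy fails to install. The parser below is an added example, not code from the SRC-PE documentation or the SRC software: it reads the map syntax the page describes (comma-separated attributeName=value pairs in curly brackets, with quoted string or integer values) into a dictionary and runs a few sanity checks on the result. The set of attribute names and the checks applied to them are assumptions drawn only from the page's two examples; the real application-protocol option may accept further attributes, so unknown names are reported rather than rejected.

```python
# Added example (not part of the SRC-PE documentation): parse and sanity-check
# a map expression such as
#   {applicationProtocol="ftp", sourcePort=123, inactivityTimeout=60}
# Assumption: attribute names below are the ones the page's examples use; any
# other name is reported as unknown, not rejected.
import re

STRING_KEYS = {"applicationProtocol", "applicationType"}
PORT_KEYS = {"sourcePort", "destinationPort"}
TIMEOUT_KEYS = {"inactivityTimeout"}
KNOWN_KEYS = STRING_KEYS | PORT_KEYS | TIMEOUT_KEYS

# One attributeName=value pair: a quoted string or an integer, then a comma
# or the end of the map body. Quoted strings may contain commas.
_PAIR = re.compile(
    r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"([^"]*)"|(-?\d+))\s*(,|$)'
)


def parse_map(text):
    """Parse a map expression into a dict of attributeName -> value."""
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("map must be enclosed in curly brackets")
    body = text[1:-1]
    result = {}
    pos = 0
    while pos < len(body):
        match = _PAIR.match(body, pos)
        if not match:
            raise ValueError(f"malformed attribute pair near: {body[pos:]!r}")
        key, string_value, int_value, separator = match.groups()
        if key in result:
            raise ValueError(f"duplicate attribute: {key}")
        result[key] = string_value if string_value is not None else int(int_value)
        pos = match.end()
        if separator == "," and pos >= len(body):
            raise ValueError("trailing comma in map")
    return result


def validate_map(attributes):
    """Return a list of problems found in a parsed map (empty when it looks sane)."""
    problems = []
    for key, value in attributes.items():
        if key in STRING_KEYS and not isinstance(value, str):
            problems.append(f"{key} must be a quoted string")
        elif key in PORT_KEYS and not (isinstance(value, int) and 1 <= value <= 65535):
            problems.append(f"{key} must be an integer in 1..65535")
        elif key in TIMEOUT_KEYS and not (isinstance(value, int) and value >= 0):
            problems.append(f"{key} must be a non-negative integer")
        elif key not in KNOWN_KEYS:
            problems.append(f"unknown attribute: {key}")
    return problems


def check_map(text):
    """Parse then validate; returns (attributes, problems)."""
    attributes = parse_map(text)
    return attributes, validate_map(attributes)


if __name__ == "__main__":
    for sample in (
        '{applicationProtocol="ftp", sourcePort=123, inactivityTimeout=60}',
        '{applicationType="tcp", inactivityTimeout=60, destinationPort=80}',
        '{sourcePort=70000}',   # constructed bad input
    ):
        print(check_map(sample))
```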