

Configuring Classify-Traffic Conditions with the C-Web Interface

You create classify-traffic conditions in JUNOSe policy rules, in JUNOS ASP and JUNOS filter policy rules, and in PCMM policy rules.

The available configuration statements change depending on the type of policy rule that holds the condition and on the type of protocol that you specify.

To configure a classify-traffic condition, do the following:

  1. Create a classify-traffic condition. See:
  2. Configure source networks. You can configure source networks in one of two formats. See:
  3. Configure destination networks. You can configure destination networks in one of two formats. See:
  4. Configure protocol conditions. The type of protocol condition that you use depends on your configuration.
  5. For JUNOS filter policies, configure a JUNOS filter condition. See:
  6. For the stateful firewall and NAT policies, configure an application protocol condition. See:


NOTE: PCMM classifiers support only the following classifiers:

  • Source and destination IP addresses
  • Network protocol
  • Source or destination port
  • Type-of-service (ToS) byte and ToS mask

The policy engine ignores all other values.


Before You Configure Classify-Traffic Conditions

If you are configuring classifiers for PCMM policies, you can specify whether the classifier will be used in a PCMM I02 or I03 network. By default, the software translates classify-traffic conditions into PCMM I02 classifiers.

For JUNOSe policies, you can specify that the SAE expand the classifier into multiple classifiers before it installs the policy on the router.

Enabling Expansion of JUNOSe Classify-Traffic Conditions

For information about expanded classifiers, see Expanded Classifiers in SRC-PE Services and Policies Guide, Chapter 6, Policy Management Overview.

To specify whether or not the SAE expands the JUNOSe classify-traffic conditions into multiple classifiers before it installs the policy on the router:

  1. Select Configure, and expand Shared>SAE>Configuration>Policy Management Configuration.
  2. Check or clear the Enable JUNOSe Classifier Expansion box, and click Apply.

Specifying the PCMM Classifier Type

To specify whether or not the SAE sends to the router classifiers that comply with PCMM I03:

  1. Select Configure, expand Shared>SAE>Configuration>Driver, and select pcmm.
  2. Check or clear the Disable PCMM I03 Policy box, and click Apply.

Specifying Port Access for Traffic Classification

In the SRC software, the way that you specify a range of port numbers greater than or less than a specific value in a traffic classifier is different from the way you define a range in the configuration on JUNOSe routers.

In the C-Web interface, you specify ranges by setting values in the Port Operation boxes.

To specify a range of port numbers greater or less than a specified value, you can:

To configure port numbers greater than a defined value by specifying which values are allowed:

  1. From the Port Operation list, select eq.
  2. In the From Port box, enter the range of ports allowed.

For example, to specify access to all port numbers greater than 10, specify 11..65535.

To configure port numbers greater than a defined value by specifying which values are not allowed:

  1. From the Port Operation list, select neq.
  2. In the From Port box, enter the range of ports not allowed.

For example, to specify access to all port numbers greater than 10, specify 1..9.

To configure port numbers less than a defined value by specifying which values are allowed:

  1. From the Port Operation list, select eq.
  2. In the From Port box, enter the range of ports.

For example, to specify access to all port numbers less than 10, specify 1..9.

To configure port numbers less than a defined value by specifying which values are not allowed:

  1. From the Port Operation list, select neq.
  2. In the From Port box, enter the range of ports.

For example, to specify access to all port numbers less than 10, specify 11..65535.
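
The following check is an added example, not part of the original documentation. It computes which ports an eq or neq setting matches and compares that set with the stated intent, so boundary ports can be verified before a rule is applied. Under its assumptions (eq matches ports inside the From Port range, neq matches all others, valid ports are 1..65535), the neq ranges 1..9 and 11..65535 both leave port 10 matched.

```python
# Added example: models the Port Operation settings described above.
# Assumptions (not from the product documentation): "eq" matches the ports
# inside the From Port range, "neq" matches every other port, and valid
# ports are 1..65535 (the bounds used in the page's own examples).
PORT_MIN, PORT_MAX = 1, 65535
ALL_PORTS = set(range(PORT_MIN, PORT_MAX + 1))


def parse_range(text):
    """Parse 'low..high' (or a single port) into an inclusive (low, high) pair."""
    low, _, high = text.strip().partition("..")
    low, high = int(low), int(high or low)
    if not PORT_MIN <= low <= high <= PORT_MAX:
        raise ValueError(f"invalid port range: {text!r}")
    return low, high


def matched_ports(operation, from_port):
    """Return the set of ports that the classifier matches."""
    low, high = parse_range(from_port)
    inside = set(range(low, high + 1))
    if operation == "eq":
        return inside
    if operation == "neq":
        return ALL_PORTS - inside
    raise ValueError(f"unknown port operation: {operation!r}")


def intent_gap(operation, from_port, relation, bound):
    """Compare matched ports with the intent 'greater' or 'less' than bound.

    Returns (unexpected, missing): ports matched but not intended, and
    ports intended but not matched. Both lists are empty when they agree.
    """
    if relation == "greater":
        intended = set(range(bound + 1, PORT_MAX + 1))
    elif relation == "less":
        intended = set(range(PORT_MIN, bound))
    else:
        raise ValueError(f"unknown relation: {relation!r}")
    matched = matched_ports(operation, from_port)
    return sorted(matched - intended), sorted(intended - matched)


if __name__ == "__main__":
    # The four settings from the examples above, checked against their intent.
    for case in [("eq", "11..65535", "greater", 10), ("neq", "1..9", "greater", 10),
                 ("eq", "1..9", "less", 10), ("neq", "11..65535", "less", 10)]:
        print(case, "->", intent_gap(*case))
```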

Creating a Classify-Traffic Condition

You create classify-traffic conditions within policy rules.

To add a classify-traffic condition:

  1. In the side pane, select a policy rule.
  2. From the Create new list, select Traffic Condition. Type a name for the traffic condition, and click OK.
  3. Enter information as described in the Help text in the main pane, and click Apply.

Configuring Source Networks

To configure a source network in a classify-traffic condition:

  1. In the side pane, expand a traffic condition, expand Source Network, and select Network.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring Source Grouped Networks

You can configure source networks in grouped format. For JUNOS ASP policy rules, you must enter source networks in grouped format.

To configure a grouped source network in a classify-traffic condition:

  1. In the side pane, expand a traffic condition, expand Source Network, and select Group Network.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring Destination Networks

To configure a destination network in a classify-traffic condition:

  1. In the side pane, expand a traffic condition, expand Destination Network, and select Network.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring Destination Grouped Networks

You can configure destination networks in grouped format. For JUNOS ASP policy rules, you must enter destination networks in grouped format.

To configure a grouped destination network in a classify-traffic condition:

  1. In the side pane, expand a traffic condition, expand Destination Network, and select Group Network.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring Protocol Conditions

The procedure in this section shows how to configure general protocol conditions.

To configure general protocol conditions in a classify-traffic condition:

  1. In the side pane, expand a traffic condition, and select Protocol Condition.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring Protocol Conditions with Ports

To configure general protocol conditions with ports in a classify-traffic condition:

  1. In the side pane, expand a traffic condition, and select Protocol Port Condition.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

To configure source and destination ports for protocol conditions:

  1. In the side pane, expand Protocol Port Condition>Source Port, and select Port.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.
  3. In the side pane, expand Protocol Port Condition>Destination Port, and select Port.
  4. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring Protocol Conditions with Parameters

Before you assign a parameter for the protocol, you must create a parameter of type protocol and commit the parameter configuration.

To configure a protocol condition that contains a parameter value for the protocol:

  1. In the side pane, select a policy rule.
  2. From the Create new list, expand a traffic condition, and select Parameter Protocol Condition.
  3. Click Create, enter information as described in the Help text in the main pane, and click Apply.
  4. (Optional) To configure protocol attributes:
     1. In the side pane, expand Parameter Protocol Condition, and select Proto Attr.
     2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

To configure source and destination ports:

  1. In the side pane, expand Proto Attr>Source Port, and select Port.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.
  3. In the side pane, expand Proto Attr>Destination Port, and select Port.
  4. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring TCP Conditions

To configure TCP conditions:

  1. In the side pane, expand a traffic condition, and select TCP Condition.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

To configure source and destination ports for TCP conditions:

  1. In the side pane, expand TCP Condition>Source Port, and select Port.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.
  3. In the side pane, expand TCP Condition>Destination Port, and select Port.
  4. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring ICMP Conditions

To configure ICMP conditions:

  1. In the side pane, expand a traffic condition, and select Icmp Condition.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring IGMP Conditions

To configure IGMP conditions:

  1. In the side pane, expand a traffic condition, and select Igmp Condition.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring IPSec Conditions

You can configure IPSec conditions for JUNOS policy rules.

To configure IPSec conditions:

  1. In the side pane, expand a JUNOS traffic condition, and select Ipsec.
  2. Enter information as described in the Help text in the main pane, and click Apply.

Configuring ToS Byte Conditions

Use this condition to define a particular traffic flow to the service's network for the DA IP field in the IP packet.

The CoS feature on JUNOS routing platforms supports DiffServ as well as six-bit IP header ToS byte settings. The DiffServ protocol uses the ToS byte in the IP header. The most significant six bits of this byte form the Differentiated Services code point (DSCP). The CoS feature uses DSCPs to determine the forwarding class associated with each packet. It also uses the ToS byte and ToS byte mask to determine IP precedence.

To configure ToS byte conditions in a classify-traffic condition:

  1. In the side pane, expand a traffic condition, and select ToS.
  2. Click Create, enter information as described in the Help text in the main pane, and click Apply.
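
The following is an added example, not part of the original documentation, showing how a ToS byte and ToS mask pair relates to the DSCP and IP precedence described above. It assumes a packet matches when `(packet_tos & mask) == (value & mask)`; the function names are illustrative.

```python
# Added example: ToS byte / ToS mask matching and the DSCP view of the byte.
# Assumption (not from the product documentation): a packet matches when
# (packet_tos & mask) == (value & mask).
DSCP_MASK = 0xFC        # most significant six bits of the ToS byte
PRECEDENCE_MASK = 0xE0  # most significant three bits (IP precedence)


def dscp(tos):
    """Return the DSCP carried in the top six bits of the ToS byte."""
    return (tos & DSCP_MASK) >> 2


def ip_precedence(tos):
    """Return the IP precedence carried in the top three bits."""
    return (tos & PRECEDENCE_MASK) >> 5


def tos_matches(packet_tos, value, mask):
    """Apply the assumed value/mask comparison to one packet's ToS byte."""
    return (packet_tos & mask) == (value & mask)


def describe(value, mask):
    """Summarise every ToS byte that a value/mask pair selects."""
    for field in (value, mask):
        if not 0 <= field <= 0xFF:
            raise ValueError("ToS value and mask must each fit in one byte")
    selected = [t for t in range(256) if tos_matches(t, value, mask)]
    return {
        "tos_bytes": len(selected),
        "dscps": sorted({dscp(t) for t in selected}),
        "precedences": sorted({ip_precedence(t) for t in selected}),
        # True when the mask also tests the two low-order bits outside the DSCP.
        "low_bits_significant": bool(mask & 0x03),
    }


if __name__ == "__main__":
    # Constructed samples: ToS byte 0xB8 carries DSCP 46 and precedence 5.
    for value, mask in [(0xB8, 0xFC), (0xB8, 0xE0), (0xB8, 0xFF)]:
        print(f"value=0x{value:02X} mask=0x{mask:02X} -> {describe(value, mask)}")
```

With these samples, mask 0xE0 selects all eight DSCPs that share precedence 5, while mask 0xFF selects a single ToS byte and stops matching packets whose two low-order bits are set.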

Configuring JUNOS Filter Conditions

To configure traffic match conditions in JUNOS filter policy rules:

  1. In the side pane, select a JUNOS filter policy rule.
  2. From the Create new list, select Traffic Condition. Type a name for the traffic condition, and click OK.
  3. In the side pane, expand the traffic condition, and select Traffic Match Condition.
  4. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Configuring Application Protocol Conditions

You can define application protocols for the stateful firewall and NAT services to use in match condition rules. An application protocol defines application parameters by using information from network layer 3 and above. Examples of such applications are FTP and H.323.

Creating and Configuring an Application Protocol Condition

To create and configure an application protocol condition:

  1. In the side pane, select an ASP policy rule.
  2. From the Create new list, select Traffic Condition. Type a name for the traffic condition, and click OK.
  3. Enter information as described in the Help text in the main pane, and click Apply.
  4. From the Create new list, select Application Protocol Condition. Type a name for the application protocol condition, and click OK.
  5. Enter information as described in the Help text in the main pane, and click Apply.
  6. (Optional) To configure protocol attributes:
     1. In the side pane, expand the application protocol condition, and select Proto Attr.
     2. Click Create, enter information as described in the Help text in the main pane, and click Apply.
  7. (Optional) To configure source ports:
     1. In the side pane, expand Proto Attr>Destination Port, and select Port.
     2. Click Create, enter information as described in the Help text in the main pane, and click Apply.
  8. (Optional) To configure destination ports:
     1. In the side pane, expand Proto Attr>Source Port, and select Port.
     2. Click Create, enter information as described in the Help text in the main pane, and click Apply.

Using Map Expressions in Application Protocol Conditions

The application protocol condition is a case in which you might use a map expression to define multiple attributes in one option, the application-protocol option. A map is a list of attributeName=value pairs separated by commas and enclosed in curly brackets. For example, the map {applicationProtocol="ftp", sourcePort=123, inactivityTimeout=60} supplies the application protocol, source port, and inactivity timeout in one option.

Another map {applicationType="tcp", inactivityTimeout=60, destinationPort=80} supplies the protocol, inactivity timeout, and destination port.

You can also create a local parameter, add a map expression as the default value of the parameter, and then enter the local parameter in the application-protocol option.
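
The following parser is an added example, not part of the original documentation or the SRC software. It reads the map syntax shown above so that a map expression can be reviewed before it is entered. It assumes values are double-quoted strings or unsigned integers and that attribute names are not repeated; the function names are illustrative.

```python
import re

# Added example: parser for the map expression syntax shown above.
# Assumptions (not from the product documentation): each value is either a
# double-quoted string or an unsigned integer, and names are not repeated.
_PAIR = re.compile(r'\s*([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|(\d+))\s*')
PORT_ATTRIBUTES = ("sourcePort", "destinationPort")  # names used on this page


def parse_map(expression):
    """Parse '{name=value, ...}' into a dict of str and int values."""
    text = expression.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("map expression must be enclosed in curly brackets")
    body = text[1:-1].strip()
    attributes, pos = {}, 0
    while pos < len(body):
        pair = _PAIR.match(body, pos)
        if pair is None:
            raise ValueError(f"expected attributeName=value at offset {pos}")
        name, string_value, int_value = pair.groups()
        if name in attributes:
            raise ValueError(f"attribute {name!r} appears more than once")
        attributes[name] = string_value if string_value is not None else int(int_value)
        pos = pair.end()
        if pos < len(body):
            # Anything left must be a comma followed by another pair.
            if body[pos] != "," or not body[pos + 1:].strip():
                raise ValueError(f"expected ',' and another pair at offset {pos}")
            pos += 1
    return attributes


def port_problems(attributes):
    """Return a message for each port attribute outside 1..65535."""
    problems = []
    for name in PORT_ATTRIBUTES:
        if name in attributes:
            value = attributes[name]
            if not isinstance(value, int) or not 1 <= value <= 65535:
                problems.append(f"{name}={value!r} is not a port in 1..65535")
    return problems


if __name__ == "__main__":
    # The two maps quoted in the text above.
    for sample in ('{applicationProtocol="ftp", sourcePort=123, inactivityTimeout=60}',
                   '{applicationType="tcp", inactivityTimeout=60, destinationPort=80}'):
        parsed = parse_map(sample)
        print(parsed, port_problems(parsed))
```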

