Configuring Policy Rules
The type of policy rule that you can create depends on the type and applicability of the policy list in which you create the policy rule. There is only one type of policy rule for JUNOSe policy lists and PCMM policy lists. For JUNOS policy lists, you can create the following policy rule types:
- JUNOS ASP—Applicability of policy list must be both input and output.
- JUNOS FILTER—Applicability of policy list must be input or output.
- JUNOS POLICER—Applicability of policy list must be input or output.
- JUNOS SCHEDULER—Applicability of policy list must be both.
- JUNOS SHAPING—Applicability of policy list must be both.
Before You Configure JUNOS Policy Rules
The following are prerequisites to using policy rules on JUNOS routing platforms.
JUNOS Scheduler and JUNOS Shaping Policy Rules
Before you use the JUNOS scheduler and JUNOS shaping policy rules, check that your Physical Interface Card (PIC) supports JUNOS scheduling and shaping rate. Also, check that your interface supports the per-unit-scheduler.
You must enable the per-unit-scheduler on the interface. To do so, on the JUNOS routing platform, include the per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level:
[edit interfaces interface-name]
per-unit-scheduler;
JUNOS ASP Policy Rules
Before you use the Adaptive Services PIC (ASP) policy rule to create a stateful firewall or NAT policy, you must configure the Adaptive Services PIC on the JUNOS routing platform. For example:
sp-0/1/0 {
    unit 0 {
        family inet {
            address 10.10.1.1/32;
        }
    }
}
For more information about configuring AS PICs, see the JUNOS Services Interfaces Configuration Guide.
Setting the Policy Rule Precedence
Policy lists can have more than one policy rule. Policy rules are assigned a precedence that determines the order in which the policy manager applies policy rules. Rules are evaluated from lowest to highest precedence value. For JUNOSe policies, rules with equal precedence are evaluated in the order of creation. For JUNOS policies, rules with equal precedence are evaluated in random order.
Note that for JUNOS SCHEDULER and JUNOS POLICER policy rules, precedence is not a factor.
The router classifies packets beginning with the classify condition in the policy list that has the policy rule with the lowest precedence.
- If the packet matches the condition, the router applies the policy rule actions to the packet and does not continue to examine further conditions.
- If the packet does not match the condition, the router tries to match the packet with the classify condition in the policy rule with the next higher precedence.
- If the packet does not match any of the classify conditions, it is forwarded. There are some exceptions. For example, in the case of a JUNOS ASP stateful firewall, packets that do not match the classify conditions are dropped. Only matching packets are forwarded.
For JUNOSe routers, if you want the router to take two corresponding actions on a packet, you would create a JUNOSe policy list that has more than one policy rule with the same precedence. For example, you may want a policy rule that marks a packet and a policy rule that forwards the packet to the next interface. Or you could have a policy rule that applies a traffic class and a policy rule that forwards the packet to the next hop.
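The evaluation order described above can be checked offline before a policy list is deployed. The following is an added example, not part of the original documentation or of Policy Editor: it models a classify condition as a single source prefix (an assumption), flags JUNOS rules whose equal precedence and overlapping classifiers make the result depend on random ordering, and checks precedence values against the ranges listed under Policy Rule Fields. Rule names and prefixes are constructed.

```python
import ipaddress
from itertools import combinations

# Precedence ranges as listed under Policy Rule Fields on this page.
RANGES = {"JUNOS": (0, 32767), "JUNOSe": (0, 32767), "PCMM": (64, 191)}

def net(cidr):
    return ipaddress.ip_network(cidr)

def audit(list_type, rules):
    """rules: (name, precedence, source CIDR) tuples in creation order."""
    lo, hi = RANGES[list_type]
    findings = [f"{n}: precedence {p} outside {lo}-{hi}"
                for n, p, _ in rules if not lo <= p <= hi]
    if list_type == "JUNOS":
        # Equal precedence is evaluated in random order on JUNOS, so an
        # overlap between such rules makes the outcome unpredictable.
        for (n1, p1, c1), (n2, p2, c2) in combinations(rules, 2):
            if p1 == p2 and net(c1).overlaps(net(c2)):
                findings.append(
                    f"{n1}, {n2}: equal precedence {p1}, overlapping classifiers")
    return findings

def evaluate(rules, src_ip, asp_stateful_firewall=False):
    """Return the rule whose actions apply, or the default disposition."""
    addr = ipaddress.ip_address(src_ip)
    # sorted() is stable: ties keep creation order (the JUNOSe behaviour).
    for name, _, cidr in sorted(rules, key=lambda r: r[1]):
        if addr in net(cidr):
            return name  # first match wins; later rules are not examined
    return "drop" if asp_stateful_firewall else "forward"

# Constructed sample policy list (names and prefixes are illustrative).
RULES = [
    ("allow-mgmt", 100, "10.10.1.0/24"),
    ("limit-site", 200, "10.10.0.0/16"),
    ("mark-site", 200, "10.10.0.0/16"),
]

if __name__ == "__main__":
    print(audit("JUNOS", RULES))
    print(evaluate(RULES, "10.10.1.5"))
    print(evaluate(RULES, "192.0.2.9", asp_stateful_firewall=True))
```
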
Adding a Policy Rule
- In the navigation pane, right-click a policy list.
- Select New > PolicyRule, and select a policy rule from the list.
The PolicyRule Name dialog box appears.
The new policy rule appears in the navigation pane.
See Policy Rule Fields.
Policy Rule Fields
In Policy Editor, you can modify the following fields in the PolicyRule content pane.
Description
Caption
Keywords
- Series of words that Policy Editor uses as a filter for keyword searches.
- Value—Text
- Default—No value
Precedence
- Precedence in which the policy rule is evaluated. Rules are evaluated from lowest to highest precedence value. Precedence is not a factor for JUNOS SCHEDULER and JUNOS POLICER policy rules. Precedence has meaning only if two rules have different classifiers and if those classifiers overlap. If this is the case and a packet is received that satisfies both classifiers, then only the action of the rule with the lower precedence value is performed. (See Setting the Policy Rule Precedence.)
- Value
  - For JUNOS and JUNOSe policies, integer in the range 0-32767
  - For PCMM policies, integer in the range 64-191
  - Parameter of type prPrecedence
Accounting
- Specifies whether accounting data is collected for the actions specified in the rule. (See Collecting Accounting Statistics.)
- Value—Checked or unchecked
- Default—Unchecked
Using the PolicyRule Summary Table
The PolicyRule pane contains a table that summarizes the conditions and actions that are within the policy rule. It contains one row for each action that the policy rule contains. The fields in the table vary depending on the type of conditions and actions that are contained in the policy rule. You can modify conditions and actions from within the summary table, or you can modify them by selecting objects from the navigation pane. The fields in the summary table are explained in Table 25.