Assigning Rewrite Rules on a Per-Customer Basis Using Policy Maps
SUMMARY This topic describes the purpose and configuration of policy maps. Policy maps enable you to assign rewrite rules on a per-customer basis.
Policy Maps Overview
Traditionally, packet marking (that is, setting rewrite rules) in Junos uses the forwarding class and loss priority that have been determined through a behavior aggregate (BA) classifier or multifield classifier. The forwarding class and loss priority are also used to decide queuing behavior. This approach does not allow you to directly assign rewrite rules to each customer because of the limited number of combinations of forwarding class and loss priority. When a new customer is added, setting rewrite rules using this approach requires changes to the configuration on the core interfaces, which must be avoided as one mistake can affect traffic from all customers.
An alternative packet marking scheme, called policy map, enables you to define rewrite rules on a per-customer basis (that is, for each customer). The policy map makes it possible to use any packet field to identify a given flow and specify a rewrite value for that flow.
A policy map is defined at the [edit class-of-service policy-map]
hierarchy level. The policy map can define the following types of packet
marking:
-
IPv4 Precedence with the following options:
-
proto-ip
– Mark the packet for IPv4 to IPv4 traffic. -
proto-mpls
– Mark the packet for an IPv4 packet entering an MPLS tunnel.
-
-
IPv6 Precedence with the following options:
-
proto-ip
– Mark the packet for IPv6 to IPv6 traffic. -
proto-mpls
– Mark the packet for an IPv6 packet entering an MPLS tunnel.
-
-
IPv4 DSCP with the following options:
-
proto-ip
– Mark the packet for IPv4 to IPv4 traffic. -
proto-mpls
– Mark the packet for an IPv4 packet entering an MPLS tunnel.
-
-
IPv6 DSCP with the following options:
-
proto-ip
– Mark the packet for IPv6 to IPv6 traffic. -
proto-mpls
– Mark the packet for an IPv6 packet entering an MPLS tunnel.
-
-
MPLS EXP with the following options:
-
all-label
– Mark all labels. -
outer-label
– Mark only the outer label.
-
-
IEEE 802.1p with the following options:
-
outer
– Mark only the outer VLAN header. -
outer-and-inner
– Mark both the outer and inner VLAN headers.
-
-
IEEE 802.1ad with the following options:
-
outer
– Mark only the outer VLAN header. -
outer-and-inner
– Mark both the outer and inner VLAN headers.
-
On devices running Junos OS, creating a policy map requires you to enable
enhanced-ip
, enhanced-ethernet
, or
enhanced-mode
under [edit chassis network-services]
.
On devices running Junos OS Evolved, you must enable
policy-map-marking
on each egress logical interface that
you want to do policy map marking. You enable
policy-map-marking
at the [edit class-of-service
interfaces interface-name unit
unit-number]
hierarchy level.
Policy maps have the following configuration restrictions:
-
When configuring both
proto-ip
andproto-mpls
options forinet-precedence
,inet6-precedence
,dscp
, ordscp-ipv6
, you must configure both options with the same code point or code point alias. -
You cannot configure
inet-precedence
anddscp
in the same policy map. -
You cannot configure
inet6-precedence
anddscp-ipv6
in the same policy map. -
In case of MPLS SWAP/PUSH operation, only the new labels are marked on all label-switching routers (LSRs), except the penultimate hop case where if it exposes the next label in the stack, then the exposed label is marked. Therefore, with the penultimate hop, the service label is changed.
-
You cannot configure
ieee-802.1
andieee-802.1ad
in the same policy map. -
You cannot configure both
outer
andouter-and-inner
options forieee-802.1
andieee-802.1ad
code points in the same policy map. -
For IEEE 802.1ad with the
outer-and-inner
option, the discard eligibility (DE) bit is marked only for the outer VLAN header. For the inner VLAN header, only the three CoS Bits are marked.
You assign a policy map to a customer through a firewall action on an ingress or egress firewall filter (where the match conditions identify the customer). Alternatively, you can assign a policy map to an ingress interface or a routing instance. You can assign multiple policy maps to a customer, one for each of the customer’s traffic flows. Also, you can assign a single policy map to multiple customers.
A policy map is executed on a packet just before it is queued, so it overrides any other packet- marking scheme that was previously applied to the packet.
Configuring Policy Maps
To assign rewrite rules on a per-customer basis:
Platform-Specific Policy Map Behavior
Use Feature Explorer to confirm platform and release support for policy maps.
Use the following table to review platform-specific behaviors for your platform:
Platform |
Difference |
---|---|
PTX10002-36QDD |
|