Traffic Policy

This chapter covers traffic policy: a set of rules that lets us perform different actions on network packets, such as packet mangling (ToS, TTL, etc.), PBR (Policy-Based Routing), firewalling, or rate limiting.

Policies can be applied to the different types of traffic:

  • link traffic: incoming layer 2 traffic (only for physical devices).

  • in traffic: incoming traffic.

  • out traffic: outgoing traffic.

  • local-in: local incoming traffic.

  • local-out: local outgoing traffic.

Every traffic policy contains a set of rules that are processed in order. If a rule has a traffic selector configured and the network packet matches at least one of the selector's rules, the policy actions are applied. If the policy rule has no traffic selector configured, then all packets match it.

Here you can find more information about traffic selectors.

Policy rules always perform an action; the default one is to accept the packet, i.e. no more policy rules are processed. This default behavior can be changed by setting the action field. For example, the drop action drops the packet, so later stages or hooks in the network path will not be aware of its existence. Another useful action is continue: it can be used to change some fields in the packet (such as dscp, ttl or tcp-mss) and then go on processing the remaining policy rules.

Note

Traffic policies can be set both at interface and at system level. System policies have lower priority and are processed after the interface ones.

Therefore, if an interface policy drops a packet (for example), subsequent system policies (if any) will not be processed.
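
The following script is an added illustration of the rule-processing semantics described above; it is not OSDx code. It models ordered rules, selector-less rules that match everything, the default accept action that stops processing, drop, continue (apply field changes and keep going), and the interface-before-system ordering from the Note. Selectors are simplified to plain predicate functions, and the selectors sel_1/sel_2, the policy SYSTEM_OUT and the packet dictionaries are constructed for this example.

```python
"""Model of traffic-policy rule evaluation (added example, not OSDx code).
Documented behaviour reproduced here: rules are processed in order; a rule
with no selector matches every packet; the default action is accept, which
stops rule processing; drop discards the packet so later hooks never see it;
continue applies the rule's field changes and keeps evaluating; for a given
hook the interface policy runs before the system policy.
Selectors are simplified to predicate functions (an assumption for this example)."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Selector = Callable[[Packet], bool]


@dataclass
class Rule:
    number: int
    selector: Optional[Selector] = None                    # None: matches all packets
    action: str = "accept"                                 # accept | drop | continue
    sets: Dict[str, object] = field(default_factory=dict)  # e.g. {"mark": 1}


@dataclass
class Policy:
    name: str
    rules: List[Rule]

    def evaluate(self, pkt: Packet, trace: List[str]) -> str:
        """Walk the rules in order; return 'accept' or 'drop' on a terminating
        rule, or 'continue' if the packet fell off the end of the policy."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.selector is not None and not rule.selector(pkt):
                continue                     # selector did not match: next rule
            pkt.update(rule.sets)            # field changes apply on any match
            trace.append(f"{self.name} rule {rule.number} -> {rule.action}")
            if rule.action in ("accept", "drop"):
                return rule.action
        return "continue"


def process(pkt: Packet, interface_policy: Optional[Policy],
            system_policy: Optional[Policy]) -> Tuple[str, List[str]]:
    """Interface policy first, then system policy; a terminating verdict in the
    interface policy means the system policy is never consulted."""
    trace: List[str] = []
    for policy in (interface_policy, system_policy):
        if policy is None:
            continue
        verdict = policy.evaluate(pkt, trace)
        if verdict != "continue":
            return verdict, trace
    return "accept", trace                   # nothing terminated: default accept


# Constructed selectors standing in for SEL_1 / SEL_2 of the Examples section.
def sel_1(pkt: Packet) -> bool:
    return pkt.get("dport") == 53


def sel_2(pkt: Packet) -> bool:
    return str(pkt.get("src", "")).startswith("10.")


# POLICY_1 as configured in the Examples section: rule 1 marks SEL_1 packets
# (default action accept), rule 2 drops SEL_2 packets.
POLICY_1 = Policy("POLICY_1", [
    Rule(1, sel_1, "accept", {"mark": 1}),
    Rule(2, sel_2, "drop"),
])

# Hypothetical system-level policy: a selector-less continue rule that rewrites
# the TTL of whatever reaches it.
SYSTEM_OUT = Policy("SYSTEM_OUT", [Rule(1, None, "continue", {"ttl": 64})])


def run(pkt: Packet) -> Tuple[str, Packet, List[str]]:
    """Evaluate a copy of pkt through POLICY_1 (interface) then SYSTEM_OUT (system)."""
    pkt = dict(pkt)
    verdict, trace = process(pkt, POLICY_1, SYSTEM_OUT)
    return verdict, pkt, trace


if __name__ == "__main__":
    for sample in ({"src": "192.0.2.1", "dport": 53},
                   {"src": "10.1.1.1", "dport": 80},
                   {"src": "10.1.1.1", "dport": 53},
                   {"src": "192.0.2.1", "dport": 80}):
        verdict, out, trace = run(sample)
        print(sample, "->", verdict, out, trace)
```

The third sample packet is the instructive one: it matches both SEL_1 and SEL_2, but rule 1 has the default accept action, so the packet is marked and accepted and the drop in rule 2 is never reached. If the intent is to drop SEL_2 traffic even when it also matches SEL_1, rule 1 needs action continue or the rules need reordering.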

Configuration

This is the syntax to create a traffic policy:

set traffic policy <policy_name> [ ... ]

In order to assign a traffic policy to an interface, you have to use the following command:

set interfaces <if_type> <if_name> traffic policy <in / out / local-in / local-out> <policy_name>

Examples

Let's suppose we want to define a traffic policy to process outgoing traffic. We need to mark all packets that match the 'SEL_1' selector and we want to drop all packets that match 'SEL_2'.

In order to create that policy we have to type the following commands:

set traffic policy POLICY_1 rule 1 selector SEL_1
set traffic policy POLICY_1 rule 1 set mark 1
set traffic policy POLICY_1 rule 2 selector SEL_2
set traffic policy POLICY_1 rule 2 action drop

Now, if we want to attach that traffic policy to a specific interface, we can use the following command:

set interfaces ethernet eth1 traffic policy out POLICY_1

On the other hand, if we want that traffic policy to be executed always (regardless of the interface the packet traverses), we would use this command:

set system traffic policy out POLICY_1

Here, you can find more examples related to traffic policies.

Monitoring

The operational command traffic policy [ <policy_name> ] show [ detailed ] displays per-rule packet and byte counters (evaluated and matched) for the configured policies and, with detailed, for each selector attached to them.

Example:

admin@osdx$ traffic policy show detailed
Policy SET_VRF -- ifc eth0 -- hook in

---------------------------------------------------------------------
rule      selector     pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------------
1      ACTION_TRIGGER           7          7          444         444
---------------------------------------------------------------------
Total                           7          7          444         444

Selector ACTION_TRIGGER (Policy SET_VRF -- ifc eth0 -- hook in -- rule 1)

---------------------------------------------------------
  rule     pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------
1 (excl.)           0          7            0         444
2                   7          7          444         444
---------------------------------------------------------
Total               7          7          444         444
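
As an added example (not an OSDx tool), the following script parses the output of traffic policy show detailed shown above into per-rule counters and lists rules that were evaluated but never matched, which is a quick way to spot a drop rule that is shadowed by an earlier rule or a selector that never hits. The sample text is the page's own output embedded as a constructed string so the script runs offline; the "(excl.)" marker on selector rows is carried through as a flag without further interpretation.

```python
"""Parser and audit for 'traffic policy show detailed' output (added example,
not OSDx code). SAMPLE is the output shown in the Monitoring section, embedded
here so the script runs offline."""

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = """\
Policy SET_VRF -- ifc eth0 -- hook in

---------------------------------------------------------------------
rule      selector     pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------------------
1      ACTION_TRIGGER           7          7          444         444
---------------------------------------------------------------------
Total                           7          7          444         444

Selector ACTION_TRIGGER (Policy SET_VRF -- ifc eth0 -- hook in -- rule 1)

---------------------------------------------------------
  rule     pkts match  pkts eval  bytes match  bytes eval
---------------------------------------------------------
1 (excl.)           0          7            0         444
2                   7          7          444         444
---------------------------------------------------------
Total               7          7          444         444
"""

POLICY_HDR = re.compile(r"^Policy (\S+) -- ifc (\S+) -- hook (\S+)$")
SELECTOR_HDR = re.compile(
    r"^Selector (\S+) \(Policy (\S+) -- ifc (\S+) -- hook (\S+) -- rule (\d+)\)$")
POLICY_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
SELECTOR_ROW = re.compile(r"^(\d+)(\s+\(excl\.\))?\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
TOTAL_ROW = re.compile(r"^Total\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


@dataclass(frozen=True)
class Counters:
    pkts_match: int
    pkts_eval: int
    bytes_match: int
    bytes_eval: int


def parse_show_detailed(text: str):
    """Return (policies, selectors, totals):
    policies:  {(policy, ifc, hook): {rule: (selector_name, Counters)}}
    selectors: {(selector, policy, ifc, hook, rule): {rule: (is_excl, Counters)}}
    totals:    {table_key: Counters} for the Total line of each table."""
    policies: Dict = {}
    selectors: Dict = {}
    totals: Dict = {}
    key, table, in_selector = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("rule"):
            continue                               # blank line, ruler or header row
        m = POLICY_HDR.match(line)
        if m:
            key, in_selector = m.groups(), False
            table = policies.setdefault(key, {})
            continue
        m = SELECTOR_HDR.match(line)
        if m:
            key, in_selector = m.groups(), True
            table = selectors.setdefault(key, {})
            continue
        if table is None:
            continue                               # text before the first table
        m = TOTAL_ROW.match(line)
        if m:
            totals[key] = Counters(*map(int, m.groups()))
            continue
        if in_selector:
            m = SELECTOR_ROW.match(line)
            if m:
                num, excl, *c = m.groups()
                table[int(num)] = (excl is not None, Counters(*map(int, c)))
        else:
            m = POLICY_ROW.match(line)
            if m:
                num, sel, *c = m.groups()
                table[int(num)] = (sel, Counters(*map(int, c)))
    return policies, selectors, totals


def idle_rules(policies) -> List[Tuple[Tuple[str, str, str], int, str]]:
    """Policy rules that saw traffic (pkts eval > 0) but matched nothing: a hint
    that the selector is wrong or that an earlier terminating rule shadows it."""
    return [(key, num, sel)
            for key, rules in policies.items()
            for num, (sel, c) in rules.items()
            if c.pkts_eval > 0 and c.pkts_match == 0]


if __name__ == "__main__":
    pol, sel, tot = parse_show_detailed(SAMPLE)
    for key, rules in pol.items():
        for num, (name, c) in sorted(rules.items()):
            print(key, "rule", num, name, c)
    print("idle rules:", idle_rules(pol))
```

In the sample, rule 1 of SET_VRF matched all 7 evaluated packets, so idle_rules returns an empty list; on a policy that ends in a drop rule, a non-empty result for that rule is worth a look, since it means the packets the rule exists for are either not arriving or are being accepted earlier.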

Configuration commands