Configuring Differentiated Services Code Point (DSCP) values
in IDP policies provides a method of associating class-of-service
(CoS) values—thus different levels of reliability—for
different types of traffic on the network.
Before You Begin
For background information, read:
Class of Service chapters in the JUNOS Software Interfaces and Routing Configuration Guide.
DSCP is an integer value encoded in the 6-bit field defined
in IP packet headers. It is used to enforce CoS distinctions. CoS
allows you to override the default packet forwarding behavior and
assign service levels to specific traffic flows.
You can configure a DSCP value as an action in an IDP policy rule.
You first define the traffic by defining match conditions in the IDP
policy and then associate a DiffServ marking action with it. Based
on the DSCP value, behavior aggregate classifiers set the forwarding
class and loss priority for the traffic deciding the forwarding treatment
the traffic receives.
All packets that match the IDP policy rule have the CoS field
in their IP header rewritten with the DSCP value specified in the
matching policy. If the traffic matches multiple rules with differing
DSCP values, the first IDP rule that matches takes effect and this
IDP rule then applies to all traffic for that session.
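To make the rewrite concrete, the following added Python example (not from the JUNOS documentation) builds a constructed IPv4 header and shows what a DiffServ marking action does at the packet level: it replaces the 6-bit DSCP field in the TOS byte, preserves the 2-bit ECN bits next to it, rejects values that do not fit in 6 bits, and recomputes the header checksum. Addresses, identification and TOS values are constructed samples.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791); the checksum
    field must be zero when computing, and verifying a correct header yields 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(tos: int) -> bytes:
    """Constructed 20-byte IPv4 header: 10.0.0.1 -> 10.0.0.2, TCP, 40-byte total."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos, 40, 0x1234, 0x4000, 64, 6, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

def dscp_of(header: bytes) -> int:
    """What a behavior aggregate classifier reads: the upper 6 bits of the TOS byte."""
    return header[1] >> 2

def ecn_of(header: bytes) -> int:
    """The lower 2 bits of the TOS byte, which DSCP marking must leave intact."""
    return header[1] & 0x03

def mark_diffserv(header: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP field the way a mark-diffserv action does, then fix the checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP {dscp} does not fit the 6-bit field (valid range 0-63)")
    hdr = bytearray(header)
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)   # new DSCP, ECN bits preserved
    struct.pack_into("!H", hdr, 10, 0)       # zero checksum before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    original = build_ipv4_header(tos=0x03)       # best-effort DSCP 0, ECN CE set
    marked = mark_diffserv(original, 50)         # the value used in rule R1
    print(f"DSCP {dscp_of(original)} -> {dscp_of(marked)}, ECN kept: {ecn_of(marked)}")
    print("checksum valid:", ipv4_checksum(marked) == 0)
```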
The configuration instructions in this topic describe how to
create a policy called policy1, specify a rulebase for this
policy, and then add a rule R1 to this rulebase. In this
example, rule R1:
Specifies the match condition to include any traffic from
a previously configured zone called zone1 to another previously
configured zone called zone2. The match condition also includes
a predefined attack group called Critical - HTTP. The application
setting in the match condition is specified as default and
matches any application configured in the attack object.
Specifies an action to rewrite the CoS field in the IP
header with the DSCP value 50 for any traffic that matches
the criteria for rule R1.
You can use either J-Web or the CLI configuration editor to
configure the DSCP value in an IDP policy.
Create a policy by assigning a meaningful name
to it. The following statement specifies policy1 as the policy
name:
user@host# set security idp idp-policy policy1
Associate a rulebase with the policy.
The following statement associates an IPS rulebase with policy1:
user@host# set security idp idp-policy policy1 rulebase-ips
Add rules to the rulebase. The following
statement adds a rule R1 to the rulebase:
user@host# set security idp idp-policy policy1 rulebase-ips rule R1
Define the match criteria for the rule.
The following statements specify that any traffic from zone1 to zone2 that includes the predefined attack group
Critical - HTTP matches the criteria for rule R1. The default application setting matches any application configured
in the attack object.
user@host# set security idp idp-policy policy1 rulebase-ips rule R1 match from-zone zone1 to-zone zone2 source-address any destination-address any application default
user@host# set security idp idp-policy policy1 rulebase-ips rule R1 match attacks predefined-attack-group "Critical - HTTP"
Specify an action for the rule. The following
statement specifies that for all traffic matching the criteria defined
for rule R1, the CoS field in the IP header is rewritten
with the DSCP value 50:
user@host# set security idp idp-policy policy1 rulebase-ips rule R1 then action mark-diffserv 50
Continue to specify any notification
or logging options for the rule, if required.
Activate the policy. The following statement specifies policy1 as the active policy:
user@host# set security idp active-policy policy1
If you are finished configuring the router,
commit the configuration.
From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more
information, see the JUNOS Software CLI Reference.