Example: Rewriting CoS Information at the Network Border to Enforce CoS Policies
This example shows how to rewrite (remark) class-of-service (CoS) values at the network border in order to enforce your internal CoS policy. This is typically done when the CoS values of traffic entering at the network border cannot be trusted, or when those values do not match the CoS policy of the internal network.
This document is not a comprehensive treatment of CoS rewriting and its underlying algorithms. For more information about traffic policing and CoS in general, see QOS-Enabled Networks — Tools and Foundations by Miguel Barreiros and Peter Lundqvist. The book is available from many online booksellers and at www.juniper.net/books.
Requirements
To verify this procedure, this example uses a traffic generator. The traffic generator can be hardware-based or software running on a server or host.
The features in this procedure are widely supported on devices running Junos OS. The example shown here was tested and verified on MX Series routers running Junos OS Release 10.4.
Overview
The purpose of this example is to demonstrate CoS rewriting at the network border so that the CoS profile of traffic is carried to the next-hop router according to the forwarding class and packet loss priority (PLP) assigned to that traffic. The CoS information is rewritten before the packet is transmitted onto the egress network.
In this example, the rewrite is performed when traffic is sent from the host connected to Device R1 to the host connected to Device R2. The example does not include the information needed to rewrite CoS parameters in the other direction. However, you can take the rewrite information from Device R1 (changing the interfaces used) and apply it to Device R2 to achieve bidirectional CoS rewriting.
Junos OS includes several default rewrite rules that may meet your needs. You can display them with the show class-of-service rewrite-rule command. Table 1 shows a partial list of the default rewrite-rule mappings.
| Map From Forwarding Class | PLP Value | Map to DSCP/DSCP IPv6/EXP/IP Code Point Alias |
|---|---|---|
| Expedited forwarding | Low | ef |
| Expedited forwarding | High | ef |
| Assured forwarding | Low | af11 |
| Assured forwarding | High | af12 (DSCP/DSCP IPv6/EXP) |
| Best effort | Low | be |
| Best effort | High | be |
| Network control | Low | nc1/cs6 |
| Network control | High | nc2/cs7 |
You can also define your own custom rewrite-rule tables, or mix the default rewrite rules with custom tables that you create. This example uses the default rewrite rules.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device R1
```
set interfaces ge-2/0/5 description to-Host
set interfaces ge-2/0/5 unit 0 family inet address 172.16.70.2/30
set interfaces ge-2/0/5 unit 0 family inet filter input mf-classifier
set interfaces ge-2/0/8 description to-R2
set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.1/30
set interfaces lo0 unit 0 description looback-interface
set interfaces lo0 unit 0 family inet address 192.168.13.1/32
set class-of-service forwarding-classes queue 0 BE-data
set class-of-service forwarding-classes queue 1 Premium-data
set class-of-service forwarding-classes queue 2 voice
set class-of-service forwarding-classes queue 3 NC
set class-of-service interfaces ge-2/0/8 scheduler-map test-map
set class-of-service interfaces ge-2/0/8 unit 0 rewrite-rules dscp IPv4-rewrite-table
set class-of-service rewrite-rules dscp IPv4-rewrite-table forwarding-class BE-data loss-priority low code-point be
set class-of-service rewrite-rules dscp IPv4-rewrite-table forwarding-class Premium-data loss-priority low code-point ef
set class-of-service scheduler-maps test-map forwarding-class BE-data scheduler BE-data
set class-of-service scheduler-maps test-map forwarding-class Premium-data scheduler Prem-data
set class-of-service schedulers BE-data transmit-rate 1m
set class-of-service schedulers BE-data buffer-size percent 25
set class-of-service schedulers BE-data priority low
set class-of-service schedulers Prem-data transmit-rate 1m
set class-of-service schedulers Prem-data buffer-size percent 25
set class-of-service schedulers Prem-data priority high
set firewall family inet filter mf-classifier term BE-data from protocol tcp
set firewall family inet filter mf-classifier term BE-data from port 80
set firewall family inet filter mf-classifier term BE-data then count BE-data
set firewall family inet filter mf-classifier term BE-data then forwarding-class BE-data
set firewall family inet filter mf-classifier term Prem-data from protocol tcp
set firewall family inet filter mf-classifier term Prem-data from port 12345
set firewall family inet filter mf-classifier term Prem-data then count Prem-data
set firewall family inet filter mf-classifier term Prem-data then forwarding-class Premium-data
set firewall family inet filter mf-classifier term accept then accept
set protocols ospf area 0.0.0.0 interface ge-2/0/5.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-2/0/8.0
```
Device R2
```
set interfaces ge-2/0/7 description to-Host
set interfaces ge-2/0/7 unit 0 family inet address 172.16.80.1/30
set interfaces ge-2/0/8 description to-R1
set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.2/30
set interfaces ge-2/0/8 unit 0 family inet filter input mf-classifier
set interfaces lo0 unit 0 description looback-interface
set interfaces lo0 unit 0 family inet address 192.168.14.1/32
set firewall family inet filter mf-classifier term BE-data from dscp be
set firewall family inet filter mf-classifier term BE-data then count BE-data
set firewall family inet filter mf-classifier term Premium-data from dscp ef
set firewall family inet filter mf-classifier term Premium-data then count Premium-data
set firewall family inet filter mf-classifier term accept then accept
set protocols ospf area 0.0.0.0 interface ge-2/0/7.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-2/0/8.0
```
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Device R1:
Configure the device interfaces.
```
[edit]
user@R1# set interfaces ge-2/0/5 description to-Host
user@R1# set interfaces ge-2/0/5 unit 0 family inet address 172.16.70.2/30
user@R1# set interfaces ge-2/0/5 unit 0 family inet filter input mf-classifier
user@R1# set interfaces ge-2/0/8 description to-R2
user@R1# set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.1/30
user@R1# set interfaces lo0 unit 0 description looback-interface
user@R1# set interfaces lo0 unit 0 family inet address 192.168.13.1/32
```
Configure the firewall parameters.
```
[edit]
user@R1# set firewall family inet filter mf-classifier term BE-data from protocol tcp
user@R1# set firewall family inet filter mf-classifier term BE-data from port 80
user@R1# set firewall family inet filter mf-classifier term BE-data then count BE-data
user@R1# set firewall family inet filter mf-classifier term BE-data then forwarding-class BE-data
user@R1# set firewall family inet filter mf-classifier term Prem-data from protocol tcp
user@R1# set firewall family inet filter mf-classifier term Prem-data from port 12345
user@R1# set firewall family inet filter mf-classifier term Prem-data then count Prem-data
user@R1# set firewall family inet filter mf-classifier term Prem-data then forwarding-class Premium-data
user@R1# set firewall family inet filter mf-classifier term accept then accept
```
Configure the class-of-service parameters.
```
[edit]
user@R1# set class-of-service forwarding-classes queue 0 BE-data
user@R1# set class-of-service forwarding-classes queue 1 Premium-data
user@R1# set class-of-service forwarding-classes queue 2 voice
user@R1# set class-of-service forwarding-classes queue 3 NC
user@R1# set class-of-service interfaces ge-2/0/8 scheduler-map test-map
user@R1# set class-of-service interfaces ge-2/0/8 unit 0 rewrite-rules dscp IPv4-rewrite-table
user@R1# set class-of-service rewrite-rules dscp IPv4-rewrite-table forwarding-class BE-data loss-priority low code-point be
user@R1# set class-of-service rewrite-rules dscp IPv4-rewrite-table forwarding-class Premium-data loss-priority low code-point ef
user@R1# set class-of-service scheduler-maps test-map forwarding-class BE-data scheduler BE-data
user@R1# set class-of-service scheduler-maps test-map forwarding-class Premium-data scheduler Prem-data
user@R1# set class-of-service schedulers BE-data transmit-rate 1m
user@R1# set class-of-service schedulers BE-data buffer-size percent 25
user@R1# set class-of-service schedulers BE-data priority low
user@R1# set class-of-service schedulers Prem-data transmit-rate 1m
user@R1# set class-of-service schedulers Prem-data buffer-size percent 25
user@R1# set class-of-service schedulers Prem-data priority high
```
Configure OSPF.
```
[edit protocols ospf]
user@R1# set area 0.0.0.0 interface ge-2/0/5.0 passive
user@R1# set area 0.0.0.0 interface lo0.0 passive
user@R1# set area 0.0.0.0 interface ge-2/0/8.0
```
Step-by-Step Procedure
To configure Device R2:
Configure the device interfaces.
```
[edit]
user@R2# set interfaces ge-2/0/7 description to-Host
user@R2# set interfaces ge-2/0/7 unit 0 family inet address 172.16.80.1/30
user@R2# set interfaces ge-2/0/8 description to-R1
user@R2# set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.2/30
user@R2# set interfaces ge-2/0/8 unit 0 family inet filter input mf-classifier
user@R2# set interfaces lo0 unit 0 description looback-interface
user@R2# set interfaces lo0 unit 0 family inet address 192.168.14.1/32
```
Configure the firewall parameters.
```
[edit]
user@R2# set firewall family inet filter mf-classifier term BE-data from dscp be
user@R2# set firewall family inet filter mf-classifier term BE-data then count BE-data
user@R2# set firewall family inet filter mf-classifier term Premium-data from dscp ef
user@R2# set firewall family inet filter mf-classifier term Premium-data then count Premium-data
user@R2# set firewall family inet filter mf-classifier term accept then accept
```
Configure OSPF.
```
[edit protocols ospf]
user@R2# set area 0.0.0.0 interface ge-2/0/7.0 passive
user@R2# set area 0.0.0.0 interface lo0.0 passive
user@R2# set area 0.0.0.0 interface ge-2/0/8.0
```
Results
From configuration mode, confirm your configuration by entering the show interfaces, show firewall, show class-of-service, and show protocols ospf commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
```
user@R1# show interfaces
ge-2/0/5 {
    description to-Host;
    unit 0 {
        family inet {
            filter {
                input mf-classifier;
            }
            address 172.16.70.2/30;
        }
    }
}
ge-2/0/8 {
    description to-R2;
    unit 0 {
        family inet {
            address 10.50.0.1/30;
        }
    }
}
lo0 {
    unit 0 {
        description looback-interface;
        family inet {
            address 192.168.13.1/32;
        }
    }
}
```
```
user@R1# show firewall
family inet {
    filter mf-classifier {
        term BE-data {
            from {
                protocol tcp;
                port 80;
            }
            then {
                count BE-data;
                forwarding-class BE-data;
            }
        }
        term Prem-data {
            from {
                protocol tcp;
                port 12345;
            }
            then {
                count Prem-data;
                forwarding-class Premium-data;
            }
        }
        term accept {
            then accept;
        }
    }
}
```
```
user@R1# show class-of-service
forwarding-classes {
    queue 0 BE-data;
    queue 1 Premium-data;
    queue 2 voice;
    queue 3 NC;
}
interfaces {
    ge-2/0/8 {
        scheduler-map test-map;
        unit 0 {
            rewrite-rules {
                dscp IPv4-rewrite-table;
            }
        }
    }
}
rewrite-rules {
    dscp IPv4-rewrite-table {
        forwarding-class BE-data {
            loss-priority low code-point be;
        }
        forwarding-class Premium-data {
            loss-priority low code-point ef;
        }
    }
}
scheduler-maps {
    test-map {
        forwarding-class BE-data scheduler BE-data;
        forwarding-class Premium-data scheduler Prem-data;
    }
}
schedulers {
    BE-data {
        transmit-rate 1m;
        buffer-size percent 25;
        priority low;
    }
    Prem-data {
        transmit-rate 1m;
        buffer-size percent 25;
        priority high;
    }
}
```
```
user@R1# show protocols ospf
area 0.0.0.0 {
    interface ge-2/0/5.0 {
        passive;
    }
    interface lo0.0 {
        passive;
    }
    interface ge-2/0/8.0;
}
```
When you are done configuring Device R1, enter commit from configuration mode.
```
user@R2# show interfaces
ge-2/0/7 {
    description to-Host;
    unit 0 {
        family inet {
            address 172.16.80.1/30;
        }
    }
}
ge-2/0/8 {
    description to-R1;
    unit 0 {
        family inet {
            filter {
                input mf-classifier;
            }
            address 10.50.0.2/30;
        }
    }
}
lo0 {
    unit 0 {
        description looback-interface;
        family inet {
            address 192.168.14.1/32;
        }
    }
}
```
```
user@R2# show firewall
family inet {
    filter mf-classifier {
        term BE-data {
            from {
                dscp be;
            }
            then count BE-data;
        }
        term Premium-data {
            from {
                dscp ef;
            }
            then count Premium-data;
        }
        term accept {
            then accept;
        }
    }
}
```
```
user@R2# show protocols ospf
area 0.0.0.0 {
    interface ge-2/0/7.0 {
        passive;
    }
    interface lo0.0 {
        passive;
    }
    interface ge-2/0/8.0;
}
```
When you are done configuring Device R2, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Clearing the Firewall Counters
Purpose
Confirm that the firewall counters are cleared.
Action
On Devices R1 and R2, run the clear firewall all command to reset the firewall counters to 0.
```
user@R1> clear firewall all
user@R2> clear firewall all
```
Sending Traffic into the Network from TCP HTTP Port 80 and Port 12345 and Monitoring the Results
Purpose
Send traffic from the host connected to Device R1 into the network so that the firewall filters on Device R1 and Device R2 can monitor the traffic.
Action
Use the traffic generator to send 20 TCP packets with source port 80 into the network.
The -s flag sets the source port. The -k flag keeps the source port fixed at 80 instead of incrementing it. The -c flag sets the packet count to 20. The -d flag sets the packet size.
```
[User@host]# hping 172.16.80.1 -c 20 -s 80 -k -d 300
HPING 172.16.80.1 (eth1 172.16.80.1): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=172.16.80.1 ttl=62 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.9 ms
. . .
--- 172.16.80.1 hping statistic ---
20 packets transmitted, 20 packets received, 0% packet loss
round-trip min/avg/max = 0.9/9501.4/19002.4 ms
```
Use the traffic generator to send 20 TCP packets with source port 12345 into the network.
```
[User@host]# hping 172.16.80.1 -c 20 -s 12345 -k -d 300
HPING 172.16.80.1 (eth1 172.16.80.1): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=172.16.80.1 ttl=62 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.3 ms
. . .
--- 172.16.80.1 hping statistic ---
20 packets transmitted, 20 packets received, 0% packet loss
round-trip min/avg/max = 0.3/9501.5/19002.7 ms
```
On Device R1, check the firewall counters with the show firewall command.
```
user@R1> show firewall
Filter: mf-classifier
Counters:
Name                 Bytes     Packets
BE-data                800          20
Prem-data              800          20
```
On Device R2, check the firewall counters with the show firewall command.
```
user@R2> show firewall
Filter: mf-classifier
Counters:
Name                 Bytes     Packets
BE-data                800          20
Premium-data           800          20
```
Meaning
Device R1 correctly set the code point of the TCP packets on port 80 to be and the code point of the TCP packets on port 12345 to ef, as the IPv4-rewrite-table specifies for the BE-data and Premium-data forwarding classes. Device R2 correctly recognized the TCP packets on port 80 by the code point be and the TCP packets on port 12345 by the code point ef, so both of its DSCP-based counters show 20 packets.
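As an added illustration (Python written for this page, not Junos code and not part of the original example), the following model replays the classify, rewrite and verify chain of this example: the R1 mf-classifier assigns the forwarding class by port, the IPv4-rewrite-table writes the DSCP from that forwarding class regardless of the value the host sent, and the R2 DSCP-based filter counts what arrives. The DSCP alias values, the 40-byte packet size, and the treatment of packets that match no classifying term are assumptions; the constructed traffic mirrors the two hping runs.

```python
from collections import Counter, namedtuple

# Standard DSCP aliases used on the page (RFC 2474/2597/3246 code point values)
DSCP = {"be": 0, "af11": 10, "af12": 12, "ef": 46, "cs6": 48, "cs7": 56}
# A packet as the filters see it; 'dscp' is the value it arrives with and is not trusted at the border
Packet = namedtuple("Packet", "proto sport dport dscp length", defaults=[40])

# R1 filter mf-classifier: (protocol, port, counter, forwarding class); 'port' matches source or destination
R1_TERMS = [("tcp", 80, "BE-data", "BE-data"), ("tcp", 12345, "Prem-data", "Premium-data")]
# R1 rewrite-rules dscp IPv4-rewrite-table (only the loss-priority low entries, as on the page)
R1_REWRITE = {"BE-data": "be", "Premium-data": "ef"}
# R2 filter mf-classifier: (dscp alias, counter)
R2_TERMS = [("be", "BE-data"), ("ef", "Premium-data")]

def classify_r1(pkt):
    """First matching R1 term -> (counter, forwarding class); None when only 'term accept' matches."""
    for proto, port, counter, fc in R1_TERMS:
        if pkt.proto == proto and port in (pkt.sport, pkt.dport):
            return counter, fc
    return None

def rewrite_r1(pkt):
    """Egress rewrite on ge-2/0/8: the forwarding class, not the arriving DSCP, decides the code point.
    Simplification (assumption): packets outside the rewrite table keep their DSCP."""
    hit = classify_r1(pkt)
    if hit and hit[1] in R1_REWRITE:
        return pkt._replace(dscp=DSCP[R1_REWRITE[hit[1]]])
    return pkt

def run(packets):
    """Forward packets R1 -> R2; return each device's firewall counters as {name: (bytes, packets)}."""
    r1, r2 = Counter(), Counter()
    for pkt in packets:
        hit = classify_r1(pkt)
        if hit:
            r1[(hit[0], "bytes")] += pkt.length
            r1[(hit[0], "packets")] += 1
        out = rewrite_r1(pkt)
        for alias, counter in R2_TERMS:          # R2 only looks at the DSCP that R1 wrote
            if out.dscp == DSCP[alias]:
                r2[(counter, "bytes")] += out.length
                r2[(counter, "packets")] += 1
                break
    table = lambda c: {n: (c[(n, "bytes")], c[(n, "packets")]) for n, _ in c}
    return table(r1), table(r2)

# Constructed traffic mirroring the hping runs: 20 packets from source port 80, 20 from source port 12345.
# The host marked everything ef (46); R1 does not trust that and remarks the port-80 traffic to be.
SAMPLE = [Packet("tcp", 80, 0, 46)] * 20 + [Packet("tcp", 12345, 0, 46)] * 20
```

Running `run(SAMPLE)` reproduces the counters shown above: 800 bytes and 20 packets in each of BE-data and Prem-data on R1, and in BE-data and Premium-data on R2.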