Example: Rewriting CoS Information at the Network Border to Enforce CoS Strategies

16-Jun-23

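This example shows how to rewrite (remark) class-of-service (CoS) values at the network border to enforce your internal CoS strategy. This is typically done when the CoS values of inbound traffic at the network border cannot be trusted, or when those values do not match the CoS strategy of your internal network.

This article is not a comprehensive treatment of CoS rewriting and its underlying algorithms. For more information about traffic policing and CoS in general, see QOS-Enabled Networks: Tools and Foundations by Miguel Barreiros and Peter Lundqvist. The book is available from many online booksellers and at www.juniper.net/books.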

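Requirements

To verify this procedure, this example uses a traffic generator. The traffic generator can be hardware-based, or it can be software running on a server or host.

The functionality in this procedure is widely supported on devices that run Junos OS. The example shown here was tested and verified on MX Series routers running Junos OS Release 10.4.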

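Overview

The purpose of this example is to demonstrate CoS rewriting at the network border, so that the CoS profile of the traffic is conveyed to the next-hop router based on the forwarding class and packet loss priority (PLP) assigned to that traffic. The CoS information is rewritten before the packet is transmitted onto the egress network.

In this example, the rewrite is done when traffic is sent from the host connected to Device R1 toward the host connected to Device R2. This example does not include the information required to rewrite CoS parameters in the other direction. However, you can take the rewrite information from Device R1 (changing the interfaces used) and apply it to Device R2 to implement bidirectional CoS rewriting.

Junos OS includes several default rewrite rules that might meet your needs. You can display them with the show class-of-service rewrite-rule command. Table 1 shows a partial list of the default rewrite-rule mappings.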

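Table 1: Partial List of Default Rewrite-Rule Mappings

Map from Forwarding Class    PLP Value    Map to DSCP/DSCP IPv6/EXP/IP Code Point Aliases
expedited-forwarding                      ef
expedited-forwarding                      ef
assured-forwarding                        af11
assured-forwarding                        af12 (DSCP/DSCP IPv6/EXP)
best-effort                               be
network-control                           nc1/cs6
network-control                           nc2/cs7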

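You can also define your own custom rewrite-rule tables, or use a mix of the default rewrite rules and custom tables that you create. This example uses the default rewrite rules.

Topology

This example uses the topology in Figure 1.

Figure 1: Rewriting CoS Information at the Network Border to Enforce CoS Strategies Scenario

This video covers the topics used in this example. We recommend that you watch the video before you continue.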

VIDEO 1: Learning Bytes CoS Remarking Video.

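Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device R1
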
set interfaces ge-2/0/5 description to-Host
set interfaces ge-2/0/5 unit 0 family inet address 172.16.70.2/30
set interfaces ge-2/0/5 unit 0 family inet filter input mf-classifier
set interfaces ge-2/0/8 description to-R2
set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.1/30
set interfaces lo0 unit 0 description looback-interface
set interfaces lo0 unit 0 family inet address 192.168.13.1/32
set class-of-service forwarding-classes queue 0 BE-data
set class-of-service forwarding-classes queue 1 Premium-data
set class-of-service forwarding-classes queue 2 voice
set class-of-service forwarding-classes queue 3 NC
set class-of-service interfaces ge-2/0/8 scheduler-map test-map
set class-of-service interfaces ge-2/0/8 unit 0 rewrite-rules dscp IPv4-rewrite-table
set class-of-service rewrite-rules dscp IPv4-rewrite-table forwarding-class BE-data loss-priority low code-point be
set class-of-service rewrite-rules dscp IPv4-rewrite-table forwarding-class Premium-data loss-priority low code-point ef
set class-of-service scheduler-maps test-map forwarding-class BE-data scheduler BE-data
set class-of-service scheduler-maps test-map forwarding-class Premium-data scheduler Prem-data
set class-of-service schedulers BE-data transmit-rate 1m
set class-of-service schedulers BE-data buffer-size percent 25
set class-of-service schedulers BE-data priority low
set class-of-service schedulers Prem-data transmit-rate 1m
set class-of-service schedulers Prem-data buffer-size percent 25
set class-of-service schedulers Prem-data priority high
set firewall family inet filter mf-classifier term BE-data from protocol tcp
set firewall family inet filter mf-classifier term BE-data from port 80
set firewall family inet filter mf-classifier term BE-data then count BE-data
set firewall family inet filter mf-classifier term BE-data then forwarding-class BE-data
set firewall family inet filter mf-classifier term Prem-data from protocol tcp
set firewall family inet filter mf-classifier term Prem-data from port 12345
set firewall family inet filter mf-classifier term Prem-data then count Prem-data
set firewall family inet filter mf-classifier term Prem-data then forwarding-class Premium-data
set firewall family inet filter mf-classifier term accept then accept
set protocols ospf area 0.0.0.0 interface ge-2/0/5.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-2/0/8.0

Device R2

set interfaces ge-2/0/7 description to-Host
set interfaces ge-2/0/7 unit 0 family inet address 172.16.80.1/30
set interfaces ge-2/0/8 description to-R1
set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.2/30
set interfaces ge-2/0/8 unit 0 family inet filter input mf-classifier
set interfaces lo0 unit 0 description looback-interface
set interfaces lo0 unit 0 family inet address 192.168.14.1/32
set firewall family inet filter mf-classifier term BE-data from dscp be
set firewall family inet filter mf-classifier term BE-data then count BE-data
set firewall family inet filter mf-classifier term Premium-data from dscp ef
set firewall family inet filter mf-classifier term Premium-data then count Premium-data
set firewall family inet filter mf-classifier term accept then accept
set protocols ospf area 0.0.0.0 interface ge-2/0/7.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-2/0/8.0

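Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure Device R1:

  1. Configure the device interfaces.

    [edit]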
    user@R1# set interfaces ge-2/0/5 description to-Host
    user@R1# set interfaces ge-2/0/5 unit 0 family inet address 172.16.70.2/30
    user@R1# set interfaces ge-2/0/5 unit 0 family inet filter input mf-classifier
    user@R1# set interfaces ge-2/0/8 description to-R2
    user@R1# set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.1/30
    user@R1# set interfaces lo0 unit 0 description looback-interface
    user@R1# set interfaces lo0 unit 0 family inet address 192.168.13.1/32
    
  2. Configure the firewall parameters.

    [edit]
    user@R1# set firewall family inet filter mf-classifier term BE-data from protocol tcp
    user@R1# set firewall family inet filter mf-classifier term BE-data from port 80
    user@R1# set firewall family inet filter mf-classifier term BE-data then count BE-data
    user@R1# set firewall family inet filter mf-classifier term BE-data then forwarding-class BE-data
    user@R1# set firewall family inet filter mf-classifier term Prem-data from protocol tcp
    user@R1# set firewall family inet filter mf-classifier term Prem-data from port 12345
    user@R1# set firewall family inet filter mf-classifier term Prem-data then count Prem-data
    user@R1# set firewall family inet filter mf-classifier term Prem-data then forwarding-class Premium-data
    user@R1# set firewall family inet filter mf-classifier term accept then accept
    
  3. Configure the class-of-service parameters.

    [edit]
    user@R1# set class-of-service forwarding-classes queue 0 BE-data
    user@R1# set class-of-service forwarding-classes queue 1 Premium-data
    user@R1# set class-of-service forwarding-classes queue 2 voice
    user@R1# set class-of-service forwarding-classes queue 3 NC
    user@R1# set class-of-service interfaces ge-2/0/8 scheduler-map test-map
    user@R1# set class-of-service interfaces ge-2/0/8 unit 0 rewrite-rules dscp IPv4-rewrite-table
    user@R1# set class-of-service rewrite-rules dscp IPv4-rewrite-table forwarding-class BE-data loss-priority low code-point be
    user@R1# set class-of-service rewrite-rules dscp IPv4-rewrite-table forwarding-class Premium-data loss-priority low code-point ef
    user@R1# set class-of-service scheduler-maps test-map forwarding-class BE-data scheduler BE-data
    user@R1# set class-of-service scheduler-maps test-map forwarding-class Premium-data scheduler Prem-data
    user@R1# set class-of-service schedulers BE-data transmit-rate 1m
    user@R1# set class-of-service schedulers BE-data buffer-size percent 25
    user@R1# set class-of-service schedulers BE-data priority low
    user@R1# set class-of-service schedulers Prem-data transmit-rate 1m
    user@R1# set class-of-service schedulers Prem-data buffer-size percent 25
    user@R1# set class-of-service schedulers Prem-data priority high
    
  4. Configure OSPF.

    [edit protocols ospf]
    user@R1# set area 0.0.0.0 interface ge-2/0/5.0 passive
    user@R1# set area 0.0.0.0 interface lo0.0 passive
    user@R1# set area 0.0.0.0 interface ge-2/0/8.0
    

Step-by-Step Procedure

To configure Device R2:

  1. Configure the device interfaces.

    [edit]
    user@R2# set interfaces ge-2/0/7 description to-Host
    user@R2# set interfaces ge-2/0/7 unit 0 family inet address 172.16.80.1/30
    user@R2# set interfaces ge-2/0/8 description to-R1
    user@R2# set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.2/30
    user@R2# set interfaces ge-2/0/8 unit 0 family inet filter input mf-classifier
    user@R2# set interfaces lo0 unit 0 description looback-interface
    user@R2# set interfaces lo0 unit 0 family inet address 192.168.14.1/32
    
  2. Configure the firewall parameters.

    [edit]
    user@R2# set firewall family inet filter mf-classifier term BE-data from dscp be
    user@R2# set firewall family inet filter mf-classifier term BE-data then count BE-data
    user@R2# set firewall family inet filter mf-classifier term Premium-data from dscp ef
    user@R2# set firewall family inet filter mf-classifier term Premium-data then count Premium-data
    user@R2# set firewall family inet filter mf-classifier term accept then accept
    
  3. Configure OSPF.

    [edit protocols ospf]
    user@R2# set area 0.0.0.0 interface ge-2/0/7.0 passive
    user@R2# set area 0.0.0.0 interface lo0.0 passive
    user@R2# set area 0.0.0.0 interface ge-2/0/8.0
    

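Results

From configuration mode, confirm your configuration by entering the show interfaces, show firewall, show class-of-service, and show protocols ospf commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@R1# show interfaces
ge-2/0/5 {
    description to-Host;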
    unit 0 {
        family inet {
            filter {
                input mf-classifier;
            }
            address 172.16.70.2/30;
        }
    }
}
ge-2/0/8 {
    description to-R2;
    unit 0 {
        family inet {
            address 10.50.0.1/30;
        }
    }
}
lo0 {
    unit 0 {
        description looback-interface;
        family inet {
            address 192.168.13.1/32;
        }
    }
}

user@R1# show firewall
family inet {
    filter mf-classifier {
        term BE-data {
            from {
                protocol tcp;
                port 80;
            }
            then {
                count BE-data;
                forwarding-class BE-data;
            }
        }
        term Prem-data {
            from {
                protocol tcp;
                port 12345;
            }
            then {
                count Prem-data;
                forwarding-class Premium-data;
            }
        }
        term accept {
            then accept;
        }
    }
}

user@R1# show class-of-service
forwarding-classes {
    queue 0 BE-data;
    queue 1 Premium-data;
    queue 2 voice;
    queue 3 NC;
}
interfaces {
    ge-2/0/8 {
        scheduler-map test-map;
        unit 0 {
            rewrite-rules {
                dscp IPv4-rewrite-table;
            }
        }
    }
}
rewrite-rules {
    dscp IPv4-rewrite-table {
        forwarding-class BE-data {
            loss-priority low code-point be;
        }
        forwarding-class Premium-data {
            loss-priority low code-point ef;
        }
    }
}
scheduler-maps {
    test-map {
        forwarding-class BE-data scheduler BE-data;
        forwarding-class Premium-data scheduler Prem-data;
    }
}
schedulers {
    BE-data {
        transmit-rate 1m;
        buffer-size percent 25;
        priority low;
    }
    Prem-data {
        transmit-rate 1m;
        buffer-size percent 25;
        priority high;
    }
}
user@R1# show protocols ospf
area 0.0.0.0 {
    interface ge-2/0/5.0 {
        passive;
    }
    interface lo0.0 {
        passive;
    }
    interface ge-2/0/8.0;
}

When you are done configuring Device R1, enter commit from configuration mode.

user@R2# show interfaces
ge-2/0/7 {
    unit 0 {
        description to-Host;
        family inet {
            address 172.16.80.2;
        }
    }
}
ge-2/0/8 {
    description to-R1;
    unit 0 {
        family inet {
            filter {
                input mf-classifier;
            }
            address 10.50.0.2/30;
        }
    }
}
lo0 {
    unit 0 {
        description looback-interface;
        family inet {
            address 192.168.14.1/32;
        }
    }
}
user@R2# show firewall
family inet {
    filter mf-classifier {
        term BE-data {
            from {
                dscp be;
            }
            then count BE-data;
        }
        term Premium-data {
            from {
                dscp ef;
            }
            then count Premium-data;
        }
        term accept {
            then accept;
        }
    }
}
user@R2# show protocols ospf
area 0.0.0.0 {
    interface ge-2/0/7.0 {
        passive;
    }
    interface lo0.0 {
        passive;
    }
    interface ge-2/0/8.0;
}

When you are done configuring Device R2, enter commit from configuration mode.
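
The classify-then-rewrite path that this configuration sets up, modelled on constructed packets as an added example (it is not Juniper's code and not part of the original page). The mf-classifier terms and IPv4-rewrite-table entries are taken from the Device R1 configuration above; the host address 172.16.70.1, the host-chosen markings, the low loss priority, and the handling of packets that match only term accept are assumptions.

```python
import struct

DSCP = {"be": 0, "af11": 10, "ef": 46}            # standard DSCP alias values
# From the Device R1 configuration on this page, in term order:
R1_TERMS = [(6, 80, "BE-data"), (6, 12345, "Premium-data")]   # mf-classifier (6 = TCP)
R1_REWRITE = {("BE-data", "low"): "be", ("Premium-data", "low"): "ef"}  # IPv4-rewrite-table

def checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def make_packet(dscp: int, sport: int, dport: int) -> bytes:
    """Constructed sample: IPv4 header (ECN bits 01) followed by the TCP ports only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2 | 1, 24, 0, 0x4000, 64, 6, 0,
                      bytes([172, 16, 70, 1]), bytes([172, 16, 80, 1]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + struct.pack("!HH", sport, dport)

def r1_border(pkt: bytes) -> bytes:
    """Classify on TCP port, then rewrite the DSCP field before transmission."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    fc = next((c for proto, port, c in R1_TERMS
               if pkt[9] == proto and port in (sport, dport)), None)
    alias = R1_REWRITE.get((fc, "low"))    # assumption: loss priority is low
    if alias is None:
        return pkt     # only term "accept" matched; left untouched in this model
    tos = DSCP[alias] << 2 | pkt[1] & 0b11            # replace DSCP, keep ECN bits
    hdr = pkt[:1] + bytes([tos]) + pkt[2:10] + b"\x00\x00" + pkt[12:ihl]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + pkt[ihl:]

def r2_count(pkts) -> dict:
    """Device R2's mf-classifier: count packets by DSCP, ignoring ports."""
    names = {DSCP["be"]: "BE-data", DSCP["ef"]: "Premium-data"}
    counters = {"BE-data": 0, "Premium-data": 0}
    for p in pkts:
        if p[1] >> 2 in names:
            counters[names[p[1] >> 2]] += 1
    return counters

def demo():
    # Host-chosen markings that R1 must not trust: port 80 sent as ef, 12345 as af11.
    inbound = [make_packet(DSCP["ef"], 80, 0)] * 20 + [make_packet(DSCP["af11"], 12345, 0)] * 20
    outbound = [r1_border(p) for p in inbound]
    return r2_count(inbound), r2_count(outbound), outbound

if __name__ == "__main__":
    print(*demo()[:2], sep="\n")
```

The first dictionary is what Device R2 would count if it trusted the host's own markings; the second is what it counts after Device R1 has rewritten them.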

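Verification

Confirm that the configuration is working properly.

Clearing the Firewall Counters

Purpose

Confirm that the firewall counters are cleared.

Action

On Devices R1 and R2, run the clear firewall all command to reset the firewall counters to 0.
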
user@R1> clear firewall all
user@R2> clear firewall all

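Sending Traffic into the Network from TCP HTTP Ports 80 and 12345 and Monitoring the Results

Purpose

Send traffic into the network from the host connected to Device R1 so that the firewalls on Device R1 and Device R2 can monitor it.

Action

  1. Use a traffic generator to send 20 TCP packets with a source port of 80 into the network.

    The -s flag sets the source port. The -k flag causes the source port to remain steady at 80 instead of incrementing. The -c flag sets the number of packets to 20. The -d flag sets the packet size.
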
    [User@host]#  hping 172.16.80.1  -c 20 -s 80  -k -d 300
    HPING 172.16.80.1 (eth1 172.16.80.1): NO FLAGS are set, 40 headers + 0 data bytes
    len=46 ip=172.16.80.1 ttl=62 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.9 ms
    .
    .
    .
    --- 172.16.80.1 hping statistic ---
    20 packets transmitted, 20 packets received, 0% packet loss
    round-trip min/avg/max = 0.9/9501.4/19002.4 ms
    
  2. Use a traffic generator to send 20 TCP packets with a source port of 12345 into the network.

    [User@host]#  hping 172.16.80.1  -c 20 -s 12345  -k -d 300
    HPING 172.16.80.1 (eth1 172.16.80.1): NO FLAGS are set, 40 headers + 0 data bytes
    len=46 ip=172.16.80.1 ttl=62 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.3 ms
    .
    .
    .
    --- 172.16.80.1 hping statistic ---
    20 packets transmitted, 20 packets received, 0% packet loss
    round-trip min/avg/max = 0.3/9501.5/19002.7 ms
    
  3. On Device R1, check the firewall counters by using the show firewall command.

    user@R1> show firewall
    Filter: mf-classifier
    Counters:
    Name                                                Bytes              Packets
    BE-data                                               800               20
    Prem-data                                             800               20
    
  4. On Device R2, check the firewall counters by using the show firewall command.

    user@R2> show firewall
    Filter: mf-classifier
    Counters:
    Name                                                Bytes              Packets
    BE-data                                               800               20
    Premium-data                                          800               20
    

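Meaning

Device R1 correctly set the code point of the TCP packets to port 12345 to bf. Device R1 correctly set the code point of the TCP packets to port 80 to ef. Device R2 correctly identified the code point of the TCP packets to port 12345 as bf. Device R2 correctly identified the code point of the TCP packets to port 80 as ef.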