Example: Configuring and Applying a Firewall Filter for a Multifield Classifier

 

This example shows how to configure a firewall filter to classify traffic using a multifield classifier. The classifier detects packets of interest to CoS as they arrive on an interface.

Requirements

One common way to detect packets of CoS interest is by source or destination address. The destination address is used in this example, but many other matching criteria for packet detection are available to firewall filters.

Overview

In this example, you configure the firewall filter mf-classifier. You create and name the assured forwarding traffic class, set the match condition, and specify the destination address as 192.168.44.55. You create the forwarding class for assured forwarding DiffServ traffic as af-class and set the loss priority to low.

Then you create and name the expedited forwarding traffic class, set the match condition for it, and specify the destination address as 192.168.66.77. You then create the forwarding class for expedited forwarding DiffServ traffic as ef-class and set the policer to ef-policer. Then you create and name the network-control traffic class and set the match condition.

You then create and name the forwarding class for the network control traffic class as nc-class. You create and name the forwarding class for the best-effort traffic class as be-class. Finally, you apply the multifield classifier firewall filter as an input filter on each customer-facing or host-facing interface that needs the filter. In this example, the interface is ge-0/0/0.

Configuration

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a firewall filter for a multifield classifier for a device:

  1. Create and name the multifield classifier filter.
  2. Create and name the term for the assured forwarding traffic class.
  3. Specify the destination address for assured forwarding traffic.
  4. Create the forwarding class and set the loss priority for the assured forwarding traffic class.
  5. Create and name the term for the expedited forwarding traffic class.
  6. Specify the destination address for the expedited forwarding traffic.
  7. Create the forwarding class and apply the policer for the expedited forwarding traffic class.
  8. Create and name the term for the network control traffic class.
  9. Create the match condition for the network control traffic class.
  10. Create and name the forwarding class for the network control traffic class.
  11. Create and name the term for the best-effort traffic class.
  12. Create and name the forwarding class for the best-effort traffic class.
    Note

    Because this is the last term in the filter, it has no match condition.

  13. Apply the multifield classifier firewall filter as an input filter.
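
The thirteen steps above written out as Junos set commands, as an added example rather than the documentation's own listing. The term names, the /32 prefix lengths, the `precedence net-control` match, and `unit 0 family inet` are assumptions; the forwarding classes af-class, ef-class, nc-class, and be-class and the policer ef-policer are assumed to be defined elsewhere in the configuration.

```junos
# Added example. Enter at the [edit] hierarchy level in configuration mode.
# Assumed: term names, /32 host prefixes, the net-control precedence match,
# and logical unit 0 with family inet on ge-0/0/0.

# Steps 1-4: assured forwarding term, matched on destination address
set firewall filter mf-classifier term assured-forwarding from destination-address 192.168.44.55/32
set firewall filter mf-classifier term assured-forwarding then forwarding-class af-class
set firewall filter mf-classifier term assured-forwarding then loss-priority low

# Steps 5-7: expedited forwarding term, rate-limited by ef-policer
set firewall filter mf-classifier term expedited-forwarding from destination-address 192.168.66.77/32
set firewall filter mf-classifier term expedited-forwarding then forwarding-class ef-class
set firewall filter mf-classifier term expedited-forwarding then policer ef-policer

# Steps 8-10: network control term (match condition is an assumption)
set firewall filter mf-classifier term network-control from precedence net-control
set firewall filter mf-classifier term network-control then forwarding-class nc-class

# Steps 11-12: best-effort term. It has no "from" clause, so it matches
# every packet not matched by an earlier term and must stay last.
set firewall filter mf-classifier term best-effort then forwarding-class be-class

# Step 13: apply the filter to inbound traffic on the interface
set interfaces ge-0/0/0 unit 0 family inet filter input mf-classifier
```

Terms are evaluated in order, so a term inserted after best-effort would never be reached.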

Results

From configuration mode, confirm your configuration by entering the show firewall filter mf-classifier command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying a Firewall Filter for a Multifield Classifier Configuration

Purpose

Verify that a firewall filter for a multifield classifier is configured properly on a device.

Action

From configuration mode, enter the show firewall filter mf-classifier command.