Multifield Classification


Multifield Classification Overview

This topic covers the following information:

Forwarding Classes and PLP Levels

You can configure the Junos OS class of service (CoS) features to classify incoming traffic by associating each packet with a forwarding class, a packet loss priority (PLP) level, or both:

  • Based on the associated forwarding class, each packet is assigned to an output queue, and the router services the output queues according to the associated scheduling you configure.

  • Based on the associated PLP, each packet carries a lower or higher likelihood of being dropped if congestion occurs. The CoS random early detection (RED) process uses the drop probability configuration, output queue fullness percentage, and packet PLP to drop packets as needed to control congestion at the output stage.

Multifield Classification and BA Classification

The Junos OS supports two general types of packet classification: behavior aggregate (BA) classification and multifield classification:

  • BA classification, or CoS value traffic classification, refers to a method of packet classification that uses a CoS configuration to set the forwarding class or PLP of a packet based on the CoS value in the IP packet header. The CoS value examined for BA classification purposes can be the Differentiated Services code point (DSCP) value, DSCP IPv6 value, IP precedence value, MPLS EXP bits, and IEEE 802.1p value. The default classifier is based on the IP precedence value.

  • Multifield classification refers to a method of packet classification that uses a standard stateless firewall filter configuration to set the forwarding class or PLP for each packet entering or exiting the interface based on multiple fields in the IP packet header, including the DSCP value (for IPv4 only), the IP precedence value, the MPLS EXP bits, and the IEEE 802.1p bits. Multifield classification commonly matches on IP address fields, the IP protocol type field, or the port number in the UDP or TCP pseudoheader field. Multifield classification is used instead of BA classification when you need to classify packets based on packet header information other than the CoS values alone.

    With multifield classification, a firewall filter term can specify the packet classification actions for matching packets through the use of the forwarding-class class-name or loss-priority (high | medium-high | medium-low | low) nonterminating actions in the term's then clause.

Note

BA classification of a packet can be overridden by the stateless firewall filter actions forwarding-class and loss-priority.

Multifield Classification Used In Conjunction with Policers

To configure multifield classification in conjunction with rate limiting, a firewall filter term can specify the packet classification actions for matching packets through the use of a policer nonterminating action that references a single-rate two-color policer.

When multifield classification is configured to perform classification through a policer, the filter-matched packets in the traffic flow are rate-limited to the policer-specified traffic limits. Packets in a conforming flow of filter-matched packets are implicitly set to a low PLP. Packets in a nonconforming traffic flow can be discarded, or the packets can be set to a specified forwarding class, set to a specified PLP level, or both, depending on the type of policer and how the policer is configured to handle nonconforming traffic.

Note

Before you apply a firewall filter that performs multifield classification and also a policer to the same logical interface and for the same traffic direction, make sure that you consider the order of policer and firewall filter operations.

As an example, consider the following scenario:

  • You configure a firewall filter that performs multifield classification (acts on matched packets by setting the forwarding class, the PLP, or both) based on the packet's existing forwarding class or PLP. You apply the firewall filter at the input of a logical interface.

  • You also configure a single-rate two-color policer that acts on a red traffic flow by re-marking (setting the forwarding class, the PLP, or both) rather than discarding those packets. You apply the policer as an interface policer at the input of the same logical interface to which you apply the firewall filter.

Because of the order of policer and firewall filter operations, the input policer is executed before the input firewall filter. This means that the multifield classification specified by the firewall filter is performed on input packets that have already been re-marked once by policing actions. Consequently, any input packet that matches the conditions specified in a firewall filter term is then subject to a second re-marking according to the forwarding-class or loss-priority nonterminating actions also specified in that term.

Multifield Classification Requirements and Restrictions

This topic covers the following information:

Supported Platforms

The loss-priority firewall filter action is supported on the following routing platforms only:

  • EX Series switches

  • M7i and M10i routers with the Enhanced CFEB (CFEB-E)

  • M120 and M320 routers

  • MX Series routers

  • T Series routers with Enhanced II Flexible PIC Concentrators (FPCs)

  • PTX Series routers

CoS Tricolor Marking Requirement

The loss-priority firewall filter action has platform-specific dependencies on the CoS tricolor marking feature, as defined in RFC 2698:

  • On an M320 router, you cannot commit a configuration that includes the loss-priority firewall filter action unless you enable the CoS tricolor marking feature.

  • On all routing platforms that support the loss-priority firewall filter action, you cannot set the loss-priority firewall filter action to medium-low or medium-high unless you enable the CoS tricolor marking feature.

To enable the CoS tricolor marking feature, include the tri-color statement at the [edit class-of-service] hierarchy level.

Restrictions

You cannot configure the loss-priority and three-color-policer nonterminating actions for the same firewall filter term. These two nonterminating actions are mutually exclusive.

Note

On a PTX Series router, you must configure the policer action in a separate rule and not combine it with the rule configuring the forwarding-class and loss-priority actions. See Firewall and Policing Differences Between PTX Series Packet Transport Routers and T Series Matrix Routers.

Multifield Classification Limitations on M Series Routers

This topic covers the following information:

Problem: Output-Filter Matching on Input-Filter Classification

On M Series routers (except M120 routers), you cannot classify packets with an output filter match based on the ingress classification that is set with an input filter applied to the same IPv4 logical interface.

For example, in the following configuration, the filter called ingress assigns all incoming IPv4 packets to the expedited-forwarding class. The filter called egress counts all packets that were assigned to the expedited-forwarding class in the ingress filter. This configuration does not work on most M Series routers. It works on all other routing platforms, including M120 routers, MX Series routers, and T Series routers.

Workaround: Configure All Actions in the Ingress Filter

As a workaround, you can configure all of the actions in the ingress filter.
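As an added illustration (not configuration from the page), the first pair of filters below is the ingress/egress arrangement the problem describes, and the second is the workaround with the forwarding-class action and the counter in the same ingress term. The interface name, term names and counter name are assumed; only the filter names ingress and egress come from the text.

```junos
/* Does not work on most M Series routers: the egress filter's
   forwarding-class match cannot see the class set by the ingress filter. */
firewall {
    family inet {
        filter ingress {
            term classify {
                then forwarding-class expedited-forwarding;   /* implicit accept */
            }
        }
        filter egress {
            term count-ef {
                from {
                    forwarding-class expedited-forwarding;
                }
                then count ef-packets;                        /* counter name assumed */
            }
        }
    }
}
interfaces {
    ge-1/2/0 {                                                /* interface name assumed */
        unit 0 {
            family inet {
                filter {
                    input ingress;
                    output egress;
                }
            }
        }
    }
}

/* Workaround: classify and count in one ingress term, so the counter
   does not depend on an output filter seeing the ingress classification. */
firewall {
    family inet {
        filter ingress {
            term classify-and-count {
                then {
                    forwarding-class expedited-forwarding;
                    count ef-packets;
                }
            }
        }
    }
}
```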

Example: Configuring Multifield Classification

This example shows how to configure multifield classification of IPv4 traffic by using firewall filter actions and two firewall filter policers.

Requirements

Before you begin, make sure that your environment supports the features shown in this example:

  1. The loss-priority firewall filter action must be supported on the router and configurable to all four values.

    1. To be able to set a loss-priority firewall filter action, configure this example on logical interface ge-1/2/0.0 on one of the following routing platforms:

      • MX Series router

      • M120 or M320 router

      • M7i or M10i router with the Enhanced CFEB (CFEB-E)

      • T Series router with Enhanced II Flexible PIC Concentrator (FPC)

    2. To be able to set a loss-priority firewall filter action to medium-low or medium-high, make sure that the CoS tricolor marking feature is enabled. To enable the CoS tricolor marking feature, include the tri-color statement at the [edit class-of-service] hierarchy level.

  2. The expedited-forwarding and assured-forwarding forwarding classes must be scheduled on the underlying physical interface ge-1/2/0.

    1. Make sure that the following forwarding classes are assigned to output queues:

      • expedited-forwarding

      • assured-forwarding

      Forwarding-class assignments are configured at the [edit class-of-service forwarding-classes queue queue-number] hierarchy level.

      Note

      You cannot commit a configuration that assigns the same forwarding class to two different queues.

    2. Make sure that the output queues to which the forwarding classes are assigned are associated with schedulers. A scheduler defines the amount of interface bandwidth assigned to the queue, the size of the memory buffer allocated for storing packets, the priority of the queue, and the random early detection (RED) drop profiles associated with the queue.

      • You configure output queue schedulers at the [edit class-of-service schedulers] hierarchy level.

      • You associate output queue schedulers with forwarding classes by means of a scheduler map that you configure at the [edit class-of-service scheduler-maps map-name] hierarchy level.

    3. Make sure that output-queue scheduling is applied to the physical interface ge-1/2/0.

      You apply a scheduler map to a physical interface at the [edit class-of-service interfaces ge-1/2/0 scheduler-map map-name] hierarchy level.

Overview

In this example, you apply multifield classification to the input IPv4 traffic at a logical interface by using stateless firewall filter actions and two firewall filter policers that are referenced from the firewall filter. Based on the source address field, packets are either set to the low loss priority or else policed. Neither of the policers discards nonconforming traffic. Packets in nonconforming flows are marked for a specific forwarding class (expedited-forwarding or assured-forwarding), set to a specific loss priority, and then transmitted.

Note

Single-rate two-color policers always transmit packets in a conforming traffic flow after implicitly setting a low loss priority.

Topology

In this example, you apply multifield classification to the IPv4 traffic on logical interface ge-1/2/0.0. The classification rules are specified in the IPv4 stateless firewall filter mfc-filter and two single-rate two-color policers, ef-policer and af-policer.

The IPv4 standard stateless firewall filter mfc-filter defines three filter terms:

  • isp1-customers—The first filter term matches packets with the source address 10.1.1.0/24 or 10.1.2.0/24. Matched packets are assigned to the expedited-forwarding forwarding class and set to the low loss priority.

  • isp2-customers—The second filter term matches packets with the source address 10.1.3.0/24 or 10.1.4.0/24. Matched packets are passed to ef-policer, a policer that rate-limits traffic to a bandwidth limit of 300 Kbps with a burst-size limit of 50 KB. This policer specifies that packets in a nonconforming flow are marked for the expedited-forwarding forwarding class and set to the high loss priority.

  • other-customers—The third and final filter term passes all other packets to af-policer, a policer that rate-limits traffic to a bandwidth limit of 300 Kbps and a burst-size limit of 50 KB (the same traffic limits as defined by ef-policer). This policer specifies that packets in a nonconforming flow are marked for the assured-forwarding forwarding class and set to the medium-high loss priority.
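The three terms and two policers just described, written out in Junos hierarchical form as an added example (this is not the page's own CLI Quick Configuration). The logical interface address 10.10.10.1/30 is an assumed value, and the tri-color statement is included because af-policer sets the medium-high loss priority, which the page says requires CoS tricolor marking.

```junos
class-of-service {
    tri-color;                              /* required for medium-high loss priority */
}
firewall {
    policer ef-policer {
        if-exceeding {
            bandwidth-limit 300k;
            burst-size-limit 50k;
        }
        then {                              /* nonconforming flow: re-mark, do not discard */
            forwarding-class expedited-forwarding;
            loss-priority high;
        }
    }
    policer af-policer {
        if-exceeding {
            bandwidth-limit 300k;
            burst-size-limit 50k;
        }
        then {
            forwarding-class assured-forwarding;
            loss-priority medium-high;
        }
    }
    family inet {
        filter mfc-filter {
            term isp1-customers {
                from {
                    source-address {
                        10.1.1.0/24;
                        10.1.2.0/24;
                    }
                }
                then {                      /* nonterminating actions only: packet is accepted */
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                }
            }
            term isp2-customers {
                from {
                    source-address {
                        10.1.3.0/24;
                        10.1.4.0/24;
                    }
                }
                then policer ef-policer;
            }
            term other-customers {
                then policer af-policer;    /* no from clause: matches everything else */
            }
        }
    }
}
interfaces {
    ge-1/2/0 {
        unit 0 {
            family inet {
                filter {
                    input mfc-filter;
                }
                address 10.10.10.1/30;      /* assumed address */
            }
        }
    }
}
```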

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configuring Policers to Rate-Limit Expedited-Forwarding and Assured-Forwarding Traffic

Step-by-Step Procedure

To configure policers to rate-limit expedited-forwarding and assured-forwarding traffic:

  1. Define traffic limits for expedited-forwarding traffic.

  2. Configure a policer for assured-forwarding traffic.

Results

Confirm the configuration of the policers by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring a Multifield Classification Filter That Also Applies Policing

Step-by-Step Procedure

To configure a multifield classification filter that additionally applies policing:

  1. Enable configuration of a firewall filter term for IPv4 traffic.

  2. Configure the first term to match on source addresses and then classify the matched packets.

  3. Configure the second term to match on different source addresses and then police the matched packets.

  4. Configure the third term to police all other packets to a different set of traffic limits and actions.

Results

Confirm the configuration of the filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Applying Multifield Classification Filtering and Policing to the Logical Interface

Step-by-Step Procedure

To apply multifield classification filtering and policing to the logical interface:

  1. Enable configuration of IPv4 on the logical interface.

  2. Configure an IP address for the logical interface.

  3. Apply the firewall filter to the logical interface input.

    Note

    Because the policer is executed before the filter, if an input policer is also configured on the logical interface, it cannot use the forwarding class and PLP of a multifield classifier associated with the interface.

Results

Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Displaying the Number of Packets Processed by the Policer at the Logical Interface

Purpose

Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.

Action

Use the show firewall operational mode command for the filter you applied to the logical interface.

user@host> show firewall filter rate-limit-in

The command output lists the policers applied by the firewall filter rate-limit-in, and the number of packets that matched the filter term.

Note

The packet count includes only the out-of-specification (out-of-spec) packets, not all packets processed by the policer.

The policer name is displayed concatenated with the name of the firewall filter term in which the policer is referenced as an action.

Example: Configuring and Applying a Firewall Filter for a Multifield Classifier

This example shows how to configure a firewall filter to classify traffic using a multifield classifier. The classifier detects packets of interest to class of service (CoS) as they arrive on an interface. Multifield classifiers are used when a simple behavior aggregate (BA) classifier is insufficient to classify a packet, when peering routers do not have CoS bits marked, or the peering router’s marking is untrusted.

Requirements

To verify this procedure, this example uses a traffic generator. The traffic generator can be hardware-based or it can be software running on a server or host machine.

The functionality in this procedure is widely supported on devices that run Junos OS. The example shown here was tested and verified on MX Series routers running Junos OS Release 10.4.

Overview

A classifier is a software operation that inspects a packet as it enters the router or switch. The packet header contents are examined, and this examination determines how the packet is treated when the network becomes too busy to handle all of the packets and you want your devices to drop packets intelligently, instead of dropping packets indiscriminately. One common way to detect packets of interest is by source port number. The TCP port numbers 80 and 12345 are used in this example, but many other matching criteria for packet detection are available to multifield classifiers, using firewall filter match conditions. The configuration in this example specifies that TCP packets with source port 80 are classified into the BE-data forwarding class and queue number 0. TCP packets with source port 12345 are classified into the Premium-data forwarding class and queue number 1.

Multifield classifiers are typically used at the network edge as packets enter an autonomous system (AS).

In this example, you configure the firewall filter mf-classifier and specify some custom forwarding classes on Device R1. In specifying the custom forwarding classes, you also associate each class with a queue.

The classifier operation is shown in Figure 1.

Figure 1: Multifield Classifier Based on TCP Source Ports

You apply the multifield classifier’s firewall filter as an input filter on each customer-facing or host-facing interface that needs the filter. The incoming interface is ge-1/0/0 on Device R1. The classification and queue assignment is verified on the outgoing interface. The outgoing interface is Device R1’s ge-1/0/2 interface.

Topology

Figure 2 shows the sample network.

Figure 2: Multifield Classifier Scenario

CLI Quick Configuration shows the configuration for all of the Juniper Networks devices in Figure 2.

The section Step-by-Step Procedure describes the steps on Device R1.


Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Device R1

Device R2

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Device R1:

  1. Configure the device interfaces.
  2. Configure the custom forwarding classes and associated queue numbers.
  3. Configure the firewall filter term that places TCP traffic with a source port of 80 (HTTP traffic) into the BE-data forwarding class, associated with queue 0.
  4. Configure the firewall filter term that places TCP traffic with a source port of 12345 into the Premium-data forwarding class, associated with queue 1.
  5. At the end of your firewall filter, configure a default term that accepts all other traffic.

    Otherwise, all traffic that arrives on the interface and is not explicitly accepted by the firewall filter is discarded.

  6. Apply the firewall filter to the ge-1/0/0 interface as an input filter.
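Steps 1 through 6 in Junos hierarchical form, added here as an example rather than the page's own Device R1 configuration. The interface addresses are assumed values; the forwarding-class names, queue numbers, TCP source ports and interface names are those the example specifies.

```junos
interfaces {
    ge-1/0/0 {                              /* incoming, customer-facing interface */
        unit 0 {
            family inet {
                filter {
                    input mf-classifier;    /* step 6 */
                }
                address 172.16.50.2/30;     /* assumed address */
            }
        }
    }
    ge-1/0/2 {                              /* outgoing interface where queues are checked */
        unit 0 {
            family inet {
                address 172.16.60.2/30;     /* assumed address */
            }
        }
    }
}
class-of-service {
    forwarding-classes {                    /* step 2: custom classes and their queues */
        queue 0 BE-data;
        queue 1 Premium-data;
    }
}
firewall {
    family inet {
        filter mf-classifier {
            term BE-data {                  /* step 3: HTTP source port 80 to queue 0 */
                from {
                    protocol tcp;
                    source-port 80;
                }
                then forwarding-class BE-data;
            }
            term Premium-data {             /* step 4: source port 12345 to queue 1 */
                from {
                    protocol tcp;
                    source-port 12345;
                }
                then forwarding-class Premium-data;
            }
            term accept-all-else {          /* step 5: without this, unmatched traffic is discarded */
                then accept;
            }
        }
    }
}
```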

Results

From configuration mode, confirm your configuration by entering the show interfaces, show class-of-service, and show firewall commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Checking the CoS Settings

Purpose

Confirm that the forwarding classes are configured correctly.

Action

From Device R1, run the show class-of-service forwarding-class command.

user@R1> show class-of-service forwarding-class

Meaning

The output shows the configured custom classifier settings.

Sending TCP Traffic into the Network and Monitoring the Queue Placement

Purpose

Make sure that the traffic of interest is sent out the expected queue.

Action

  1. Clear the interface statistics on Device R1’s outgoing interface.

    user@R1> clear interfaces statistics ge-1/0/2
  2. Use a traffic generator to send 50 TCP port 80 packets to Device R2 or to some other downstream device.

  3. On Device R1, check the queue counters.

    Notice that you check the queue counters on the downstream output interface, not on the incoming interface.

    user@R1> show interfaces extensive ge-1/0/2 | find "Queue counters"
  4. Use a traffic generator to send 50 TCP port 12345 packets to Device R2 or to some other downstream device.

    [root@host]# hping 172.16.60.1 -c 50 -s 12345 -k
  5. On Device R1, check the queue counters.

    user@R1> show interfaces extensive ge-1/0/2 | find "Queue counters"

Meaning

The output shows that the packets are classified correctly. When port 80 is used in the TCP packets, queue 0 is incremented. When port 12345 is used, queue 1 is incremented.