
    Example: Configuring Multifield Classification

    This example shows how to configure multifield classification of IPv4 traffic by using firewall filter actions and two firewall filter policers.

    Requirements

    Before you begin, make sure that your environment supports the features shown in this example:

    1. The loss-priority firewall filter action must be supported on the router and configurable to all four values.

      1. To be able to set a loss-priority firewall filter action, configure this example on logical interface ge-1/2/0.0 on one of the following routing platforms:

        • MX Series router
        • M120 or M320 router
        • M7i or M10i router with the Enhanced CFEB (CFEB-E)
        • T Series router with Enhanced II Flexible PIC Concentrator (FPC)
      2. To be able to set a loss-priority firewall filter action to medium-low or medium-high, make sure that the CoS tricolor marking feature is enabled. To enable the CoS tricolor marking feature, include the tri-color statement at the [edit class-of-service] hierarchy level.
    2. The expedited-forwarding and assured-forwarding forwarding classes must be scheduled on the underlying physical interface ge-1/2/0.

      1. Make sure that the following forwarding classes are assigned to output queues:

        • expedited-forwarding
        • assured-forwarding
        Forwarding-class assignments are configured at the [edit class-of-service forwarding-classes queue queue-number] hierarchy level.

        Note: You cannot commit a configuration that assigns the same forwarding class to two different queues.

      2. Make sure that the output queues to which the forwarding classes are assigned are associated with schedulers. A scheduler defines the amount of interface bandwidth assigned to the queue, the size of the memory buffer allocated for storing packets, the priority of the queue, and the random early detection (RED) drop profiles associated with the queue.

        • You configure output queue schedulers at the [edit class-of-service schedulers] hierarchy level.
        • You associate output queue schedulers with forwarding classes by means of a scheduler map that you configure at the [edit class-of-service scheduler-maps map-name] hierarchy level.
      3. Make sure that output-queue scheduling is applied to the physical interface ge-1/2/0.

        You apply a scheduler map to a physical interface at the [edit class-of-service interfaces ge-1/2/0 scheduler-map map-name] hierarchy level.

    Overview

    In this example, you apply multifield classification to the input IPv4 traffic at a logical interface by using stateless firewall filter actions and two firewall filter policers that are referenced from the firewall filter. Based on the source address field, packets are either set to the low loss priority or else policed. Neither of the policers discards nonconforming traffic. Packets in nonconforming flows are marked for a specific forwarding class (expedited-forwarding or assured-forwarding), set to a specific loss priority, and then transmitted.

    Note: Single-rate two-color policers always transmit packets in a conforming traffic flow after implicitly setting a low loss priority.

    Topology

    In this example, you apply multifield classification to the IPv4 traffic on logical interface ge-1/2/0.0. The classification rules are specified in the IPv4 stateless firewall filter mfc-filter and two single-rate two-color policers, ef-policer and af-policer.

    The IPv4 standard stateless firewall filter mfc-filter defines three filter terms:

    • isp1-customers—The first filter term matches packets with the source address 10.1.1.0/24 or 10.1.2.0/24. Matched packets are assigned to the expedited-forwarding forwarding class and set to the low loss priority.
    • isp2-customers—The second filter term matches packets with the source address 10.1.3.0/24 or 10.1.4.0/24. Matched packets are passed to ef-policer, a policer that rate-limits traffic to a bandwidth limit of 300 Kbps with a burst-size limit of 50 KB. This policer specifies that packets in a nonconforming flow are marked for the expedited-forwarding forwarding class and set to the high loss priority.
    • other-customers—The third and final filter term passes all other packets to af-policer, a policer that rate-limits traffic to a bandwidth limit of 300 Kbps and a burst-size limit of 50 KB (the same traffic limits as defined by ef-policer). This policer specifies that packets in a nonconforming flow are marked for the assured-forwarding forwarding class and set to the medium-high loss priority.
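    To make the term order and the two policer actions concrete, the following is an added Python model (not Junos code and not part of this page): each single-rate two-color policer is modelled as a token bucket refilled at bandwidth-limit (bits per second) with a depth of burst-size-limit (bytes), which is an assumption about the algorithm, and the loss priorities are the ones set in the CLI Quick Configuration (high for both policers). Traffic is constructed inline.

```python
import ipaddress

class TwoColorPolicer:
    """Single-rate two-color policer as a token bucket (constructed model, not Junos code)."""
    def __init__(self, name, bandwidth_bps, burst_bytes, fc, plp):
        self.name, self.fc, self.plp = name, fc, plp
        self.rate = bandwidth_bps / 8.0         # token refill in bytes per second
        self.burst = burst_bytes                # bucket depth = burst-size-limit
        self.tokens, self.last = float(burst_bytes), 0.0
        self.out_of_spec = 0                    # the per-policer count "show firewall" reports

    def police(self, pkt, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if pkt["len"] <= self.tokens:           # conforming: transmit with implicit low PLP
            self.tokens -= pkt["len"]
            return dict(pkt, plp="low")
        self.out_of_spec += 1                   # nonconforming: remark, then transmit (no discard)
        return dict(pkt, fc=self.fc, plp=self.plp)

def build_mfc_filter():
    """Terms of mfc-filter in evaluation order; returns (terms, policers by name)."""
    ef = TwoColorPolicer("ef-policer", 300_000, 50_000, "expedited-forwarding", "high")
    af = TwoColorPolicer("af-policer", 300_000, 50_000, "assured-forwarding", "high")
    terms = [
        ("isp1-customers", ["10.1.1.0/24", "10.1.2.0/24"],
         {"fc": "expedited-forwarding", "plp": "low"}),
        ("isp2-customers", ["10.1.3.0/24", "10.1.4.0/24"], ef),
        ("other-customers", None, af),          # no from clause: matches every packet
    ]
    return terms, {"ef-policer": ef, "af-policer": af}

def run_filter(terms, pkt, now):
    """Evaluate terms in order; the first match wins. Returns (term name, packet after actions)."""
    src = ipaddress.ip_address(pkt["src"])
    for name, prefixes, action in terms:
        if prefixes and not any(src in ipaddress.ip_network(p) for p in prefixes):
            continue
        if isinstance(action, TwoColorPolicer):
            return name, action.police(pkt, now)
        return name, dict(pkt, **action)
    return None, None                           # implicit discard; unreachable with a catch-all term

def simulate(packets):
    """packets: list of (time_s, src, len_bytes). Returns per-packet results and out-of-spec counts."""
    terms, policers = build_mfc_filter()
    results = [run_filter(terms, {"src": s, "len": n}, t) for t, s, n in packets]
    return results, {name: p.out_of_spec for name, p in policers.items()}
```

    Sending 51 back-to-back 1000-byte packets from an isp2 source exhausts the 50 KB bucket, so the 51st is counted out-of-spec and remarked to expedited-forwarding with high loss priority, while a packet one second later fits within the refilled bucket and conforms.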

    Configuration

    The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

    To configure this example, perform the following tasks:

    CLI Quick Configuration

    To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

    set firewall policer ef-policer if-exceeding bandwidth-limit 300k
    set firewall policer ef-policer if-exceeding burst-size-limit 50k
    set firewall policer ef-policer then loss-priority high
    set firewall policer ef-policer then forwarding-class expedited-forwarding
    set firewall policer af-policer if-exceeding bandwidth-limit 300k
    set firewall policer af-policer if-exceeding burst-size-limit 50k
    set firewall policer af-policer then loss-priority high
    set firewall policer af-policer then forwarding-class assured-forwarding
    set firewall family inet filter mfc-filter term isp1-customers from source-address 10.1.1.0/24
    set firewall family inet filter mfc-filter term isp1-customers from source-address 10.1.2.0/24
    set firewall family inet filter mfc-filter term isp1-customers then loss-priority low
    set firewall family inet filter mfc-filter term isp1-customers then forwarding-class expedited-forwarding
    set firewall family inet filter mfc-filter term isp2-customers from source-address 10.1.3.0/24
    set firewall family inet filter mfc-filter term isp2-customers from source-address 10.1.4.0/24
    set firewall family inet filter mfc-filter term isp2-customers then policer ef-policer
    set firewall family inet filter mfc-filter term other-customers then policer af-policer
    set interfaces ge-1/2/0 unit 0 family inet address 192.168.1.1/24
    set interfaces ge-1/2/0 unit 0 family inet filter input mfc-filter

    Configuring Policers to Rate-Limit Expedited-Forwarding and Assured-Forwarding Traffic

    Step-by-Step Procedure

    To configure policers to rate-limit expedited-forwarding and assured-forwarding traffic:

    1. Define traffic limits for expedited-forwarding traffic.

      [edit]
      user@host# edit firewall policer ef-policer
      [edit firewall policer ef-policer]
      user@host# set if-exceeding bandwidth-limit 300k
      user@host# set if-exceeding burst-size-limit 50k
      user@host# set then loss-priority high
      user@host# set then forwarding-class expedited-forwarding
    2. Configure a policer for assured-forwarding traffic.

      [edit firewall policer ef-policer]
      user@host# up
      [edit firewall]
      user@host# edit policer af-policer
      [edit firewall policer af-policer]
      user@host# set if-exceeding bandwidth-limit 300k
      user@host# set if-exceeding burst-size-limit 50k
      user@host# set then loss-priority high
      user@host# set then forwarding-class assured-forwarding

    Results

    Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

    [edit]
    user@host# show firewall
    policer af-policer {
        if-exceeding {
            bandwidth-limit 300k;
            burst-size-limit 50k;
        }
        then {
            loss-priority high;
            forwarding-class assured-forwarding;
        }
    }
    policer ef-policer {
        if-exceeding {
            bandwidth-limit 300k;
            burst-size-limit 50k;
        }
        then {
            loss-priority high;
            forwarding-class expedited-forwarding;
        }
    }

    Configuring a Multifield Classification Filter That Also Applies Policing

    Step-by-Step Procedure

    To configure a multifield classification filter that additionally applies policing:

    1. Enable configuration of a firewall filter term for IPv4 traffic.

      [edit]
      user@host# edit firewall family inet filter mfc-filter
    2. Configure the first term to match on source addresses and then classify the matched packets.

      [edit firewall family inet filter mfc-filter]
      user@host# set term isp1-customers from source-address 10.1.1.0/24
      user@host# set term isp1-customers from source-address 10.1.2.0/24
      user@host# set term isp1-customers then loss-priority low
      user@host# set term isp1-customers then forwarding-class expedited-forwarding
    3. Configure the second term to match on different source addresses and then police the matched packets.

      [edit firewall family inet filter mfc-filter]
      user@host# set term isp2-customers from source-address 10.1.3.0/24
      user@host# set term isp2-customers from source-address 10.1.4.0/24
      user@host# set term isp2-customers then policer ef-policer
    4. Configure the third term to police all other packets to a different set of traffic limits and actions.

      [edit firewall family inet filter mfc-filter]
      user@host# set term other-customers then policer af-policer

    Results

    Confirm the configuration of the filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

    [edit]
    user@host# show firewall
    family inet {
        filter mfc-filter {
            term isp1-customers {
                from {
                    source-address 10.1.1.0/24;
                    source-address 10.1.2.0/24;
                }
                then {
                    loss-priority low;
                    forwarding-class expedited-forwarding;
                }
            }
            term isp2-customers {
                from {
                    source-address 10.1.3.0/24;
                    source-address 10.1.4.0/24;
                }
                then {
                    policer ef-policer;
                }
            }
            term other-customers {
                then {
                    policer af-policer;
                }
            }
        }
    }
    policer af-policer {
        if-exceeding {
            bandwidth-limit 300k;
            burst-size-limit 50k;
        }
        then discard;
    }
    policer ef-policer {
        if-exceeding {
            bandwidth-limit 200k;
            burst-size-limit 50k;
        }
        then {
            loss-priority high;
            forwarding-class expedited-forwarding;
        }
    }

    Applying Multifield Classification Filtering and Policing to the Logical Interface

    Step-by-Step Procedure

    To apply multifield classification filtering and policing to the logical interface:

    1. Enable configuration of IPv4 on the logical interface.

      [edit]
      user@host# edit interfaces ge-1/2/0 unit 0 family inet
    2. Configure an IP address for the logical interface.

      [edit interfaces ge-1/2/0 unit 0 family inet]
      user@host# set address 192.168.1.1/24
    3. Apply the firewall filter to the logical interface input.

      [edit interfaces ge-1/2/0 unit 0 family inet]
      user@host# set filter input mfc-filter

      Note: Because the policer is executed before the filter, an input policer that is also configured on the logical interface cannot use the forwarding class and PLP set by a multifield classifier associated with that interface.

    Results

    Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

    [edit]
    user@host# show interfaces
    ge-1/2/0 {
        unit 0 {
            family inet {
                filter {
                    input mfc-filter;
                }
                address 192.168.1.1/24;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    Confirm that the configuration is working properly.

    Displaying the Number of Packets Processed by the Policer at the Logical Interface

    Purpose

    Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.

    Action

    Use the show firewall operational mode command for the filter you applied to the logical interface.

    user@host> show firewall filter rate-limit-in
    Filter: rate-limit-in
    Policers:
    Name                                              Packets
    ef-policer-isp2-customers                           32863
    af-policer-other-customers                           3870

    The command output lists the policers applied by the firewall filter rate-limit-in and, for each policer, the number of packets that matched the filter term referencing it.

    Note: The packet count includes only out-of-specification (out-of-spec) packets, not all packets processed by the policer.

    Each policer name is displayed concatenated with the name of the firewall filter term in which that policer is referenced as an action.

    Published: 2012-11-16