Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure)

    You can configure firewall filters with multifield classifiers to classify packets transiting a port, VLAN, or Layer 3 interface on an EX Series switch.

    You specify multifield classifiers in a firewall filter configuration to set the forwarding class and packet loss priority (PLP) for incoming or outgoing packets. By default, the data traffic that is not classified is assigned to the best-effort class associated with queue 0.

    You can specify any of the following default forwarding classes:

    Forwarding class

    Queue

    best-effort

    0

    assured-forwarding

    1

    expedited-forwarding

    5

    network-control

    7

    To assign multifield classifiers in firewall filters:

    1. Configure the family name and filter name for the filter at the [edit firewall] hierarchy level, for example:
      [edit firewall]
      user@switch# set family ethernet-switching
      user@switch# set family ethernet-switching filter ingress-filter
    2. Configure the terms of the filter, including the forwarding-class and loss-priority action modifiers as appropriate. When you specify a forwarding class you must also specify the packet loss priority. For example, each of the following terms examines different packet header fields and assigns an appropriate classifier and the packet loss priority:
      • The term voice-traffic matches packets on the voice-vlan and assigns the forwarding class expedited-forwarding and packet loss priority low:
        [edit firewall family ethernet-switching filter ingress-filter]
        user@switch# set term voice-traffic from vlan-id voice-vlan
        user@switch# set term voice-traffic then forwarding-class expedited-forwarding
        user@switch# set term voice-traffic then loss-priority low
      • The term data-traffic matches packets on employee-vlan and assigns the forwarding class assured-forwarding and packet loss priority low:
        [edit firewall family ethernet-switching filter ingress-filter]
        user@switch# set term data-traffic from vlan-id employee-vlan
        user@switch# set term data-traffic then forwarding-class assured-forwarding
        user@switch# set term data-traffic then loss-priority low
      • Because loss of network-generated packets can jeopardize proper network operation, delay is preferable to discard of packets. The following term, network-traffic, assigns the forwarding class network-control and packet loss priority low:
        [edit firewall family ethernet-switching filter ingress-filter]
        user@switch# set term network-traffic from precedence net-control
        user@switch# set term network-traffic then forwarding-class network
        user@switch# set term network-traffic then loss-priority low
      • The last term accept-traffic matches any packets that did not match on any of the preceding terms and assigns the forwarding class best-effort and packet loss priority low:
        [edit firewall family ethernet-switching filter ingress-filter]
        user@switch# set term accept-traffic from precedence net-control
        user@switch# set term accept-traffic then forwarding-class best-effort
        user@switch# set term accept-traffic then loss-priority low
    3. Apply the filter ingress-filter to a port, VLAN or Layer 3 interface. For information about applying the filter, see Configuring Firewall Filters (CLI Procedure).
     

    Related Documentation

     

    Published: 2012-12-07

    Previous Page Next Page