To configure the MF filter, perform the following actions:
The firewall filter called classify matches on the transport protocol and ports identified in the incoming packets and classifies packets into the forwarding classes specified by your criteria.
The first term, sip, classifies SIP signaling messages. The port statement matches any source port or destination port (or both) that is coded to 5060.
Classifying SIP Signaling Messages
    firewall {
        family inet {
            filter classify {
                interface-specific;
                term sip {
                    from {
                        protocol [ udp tcp ];
                        port 5060;
                    }
                    then {
                        forwarding-class expedited-forwarding;
                        accept;
                    }
                }
            }
        }
    }
The second term, rtp, classifies VoIP media channels that use UDP-based transport.
Classifying VoIP Channels That Use UDP
    term rtp {
        from {
            protocol udp;
            port 16384-32767;
        }
        then {
            forwarding-class expedited-forwarding;
            accept;
        }
    }
The policer’s burst tolerance is set to the recommended value for a low-speed interface, which is ten times the interface MTU. For a high-speed interface, the recommended burst size is the transmit rate of the interface times 3 to 5 milliseconds.
Configuring the Policer
    policer be-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then loss-priority high;
    }
The third term, be, ensures that all remaining traffic is policed according to a bandwidth restriction.
Policing All Remaining Traffic
    term be {
        then policer be-policer;
    }
The be term does not include a forwarding-class action modifier. Furthermore, there is no explicit treatment of network control (NC) traffic provided in the classify filter. You can configure explicit classification of NC traffic and all remaining IP traffic, but you do not need to, because the default IP precedence classifier correctly classifies the remaining traffic. To confirm, display the default classifiers in effect on the interface by issuing the show class-of-service interface interface-name command. The display confirms that the ipprec-compatibility classifier is in effect by default.
Confirming Default Classification
    user@host> show class-of-service interface fe-0/0/2
    Physical interface: so-0/2/3, Index: 135
    Queues supported: 8, Queues in use: 4
      Scheduler map: <default>, Index: 2032638653
      Logical interface: fe-0/0/1.0, Index: 68
        Shaping rate: 32000
        Object          Name                    Type    Index
        Scheduler-map   <default>                       27
        Rewrite         exp-default             exp     21
        Classifier      exp-default             exp     5
        Classifier      ipprec-compatibility    ip      8
To view the default classifier mappings, issue the show class-of-service classifier name name command. The output confirms that traffic with an IP precedence setting of 0 is correctly classified as BE, and that NC traffic, with precedence values of 6 or 7, is properly classified as NC.
Displaying Default Classifier Mappings
    user@host> show class-of-service classifier name ipprec-compatibility
    Classifier: ipprec-compatibility, Code point type: inet-precedence, Index: 12
      Code point    Forwarding class    Loss priority
      000           best-effort         low
      001           best-effort         high
      010           best-effort         low
      011           best-effort         high
      100           best-effort         low
      101           best-effort         high
      110           network-control     low
      111           network-control     high
Apply the classify classifier to the fe-0/0/2 interface:
Applying the Classifier
    interfaces {
        fe-0/0/2 {
            unit 0 {
                family inet {
                    filter {
                        input classify;
                    }
                    address 10.12.0.13/30;
                }
            }
        }
    }
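
The Python sketch below is an added example, not part of the original documentation and not Juniper code. It models how the classify filter evaluates its three terms in order and how be-policer marks out-of-profile traffic. The Packet and TokenBucket names are hypothetical, the token bucket is a simplified model of a single-rate policer, and it assumes 1m means 1,000,000 bits per second and 15k means 15,000 bytes.

```python
from dataclasses import dataclass

@dataclass
class Packet:                      # hypothetical helper type for this illustration
    proto: str                     # "udp", "tcp", ...
    sport: int
    dport: int
    size: int = 1500               # bytes
    t: float = 0.0                 # arrival time in seconds

class TokenBucket:                 # hypothetical, simplified single-rate policer model
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0           # refill rate in bytes per second
        self.burst = float(burst_bytes)
        self.tokens, self.last = self.burst, 0.0

    def conforms(self, pkt):
        # Refill for the elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.rate)
        self.last = pkt.t
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False

def port_in(pkt, lo, hi):
    # "port" matches when the source OR the destination port is in range
    return lo <= pkt.sport <= hi or lo <= pkt.dport <= hi

def classify(pkt, policer):
    """Return (term, forwarding_class, loss_priority); first matching term wins.
    None means the filter leaves that attribute to the default classifier."""
    if pkt.proto in ("udp", "tcp") and port_in(pkt, 5060, 5060):
        return ("sip", "expedited-forwarding", None)
    if pkt.proto == "udp" and port_in(pkt, 16384, 32767):
        return ("rtp", "expedited-forwarding", None)
    # term be: no forwarding-class action; out-of-profile packets get loss-priority high
    return ("be", None, None if policer.conforms(pkt) else "high")

def demo():
    be = TokenBucket(1_000_000, 15_000)      # bandwidth-limit 1m, burst-size-limit 15k
    sample = [                               # constructed packets, not captured traffic
        Packet("tcp", 40000, 5060),          # SIP signaling
        Packet("udp", 20000, 53),            # matches rtp on the source port alone
        Packet("tcp", 40000, 20000),         # TCP in the RTP port range falls to be
    ] + [Packet("tcp", 40000, 80) for _ in range(10)]   # burst of 1500-byte packets
    return [classify(p, be) for p in sample]

if __name__ == "__main__": print(*demo(), sep="\n")
```

The second sample packet shows that the rtp term assigns expedited-forwarding to any UDP packet with either port in 16384-32767, whatever the payload. The last packet of the burst is the only one marked loss-priority high, because the eleven packets handled by the be term exceed the 15,000-byte bucket by one packet.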