
Configuring and Applying a Firewall Filter for a Multifield Classifier (Required)

You configure a multifield (MF) classifier to detect packets of interest to CoS and assign them to the proper forwarding class independently of the DiffServ code point (DSCP). To configure a multifield classifier on a customer-facing or host-facing link, configure a firewall filter to classify traffic. Packets are classified as they arrive on an interface.

One common way to detect packets of CoS interest is by source or destination address. The destination address is used in this example, but many other matching criteria for packet detection are available to firewall filters.

This example shows how to configure the firewall filter mf-classifier and apply it to the Services Router's Fast Ethernet interface fe-0/0/0. The firewall filter consists of the rules (terms) listed in Table 123.

Table 123: Sample mf-classifier Firewall Filter Terms

| Rule (Term) | Purpose | Contents |
|---|---|---|
| assured-forwarding | Detects packets destined for 192.168.44.55, assigns them to an assured forwarding class, and gives them a low likelihood of being dropped. | Match condition: destination address 192.168.44.55; Forwarding class: af-class; Loss priority: low |
| expedited-forwarding | Detects packets destined for 192.168.66.77, assigns them to an expedited forwarding class, and subjects them to the EF policer configured in Configuring a Policer for a Firewall Filter (Required). | Match condition: destination address 192.168.66.77; Forwarding class: ef-class; Policer: ef-policer |
| network-control | Detects packets with a network control precedence and forwards them to the network control class. | Match condition: precedence net-control; Forwarding class: nc-class |
| best-effort-data | Detects all other packets and assigns them to the best effort class. | Forwarding class: be-class |

For more information about firewall filters, see Configuring Firewall Filters and NAT and the JUNOS Policy Framework Configuration Guide.

To configure a firewall filter for a multifield classifier for the Services Router:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 124.
  3. Go on to Assigning Forwarding Classes to Output Queues (Required).

Table 124: Configuring and Applying a Firewall Filter for a Multifield Classifier

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Firewall level in the configuration hierarchy.

In the configuration editor hierarchy, select Firewall.

From the top of the configuration hierarchy, enter

edit firewall

Create and name the multifield classifier filter.

  1. Click Add new entry next to Filter.
  2. In the Filter name box, type a name for the multifield classifier filter—for example, mf-classifier.
  3. Select the check box next to Interface specific.

Enter

edit filter mf-classifier

set interface-specific

Create and name the term for the assured forwarding traffic class.

  1. Click Add new entry next to Term.
  2. In the Rule name box, type a name for the assured forwarding term—for example, assured-forwarding.

Enter

edit term assured-forwarding

Create the match condition for the assured forwarding traffic class.

  1. Click Configure next to From.
  2. Click Add new entry next to Destination address.
  3. In the Address box, type the destination address for assured forwarding traffic in dotted decimal notation—for example, 192.168.44.55.
  4. Click OK three times.

Enter

set from destination-address 192.168.44.55

Create the priority for the assured forwarding traffic class.

  1. Click Configure next to Then.
  2. In the Forwarding class box, type the forwarding class for assured forwarding DiffServ traffic—for example, af-class.
  3. From the Loss priority list, select low.
  4. Click OK twice.

From the top of the configuration hierarchy, enter

edit firewall filter mf-classifier term assured-forwarding

set then forwarding-class af-class

set then loss-priority low

Create and name the term for the expedited forwarding traffic class.

  1. Click Add new entry next to Term.
  2. In the Rule name box, type a name for the expedited term—for example, expedited-forwarding.

Enter

edit term expedited-forwarding

Create the match condition for the expedited forwarding traffic class.

  1. Click Configure next to From.
  2. Click Add new entry next to Destination address.
  3. In the Address box, type the destination address for expedited forwarding traffic in dotted decimal notation—for example, 192.168.66.77.
  4. Click OK twice.

Enter

set from destination-address 192.168.66.77

Create the priority and apply the policer for the expedited forwarding traffic class.

  1. Click Configure next to Then.
  2. In the Forwarding class box, type the forwarding class for expedited forwarding DiffServ traffic—for example, ef-class.
  3. In the Policer box, type the name of the EF policer previously configured for expedited forwarding DiffServ traffic—ef-policer.

    (See Configuring a Policer for a Firewall Filter (Required).)

  4. Click OK twice.

From the top of the configuration hierarchy, enter

edit firewall filter mf-classifier term expedited-forwarding

set then forwarding-class ef-class

set then policer ef-policer

Create and name the term for the network control traffic class.

  1. Click Add new entry next to Term.
  2. In the Rule name box, type a name for the network control term—for example, network-control.

Enter

edit term network-control

Create the match condition for the network control traffic class.

  1. Click Configure next to From.
  2. From the Precedence choice list, select Precedence.
  3. Click Add new entry next to Precedence.
  4. From the Value keyword list, select net-control.
  5. Click OK twice.

Enter

set from precedence net-control

Create the forwarding class for the network control traffic class.

  1. Click Configure next to Then.
  2. In the Forwarding class box, type the forwarding class for network control traffic—for example, nc-class.
  3. Click OK twice.

From the top of the configuration hierarchy, enter

edit firewall filter mf-classifier term network-control

set then forwarding-class nc-class

Create and name the term for the best-effort traffic class.

  1. Click Add new entry next to Term.
  2. In the Rule name box, type a name for the best-effort term—for example, best-effort-data.

Enter

edit term best-effort-data

Create the forwarding class for the best-effort traffic class. (Because this is the last term in the filter, it has no match condition.)

  1. Click Configure next to Then.
  2. In the Forwarding class box, type the forwarding class for best effort traffic—for example, be-class.
  3. Click OK four times.

Enter

set then forwarding-class be-class

Navigate to the Interfaces level in the configuration hierarchy.

In the configuration editor hierarchy, select Interfaces.

From the top of the configuration hierarchy, enter

edit interfaces

Apply the multifield classifier firewall filter as an input filter on the customer-facing or host-facing interfaces.

  1. Click the Interface and Unit of each interface needing the filter—for example, fe-0/0/0, unit 0.
  2. Click Configure next to Inet.
  3. Click Configure next to Filter.
  4. In the Input box, type the name of the previously configured filter—for example, mf-classifier.
  5. Click OK five times.

Enter

set fe-0/0/0 unit 0 family inet filter input mf-classifier
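
The CLI column of Table 124, collected into one sequence of set commands entered from the top of the configuration hierarchy. This is an added example, not part of the original page; it assumes that ef-policer already exists (see Configuring a Policer for a Firewall Filter) and that af-class, ef-class, nc-class and be-class are defined when you assign forwarding classes to output queues in the next task.

```junos
# Added example (not from the original page). Assumes ef-policer and the
# four forwarding classes are configured by the related tasks.
set firewall filter mf-classifier interface-specific

# Terms are evaluated in order; keep best-effort-data (no "from") last.
set firewall filter mf-classifier term assured-forwarding from destination-address 192.168.44.55
set firewall filter mf-classifier term assured-forwarding then forwarding-class af-class
set firewall filter mf-classifier term assured-forwarding then loss-priority low

set firewall filter mf-classifier term expedited-forwarding from destination-address 192.168.66.77
set firewall filter mf-classifier term expedited-forwarding then forwarding-class ef-class
set firewall filter mf-classifier term expedited-forwarding then policer ef-policer

set firewall filter mf-classifier term network-control from precedence net-control
set firewall filter mf-classifier term network-control then forwarding-class nc-class

set firewall filter mf-classifier term best-effort-data then forwarding-class be-class

# Apply as an input filter on the customer-facing interface.
set interfaces fe-0/0/0 unit 0 family inet filter input mf-classifier

# Validate before activating: commit check
```

Because the first matching term wins, a packet destined for 192.168.44.55 that also carries net-control precedence is classified as af-class, not nc-class. Move network-control ahead of the address-based terms if control traffic must always take priority.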

