[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring and Applying a Firewall Filter for a Multifield Classifier

You configure a multifield (MF) classifier to detect packets of interest to CoS and assign the packet to the proper forwarding class independently of the DiffServ code point (DSCP). To configure a multifield classifier on a customer-facing or host-facing link, configure a firewall filter to classify traffic. Packets are classified as they arrive on an interface.

One common way to detect packets of CoS interest is by source or destination address. The destination address is used in this example, but many other matching criteria for packet detection are available to firewall filters.

This example shows how to configure the firewall filter mf-classifier and apply it to the Services Router's Fast Ethernet interface fe-0/0/0. The firewall filter consists of the rules (terms) listed in Table 103.

Table 103: Sample mf-classifier Firewall Filter Terms

assured forwarding

Detects packets destined for 192.168.44.55, assigns them to an assured forwarding class, and gives them a low likelihood of being dropped.

Match condition: destination address 192.168.44.55

Forwarding class: af-class

Loss priority: low

expedited-forwarding

Detects packets destined for 192.168.66.77, assigns them to an expedited forwarding class, and subjects them to the EF policer configured in Configuring a Policer for a Firewall Filter.

Match condition: destination address 192.168.66.77

Forwarding class: ef-class

Policer: ef-policer

network control

Detects packets with a network control precedence and forwards them to the network control class.

Match condition: precedence net-control

Forwarding class: nc-class

best-effort-data

Detects all other packets and assigns them to the best effort class.

Forwarding class: be-class

For more information about firewalls filters see Configuring Stateless Firewall Filters and the JUNOS Policy Framework Configuration Guide.

To configure a firewall filter for a multifield classifier for the Services Router:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 104.
  3. Go on to Assigning Forwarding Classes to Output Queues .

Table 104: Configuring and Applying a Firewall Filter for a Multifield Classifier

Navigate to the Firewall level in the configuration hierarchy.

In the configuration editor hierarchy, select Firewall.

From the top of the configuration hierarchy, enter

edit firewall

Create the multifield classifier filter and name it—for example, mf-classifier.
  1. Click Add new entry next to Filter.
  2. In the Filter name box, type mf-classifier.
  3. Select the check box next to Interface specific.

Enter

edit filter mf-classifier

set interface-specific

Create the term for the assured forwarding traffic class, and give it a name—for example, assured-forwarding.
  1. Click Add new entry next to Term.
  2. In the Rule name box, type assured-forwarding.

Enter

edit term assured-forwarding

Create the match condition for the assured forwarding traffic class. Use the destination address for assured forwarding traffic—for example, 192.168.44.55.
  1. Click Configure next to From.
  2. Click Add new entry next to Destination address.
  3. In the Address box, type 192.168.44.55.
  4. Click OK twice.

Enter

set from destination-address 192.168.44.55

Create the forwarding class for assured forwarding DiffServ traffic—for example, af-class.

Set the loss priority for the assured forwarding traffic class—for example, low.
  1. Click Configure next to Then.
  2. In the Forwarding class box, type af-class.
  3. From the Loss priority list, select low.
  4. Click OK twice.

From the top of the configuration hierarchy, enter

edit firewall filter mf-classifier term assured-forwarding

set then forwarding-class af-class

set then loss-priority low

Create the term for the expedited forwarding traffic class, and give it a name—for example, expedited-forwarding.
  1. Click Add new entry next to Term.
  2. In the Rule name box, type expedited-forwarding.

Enter

edit term expedited-forwarding

Create the match condition for the expedited forwarding traffic class. Use the destination address for expedited forwarding traffic—for example, 192.168.66.77.
  1. Click Configure next to From.
  2. Click Add new entry next to Destination address.
  3. In the Address box, type 192.168.66.77.
  4. Click OK twice.

Enter

set from destination-address 192.168.66.77

Create the forwarding class for expedited forwarding DiffServ traffic—for example, ef-class.

Apply the policer for the expedited forwarding traffic class. Use the EF policer previously configured for expedited forwarding DiffServ traffic—ef-policer.

(See Configuring a Policer for a Firewall Filter.)
  1. Click Configure next to Then.
  2. In the Forwarding class box, type ef-class.
  3. From the Policer choice list, select Policer.
  4. In the Policer box, type ef-policer.
  5. Click OK twice.

From the top of the configuration hierarchy, enter

edit firewall filter mf-classifier term expedited-forwarding

set then forwarding-class ef-class

set then policer ef-policer

Create the term for the network control traffic class, and give it a name—for example, network-control.
  1. Click Add new entry next to Term.
  2. In the Rule name box, type network-control.

Enter

edit term network-control

Create the match condition for the network control traffic class.
  1. Click Configure next to From.
  2. From the Precedence choice list, select Precedence.
  3. Click Add new entry next to Precedence.
  4. From the Value keyword list, select net-control.
  5. Click OK twice.

Enter

set from traffic-class net-control

Create the forwarding class for the network control traffic class, and give it a name—for example, nc-class.
  1. Click Configure next to Then.
  2. In the Forwarding class box, type nc-class.
  3. Click OK twice.

From the top of the configuration hierarchy, enter

edit firewall filter mf-classifier term network-control

set then forwarding-class nc-class

Create the term for the best-effort traffic class, and give it a name—for example, best-effort-data.
  1. Click Add new entry next to Term.
  2. In the Rule name box, type best-effort-data.

Enter

edit term best-effort-data

Create the forwarding class for the best-effort traffic class, and give it a name—for example, be-class. (Because this is the last term in the filter, it has no match condition.)
  1. Click Configure next to Then.
  2. In the Forwarding class box, type be-class.
  3. Click OK four times.

From the top of the configuration hierarchy, enter

set then forwarding-class be-class

Navigate to the Interfaces level in the configuration hierarchy.

In the configuration editor hierarchy, select Interfaces.

From the top of the configuration hierarchy, enter

edit interfaces

Apply the multifield classifier firewall filter mf-classifier as an input filter on each customer-facing or host-facing interface that needs the filter—for example, on fe-0/0/0, unit 0.
  1. Click the Interface fe-0/0/0 and Unit 0.
  2. Click Configure next to Inet.
  3. Click Configure next to Filter.
  4. In the Input box, type mf-classifier.
  5. Click OK.

Enter

set fe-0/0/0 unit 0 family inet filter input mf-classifier

[Contents] [Prev] [Next] [Index] [Report an Error]

[an error occurred while processing this directive]