
Configuring and Applying a Firewall Filter for a Multifield Classifier

You configure a multifield (MF) classifier to detect packets of interest to CoS and assign the packet to the proper forwarding class independently of the DiffServ code point (DSCP). To configure a multifield classifier on a customer-facing or host-facing link, configure a firewall filter to classify traffic. Packets are classified as they arrive on an interface.

One common way to detect packets of CoS interest is by source or destination address. The destination address is used in this example, but many other matching criteria for packet detection are available to firewall filters.

This example shows how to configure the firewall filter mf-classifier and apply it to the Services Router's Fast Ethernet interface fe-0/0/0. The firewall filter consists of the rules (terms) listed in Table 118.

Table 118: Sample mf-classifier Firewall Filter Terms

| Rule (Term) | Purpose | Contents |
| --- | --- | --- |
| assured-forwarding | Detects packets destined for 192.168.44.55, assigns them to an assured forwarding class, and gives them a low likelihood of being dropped. | Match condition: destination address 192.168.44.55; Forwarding class: af-class; Loss priority: low |
| expedited-forwarding | Detects packets destined for 192.168.66.77, assigns them to an expedited forwarding class, and subjects them to the EF policer configured in Configuring a Policer for a Firewall Filter. | Match condition: destination address 192.168.66.77; Forwarding class: ef-class; Policer: ef-policer |
| network-control | Detects packets with a network control precedence and forwards them to the network control class. | Match condition: precedence net-control; Forwarding class: nc-class |
| best-effort-data | Detects all other packets and assigns them to the best effort class. | Forwarding class: be-class |

For more information about firewall filters, see Configuring Stateless Firewall Filters and the JUNOS Policy Framework Configuration Guide.

To configure a firewall filter for a multifield classifier for the Services Router:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 119.
  3. Go on to Assigning Forwarding Classes to Output Queues.

Table 119: Configuring and Applying a Firewall Filter for a Multifield Classifier

Each task is followed by its J-Web Configuration Editor steps and then its CLI Configuration Editor commands.

Navigate to the Firewall level in the configuration hierarchy.

  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Firewall, click Configure or Edit.

From the [edit] hierarchy level, enter

edit firewall

Create the multifield classifier filter and name it—for example, mf-classifier.

  1. Click Add new entry next to Filter.
  2. In the Filter name box, type mf-classifier.
  3. Select the check box next to Interface specific.

Enter

edit filter mf-classifier

set interface-specific

Create the term for the assured forwarding traffic class, and give it a name—for example, assured-forwarding.

  1. Click Add new entry next to Term.
  2. In the Rule name box, type assured-forwarding.

Enter

edit term assured-forwarding

Create the match condition for the assured forwarding traffic class. Use the destination address for assured forwarding traffic—for example, 192.168.44.55.

  1. Click Configure next to From.
  2. Click Add new entry next to Destination address.
  3. In the Address box, type 192.168.44.55.
  4. Click OK twice.

Enter

set from destination-address 192.168.44.55

Create the forwarding class for assured forwarding DiffServ traffic—for example, af-class.

Set the loss priority for the assured forwarding traffic class—for example, low.

  1. Click Configure next to Then.
  2. In the Forwarding class box, type af-class.
  3. From the Loss priority list, select low.
  4. Click OK twice.

Enter

set then forwarding-class af-class

set then loss-priority low

Create the term for the expedited forwarding traffic class, and give it a name—for example, expedited-forwarding.

  1. Click Add new entry next to Term.
  2. In the Rule name box, type expedited-forwarding.

From the [edit firewall filter mf-classifier] hierarchy level, enter

edit term expedited-forwarding

Create the match condition for the expedited forwarding traffic class. Use the destination address for expedited forwarding traffic—for example, 192.168.66.77.

  1. Click Configure next to From.
  2. Click Add new entry next to Destination address.
  3. In the Address box, type 192.168.66.77.
  4. Click OK twice.

Enter

set from destination-address 192.168.66.77

Create the forwarding class for expedited forwarding DiffServ traffic—for example, ef-class.

Apply the policer for the expedited forwarding traffic class. Use the EF policer previously configured for expedited forwarding DiffServ traffic—ef-policer.

(See Configuring a Policer for a Firewall Filter.)

  1. Click Configure next to Then.
  2. In the Forwarding class box, type ef-class.
  3. From the Policer choice list, select Policer.
  4. In the Policer box, type ef-policer.
  5. Click OK twice.

Enter

set then forwarding-class ef-class

set then policer ef-policer

Create the term for the network control traffic class, and give it a name—for example, network-control.

  1. Click Add new entry next to Term.
  2. In the Rule name box, type network-control.

From the [edit firewall filter mf-classifier] hierarchy level, enter

edit term network-control

Create the match condition for the network control traffic class.

  1. Click Configure next to From.
  2. From the Precedence choice list, select Precedence.
  3. Click Add new entry next to Precedence.
  4. From the Value keyword list, select net-control.
  5. Click OK twice.

Enter

set from precedence net-control

Create the forwarding class for the network control traffic class, and give it a name—for example, nc-class.

  1. Click Configure next to Then.
  2. In the Forwarding class box, type nc-class.
  3. Click OK twice.

Enter

set then forwarding-class nc-class

Create the term for the best-effort traffic class, and give it a name—for example, best-effort-data.

  1. Click Add new entry next to Term.
  2. In the Rule name box, type best-effort-data.

From the [edit firewall filter mf-classifier] hierarchy level, enter

edit term best-effort-data

Create the forwarding class for the best-effort traffic class, and give it a name—for example, be-class. (Because this is the last term in the filter, it has no match condition.)

  1. Click Configure next to Then.
  2. In the Forwarding class box, type be-class.
  3. Click OK four times.

Enter

set then forwarding-class be-class

Navigate to the Interfaces level in the configuration hierarchy.

On the main Configuration page next to Interfaces, click Configure or Edit.

From the [edit] hierarchy level, enter

edit interfaces

Apply the multifield classifier firewall filter mf-classifier as an input filter on each customer-facing or host-facing interface that needs the filter—for example, on fe-0/0/0, unit 0.

  1. Click the Interface fe-0/0/0 and Unit 0.
  2. Click Configure next to Inet.
  3. Click Configure next to Filter.
  4. From the Input choice list, select Input.
  5. In the Input box, type mf-classifier.
  6. Click OK.

Enter

set fe-0/0/0 unit 0 family inet filter input mf-classifier
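
The order of the four terms decides how a packet is classified. The following Python model of the finished mf-classifier filter is an added example, not Juniper code or part of the original page; the names classify and term_matches and the sample packets are constructed for illustration. It assumes standard Junos filter semantics: terms are evaluated in order, a term without a from clause matches every packet, and a packet that matches no term is discarded.

```python
import ipaddress

# The mf-classifier terms from this page, in configured order.
# "from": None means the term has no match condition and matches every packet.
MF_CLASSIFIER = [
    {"term": "assured-forwarding",
     "from": {"destination-address": "192.168.44.55"},
     "then": {"forwarding-class": "af-class", "loss-priority": "low"}},
    {"term": "expedited-forwarding",
     "from": {"destination-address": "192.168.66.77"},
     "then": {"forwarding-class": "ef-class", "policer": "ef-policer"}},
    {"term": "network-control",
     "from": {"precedence": "net-control"},
     "then": {"forwarding-class": "nc-class"}},
    {"term": "best-effort-data",
     "from": None,
     "then": {"forwarding-class": "be-class"}},
]
NET_CONTROL = 7  # IP precedence 7: top three bits of the ToS byte are 111

def term_matches(conditions, dst, tos):
    """Every condition in a term's from clause must hold (logical AND)."""
    if conditions is None:
        return True
    if "destination-address" in conditions:
        net = ipaddress.ip_network(conditions["destination-address"])
        if ipaddress.ip_address(dst) not in net:
            return False
    if conditions.get("precedence") == "net-control" and (tos >> 5) != NET_CONTROL:
        return False
    return True

def classify(dst, tos, terms=MF_CLASSIFIER):
    """Return (term name, actions) of the first term that matches the packet."""
    for term in terms:
        if term_matches(term["from"], dst, tos):
            return term["term"], term["then"]
    # No term matched: the filter's implicit final action drops the packet.
    return "implicit-discard", None

if __name__ == "__main__":
    # Constructed sample packets: (destination address, ToS byte)
    for dst, tos in [("192.168.44.55", 0x00), ("192.168.66.77", 0xB8),
                     ("10.0.0.1", 0xE0), ("192.168.44.55", 0xE0), ("10.0.0.1", 0x00)]:
        print(dst, hex(tos), classify(dst, tos))
```

A packet to 192.168.44.55 that carries precedence net-control is placed in af-class, because the assured-forwarding term is evaluated before the network-control term. Without the final best-effort-data term, any packet that matched none of the first three terms would be dropped rather than classified.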

