Application-Based Multipath Routing
Application-Based Multipath Routing Overview
Traffic for video and voice are sensitive to packet loss, latency and jitter. Packet loss directly leads to degradation in the quality of voice and video calls. in voice or video calls.
To ensure timely delivery of these sensitive application traffic, application-based multipath routing (also referred as multipath routing in this document) is supported on SRX Series Firewalls to allow the sending device to create copies of packets, send each copy through two or more WAN links.
Multipath identifies two or more paths based on the SLA configuration and sends out a copy of the original traffic on all the identified paths.
On the other end, among the multiple copies of the packet received, the receiving device selects the first received packet and drops the subsequent ones. On the receiving device, while the copy of the packet is in progress, multipath calculates the jitter and packet loss for the combined links and then estimates the jitter and packet loss for the same traffic on individual links. You can compare the reduction in packet loss when combined links are used instead of individual links used for traffic.
Sending the multiple copies of the application traffic ensures that if there is a packet loss or delay, the other link might still deliver the packet to the endpoint.
SRX Series Firewalls support application-based multipath routing starting in Junos OS Release 15.1X49-D160 in standalone mode.
SRX Series Firewalls support application-based multipath routing starting in Junos OS Release 19.2R1 and Junos OS Release 15.1X49-D170 in chassis cluster mode.
Multipath routing leverages following functionality:
-
Application identification details from Deep Packet Inspection(DPI)
-
APBR functionality for packet forwarding feature
-
AppQoE service for SLA association.
- Supported Use Cases
- Limitations
- Benefits of Multipath Routing
- Understanding Workflow in Multipath Routing
Supported Use Cases
-
SD-WAN hub and spoke topology
-
SD-WAN mesh topology
Limitations
-
All the selected WAN links must be of ECMP paths for a destination.
-
All the selected WAN interfaces which need to be a part of multipath routing sessions must belong to one single zone
-
Multipath routing feature is supported only between two book-ended security devices.
Benefits of Multipath Routing
-
Multipath support in SD-WAN uses case enhances application experience by reducing packet loss, faster delivery of the packet, and less jitter that results in better quality of service for the traffic especially for the voice and video traffic.
Understanding Workflow in Multipath Routing
The following sequences are involved in applying multipath routing:
-
Junos OS application identification identifies applications and once an application is identified, its information is saved in the application system cache (ASC).
-
Application policy-based routing (APBR) queries the application system cache (ASC) module to get the application attributes details.
-
APBR uses the application details to look for a matching rule in the APBR profile (application profile). If a matching rule is found, the traffic is redirected to the specified routing instance for the route lookup.
-
AppQoE checks whether an SLA is enabled for a session. If the session is candidate for an SLA measurement, and if multipath routing is configured, then multipath routing is triggered.
-
Based on the SLA rule, multipath routing obtains the underlay link types and corresponding overlays on which packet duplication needs to be performed. Multipath routing can be triggered based on the configuration of an SLA rule. When multipath routing is configured within an SLA rule for a specific application, AppQoE functionality is disabled for all sessions of that application matching the SLA rule.
-
Based on the application traffic and the configured bandwidth limit, multipath identifies two or more paths and triggers a copy of the original traffic on all the identified paths. Multipath routing path selection is done on the overlay paths. The parameters to limit the bandwidth is based on the underlay link-speed and selection is based on link-type.
-
On the receiving device, while the copy of the packet is in progress, multipath calculates the jitter and packet loss for the combined links and then estimates the jitter and packet-loss for same traffic on individual links.
-
On the receiving device, multipath routing accepts packets of a session arriving through different links, maintain sequence of a packet arriving on different CoS queues, and drop any duplicates.
Multipath routing copies packets on all the links belonging to a rule till the bandwidth limit is reached. The bandwidth limit is calculated based on the least link speed identified for that rule. This is applicable for all the sessions for all the applications which match that multipath routing rule. Once the limit is reached, multipath routing stops copying of packets and starts a timer for a time period as configured in max-time-wait option in the multipath routing configuration. When the timer expires, it restarts the copying of the packets again.
AMR Improvements
Starting in Junos OS Release 21.2R1, following enhancements are introduced for AMR:
- AMR Support for Reverse Traffic
- Queuing Mechanism for Out-of-Order Packets
- AMR Support for APBR Profile
- Link Selection
- AMR in SLA Violation Mode or Standalone Mode
- Support for IPv6 Traffic
- Support AMR over IPsec and Generic Routing Encapsulation (GRE) Sessions
AMR Support for Reverse Traffic
you can apply multipath functionality on the reverse traffic. Now both the sending device and the receiving device can create copies of packets, and send each copy through two WAN links to the destination device. This enhancement ensures uninterrupted delivery of the sensitive application traffic at both directions.
By default, AMR for the reverse traffic is disabled. You can enable it with the following CLI option:
set security advance-policy-based-routing multipath-rule rule-name enable-reverse-wing
To disable AMR for the reverse traffic, use the following CLI option:
delete security advance-policy-based-routing multipath-rule rule-name enable-reverse-wing
AMR support for the reverse wing traffic is available when the devices are operating in HA mode. Note that the packets in the queue are dropped during HA failover.
Queuing Mechanism for Out-of-Order Packets
Starting in Junos OS Release 21.2R1, queuing mechanism for the out-of-order packets at the receiving device is improved.
Previously, the AMR receiving device discarded out-of-order packets resulting in packet loss and degrade in the quality-of-service. With the queuing mechanism, when the receiving device receives out-of-order packets, it further waits for some more packets to arrive, and then buffers those packets in the queue for short duration. This buffering helps in reordering of packets and prevents discarding of packets.
AMR Support for APBR Profile
Starting in Junos OS Release 21.2R1, the security device supports AMR when used with a APBR profile configured with a APBR policy. You can create the APBR policy by defining source addresses, destination addresses, and applications as match conditions.
In the previous releases of Junos OS, you could attach an APBR profile to an incoming security zone of the ingress traffic. In this case, the APBR was applied per security zone basis.
Following example shows configuration snippet of a APBR policy by defining source addresses, destination addresses, and applications as match conditions. An SLA rule is applied for the traffic matching APBR policy rules. A multipath rule associated with the SLA rule gets applied and multipath routing functionality is enabled for the session.
set security advance-policy-based-routing multipath-rule amr-rule1 number-of-paths 2 set security advance-policy-based-routing multipath-rule amr-rule1 bandwidth-limit 30 set security advance-policy-based-routing multipath-rule amr-rule1 max-time-to-wait 60 set security advance-policy-based-routing multipath-rule amr-rule1 application junos:SSH set security advance-policy-based-routing multipath-rule amr-rule1 application junos:HTTP set security advance-policy-based-routing multipath-rule amr-rule1 link-type MPLS set security advance-policy-based-routing multipath-rule amr-rule1 link-type IP set security advance-policy-based-routing profile apbr1 rule rule1 match dynamic-application junos:RTP set security advance-policy-based-routing profile apbr1 rule rule1 then routing-instance TC1_VPN set security advance-policy-based-routing profile apbr1 rule rule1 then sla-rule sla1 set security advance-policy-based-routing sla-rule sla1 multipath-rule amr-rule1 set security zones security-zone trust advance-policy-based-routing-profile apbr1 set security advance-policy-based-routing from-zone trust policy sla_policy1 match source-address 10.4.0.1 set security advance-policy-based-routing from-zone trust policy sla_policy1 match destination-address 10.5.0.1 set security advance-policy-based-routing from-zone trust policy sla_policy1 match application junos-RTP set security advance-policy-based-routing from-zone trust policy sla_policy1 then application-services advance-policy-based-routing-profile apbr1
Link Selection
In previous releases, for application-based multipath routing, the link selection mechanism was either default (one of the first two available links) or based on the link type (IP/MPLS) configuration AppQoE underlay-interface configuration.
Starting in Junos OS Release 21.2R1, you can specify the link preference options as generic routing encapsulation (GRE) and secure tunnel (st). The device directly selects one of the specified interfaces for multipath routing.
If you have not configured the link-preference, then the AMR
selects links from the first two available links from the configured paths.
You can specify link preferences using the following CLI option:
set security advance-policy-based-routing multipath-rule rule-name link-preferences [st0.0 | st0.1}
AMR in SLA Violation Mode or Standalone Mode
Starting in Junos OS Release 21.2R1, AMR is enabled in one of the following two modes:
-
SLA violation mode—When the AppQoE detects SLA violation on all the links, it enables the AMR. AMR is disabled when SLA is met on any of the links based on the timer configuration .
-
Standalone mode—When you've configured AMR without configuring SLA metrics, then AMR is enabled independent of AppQoE status. In this mode, when bandwidth limit is reached, then AMR is paused for a default duration and then restarted.
Example:
Following is a samp configuration of an SLA metrics. SLA metrics specifies requirement parameters, which are used by AppQoE to evaluate the SLA of the link. To accomplish the SLA, AppQoE monitors the network for sources of failures or congestion. If the performance of a link is below acceptable levels as specified by the SLA, the situation is considered as an SLA violation. If the LA violation is noticed on all the links, AMR is enabled in SLA violation mode.
set security advance-policy-based-routing metrics-profile metric1 sla-threshold delay-round-trip 50000 set security advance-policy-based-routing metrics-profile metric1 sla-threshold jitter 10000 set security advance-policy-based-routing metrics-profile metric1 sla-threshold jitter-type egress-jitter set security advance-policy-based-routing metrics-profile metric1 sla-threshold packet-loss 4 set security advance-policy-based-routing metrics-profile metric1 sla-threshold match all set security advance-policy-based-routing sla-rule sla1 metrics-profile metric1
If the SLA metrics configuration (as shown in example above) is not available in the AMR configuration, then AMR is enabled in standalone mode.
Support for IPv6 Traffic
Application-based multipath routing supports IPv6 traffic:
- IPv6 traffic over IPv4 tunnels (Junos OS Release 21.2R1)
- IPv6 traffic over IPv6 tunnels (Junos OS Release 21.3R1)
Support AMR over IPsec and Generic Routing Encapsulation (GRE) Sessions
- Application-based multipath routing over direct IPsec tunnels without GRE (Junos OS Release 21.2R1)
- Application-based multipath routing over direct Generic Routing Encapsulation (GRE) tunnels without IPsec (Junos OS Release 21.2R1)
- Application-based multipath routing over direct IPsec tunnels without GRE for IPv6 traffic (Junos OS Release 21.3R1)
- Application-based multipath routing over direct GRE tunnels without IPsec for IPv6 traffic (Junos OS Release 21.3R1)
- Application-based multipath routing over MPLS-over-GRE-over-IPsec for IPv6 traffic (Junos OS Release 21.3R1)
See Also
Application-Based Multipath Routing Sample Configuration
Sample application based multipath routing configuration (hub and spoke topology)
This section covers sample application based multipath routing configuration for hub and spoke topology. The configuration uses the SLA set by the APBR and works independent of APPQoE. For APPQoE SLA, see Application Quality of Experience . You can configure the device for additional features like link selection based on preference, path selection based on link type, and multipath routing support over IPsec and GRE tunnels. Multipath routing can be configured with Contrail Service Orchestrator. See Contrail Service Orchestration (CSO) Deployment Guide for details.
Spoke side device basic configuration
user@host#set security advance-policy-based-routing profile profile1 rule r1 match dynamic-application junos:HTTPuser@host#set security advance-policy-based-routing profile profile1 rule r1 match dynamic-application junos:SIPuser@host#set security advance-policy-based-routing profile profile1 rule r1 then routing-instance TC1_VPNuser@host#set security advance-policy-based-routing profile profile1 rule r1 sla-rule sla_rule1user@host#set security advance-policy-based-routing sla-rule sla_rule1 multipath-rule mult1user@host#set security advance-policy-based-routing multipath-rule mult1 number-of-paths 2user@host#set security advance-policy-based-routing multipath-rule mult1 bandwidth-limit 90user@host#set security advance-policy-based-routing multipath-rule mult1 application junos:HTTPuser@host#set security advance-policy-based-routing multipath-rule mult1 application junos:SIP
Hub side device basic configuration
user@host#set security advance-policy-based-routing multipath-rule mult1 number-of-paths 2user@host#set security advance-policy-based-routing multipath-rule mult1 bandwidth-limit 90user@host#set security advance-policy-based-routing multipath-rule mult1 enable-reverse-winguser@host#set security advance-policy-based-routing multipath-rule mult1 application junos:HTTPuser@host#sset security advance-policy-based-routing multipath-rule mult1 application junos:SIP
Link preference configuration
user@host#set security advance-policy-based-routing multipath-rule mult1 link-preferences gr-0/0/0.0user@host#set security advance-policy-based-routing multipath-rule mult1 link-preferences gr-0/0/0.1
Link type based path selection configuration
user@host#set security advance-policy-based-routing multipath-rule mult1 link-type MPLSuser@host#set security advance-policy-based-routing multipath-rule mult1 link-type IP
Interface based configuration at application based multipath routing level
user@host#set security advance-policy-based-routing interface gr-0/0/0.0 link-tag IPuser@host#set security advance-policy-based-routing interface gr-0/0/0.1 link-tag MPLS
IPsec VPN configuration with IPv6 tunnels and IPv4 traffic at spoke side device for application based multipath routing
user@host#set groups ipsec-groups security ike proposal salausehdotp1 authentication-method pre-shared-keysuser@host#set groups ipsec-groups security ike proposal salausehdotp1 dh-group group5user@host#set groups ipsec-groups security ike proposal salausehdotp1 encryption-algorithm aes-256-gcmuser@host#set groups ipsec-groups security ike policy salauspolitiikkap1 mode mainuser@host#set groups ipsec-groups security ike policy salauspolitiikkap1 proposals salausehdotp1user@host#set groups ipsec-groups security ike policy salauspolitiikkap1 pre-shared-key ascii-text "$9$1-7ESeLxd2oGdbPQnCB1-VwYgJDi.TF/aZ"user@host#set groups ipsec-groups security ike gateway gateway1 ike-policy salauspolitiikkap1user@host#set groups ipsec-groups security ike gateway gateway1 version v2-onlyuser@host#set groups ipsec-groups security ipsec proposal salausehdotp2 protocol espuser@host#set groups ipsec-groups security ipsec proposal salausehdotp2 encryption-algorithm aes-256-gcmuser@host#set groups ipsec-groups security ipsec policy salauspolitiikkap2 perfect-forward-secrecy keys group5user@host#set groups ipsec-groups security ipsec policy salauspolitiikkap2 proposals salausehdotp2user@host#set groups ipsec-groups security ipsec vpn vpn1 df-bit clearuser@host#set groups ipsec-groups security ipsec vpn vpn1 ike ipsec-policy salauspolitiikkap2user@host#set groups ipsec-groups security ipsec vpn vpn1 establish-tunnels immediatelyuser@host#set system host-name SRX345-2user@host#set system root-authentication encrypted-password "$ABC123"user@host#set system services ssh root-login allowuser@host#set services application-identificationuser@host#set security apply-groups ipsec-groupsuser@host#set security ike gateway SRX345-1-A address fdf:a::1user@host#set security ike gateway SRX345-1-A external-interface ge-0/0/0.0user@host#set security ike gateway SRX345-1-B address fdf:b::1user@host#set security ike gateway SRX345-1-B external-interface ge-0/0/1.0user@host#set security ipsec vpn SRX345-1-A bind-interface st0.0user@host#set security ipsec vpn SRX345-1-A ike gateway SRX345-1-Auser@host#set security ipsec vpn SRX345-1-B bind-interface st0.1user@host#set security ipsec vpn SRX345-1-B ike gateway SRX345-1-Buser@host#set security application-tracking first-updateuser@host#set security application-tracking session-update-interval 1user@host#set security forwarding-options family inet6 mode flow-baseduser@host#set security forwarding-options family mpls mode flow-baseduser@host#set security flow allow-dns-replyuser@host#set security flow allow-embedded-icmpuser@host#set security flow sync-icmp-sessionuser@host#set security flow tcp-mss all-tcp mss 1300user@host#set security flow tcp-mss ipsec-vpn mss 1350user@host#set security flow tcp-session no-syn-checkuser@host#set security flow tcp-session no-syn-check-in-tunneluser@host#set security flow tcp-session no-sequence-checkuser@host#set security policies default-policy permit-alluser@host#set security zones security-zone Untrust host-inbound-traffic system-services alluser@host#set security zones security-zone Untrust host-inbound-traffic protocols alluser@host#set security zones security-zone Untrust interfaces ge-0/0/0.0user@host#set security zones security-zone Untrust interfaces ge-0/0/1.0user@host#set security zones security-zone Untrust application-trackinguser@host#set security zones security-zone Untrust enable-reverse-rerouteuser@host#set security zones security-zone trust host-inbound-traffic system-services alluser@host#set security zones security-zone trust host-inbound-traffic protocols alluser@host#set security zones security-zone trust interfaces ge-0/0/6.0user@host#set security zones security-zone trust application-trackinguser@host#set security zones security-zone trust advance-policy-based-routing-profile apbruser@host#set security zones security-zone trust enable-reverse-rerouteuser@host#set security zones security-zone VPN host-inbound-traffic system-services alluser@host#set security zones security-zone VPN host-inbound-traffic protocols alluser@host#set security zones security-zone VPN interfaces st0.0user@host#set security zones security-zone VPN interfaces st0.1user@host#set security zones security-zone VPN application-trackinguser@host#set security zones security-zone VPN enable-reverse-rerouteuser@host#set security zones security-zone test interfaces ge-0/0/7.0 host-inbound-traffic system-services alluser@host#set security zones security-zone test interfaces ge-0/0/7.0 host-inbound-traffic protocols alluser@host#set security advance-policy-based-routing profile apbr rule r1 match dynamic-application junos:ICMPuser@host#set security advance-policy-based-routing profile apbr rule r1 match dynamic-application junos:SSHuser@host#set security advance-policy-based-routing profile apbr rule r1 match dynamic-application junos:ICMP-ECHOuser@host#set security advance-policy-based-routing profile apbr rule r1 then routing-instance apbruser@host#set security advance-policy-based-routing profile apbr rule r1 then sla-rule sla1user@host#set security advance-policy-based-routing sla-rule sla1 multipath-rule amr-rule1user@host#set security advance-policy-based-routing multipath-rule amr-rule1 number-of-paths 2user@host#set security advance-policy-based-routing multipath-rule amr-rule1 bandwidth-limit 30user@host#set security advance-policy-based-routing multipath-rule amr-rule1 enable-reverse-winguser@host#set security advance-policy-based-routing multipath-rule amr-rule1 max-time-to-wait 60user@host#set security advance-policy-based-routing multipath-rule amr-rule1 application junos:ICMPuser@host#set security advance-policy-based-routing multipath-rule amr-rule1 application junos:SSHuser@host#set security advance-policy-based-routing multipath-rule amr-rule1 application junos:ICMP-ECHOuser@host#set security advance-policy-based-routing multipath-rule amr-rule1 link-preferences st0.0user@host#set security advance-policy-based-routing multipath-rule amr-rule1 link-preferences st0.1user@host#set interfaces ge-0/0/0 unit 0 family inet6 address fdf:a::2/64user@host#set interfaces ge-0/0/1 unit 0 family inet6 address fdf:b::2/640user@host#set interfaces ge-0/0/6 unit 0 family inet address 10.0.12.1/24user@host#set interfaces ge-0/0/7 unit 0 family inet address 10.0.12.10/24user@host#set interfaces fxp0 unit 0 family inet address 192.168.123.2/24user@host#set interfaces st0 unit 0 family inet address 10.0.0.2/30user@host#set interfaces st0 unit 1 family inet address 10.0.1.2/30user@host#set policy-options policy-statement ecmp then load-balance per-packetuser@host#set routing-instances IPSEC protocols ospf area 0.0.0.0 interface st0.0 interface-type p2puser@host#set routing-instances IPSEC protocols ospf area 0.0.0.0 interface st0.1 interface-type p2puser@host#set routing-instances IPSEC protocols ospf area 0.0.0.0 interface ge-0/0/6.0 passiveuser@host#set routing-instances IPSEC interface ge-0/0/6.0user@host#set routing-instances IPSEC interface st0.0user@host#set routing-instances IPSEC interface st0.1user@host#set routing-instances IPSEC instance-type virtual-routeruser@host#set routing-instances IPSEC routing-options interface-routes rib-group inet apbr-groupuser@host#set routing-instances apbr instance-type forwardinguser@host#set routing-instances apbr routing-options static route 0.0.0.0/0 next-hop st0.0user@host#set routing-instances apbr routing-options static route 0.0.0.0/0 next-hop st0.1user@host#set routing-instances test interface ge-0/0/7.0user@host#set routing-instances test instance-type virtual-routeruser@host#set routing-instances test routing-options static route 0.0.0.0/0 next-hop 10.0.12.1user@host#set routing-options rib-groups apbr-group import-rib IPSEC.inet.0user@host#set routing-options rib-groups apbr-group import-rib apbr.inet.0user@host#set routing-options forwarding-table export ecmp
For GRE tunnels replace ipsec with gre. For
IPv4 tunnel, IPv4 traffic and IPv6 traffic, replace the configuration with
IPv4 and IPv6 appropriately.
Example: Configuring Application-Based Multipath Routing
This example shows how to configure multipath routing to provide quality of experience (QoE) by enabling real-time monitoring of the application traffic according to the specified SLA.
Requirements
-
Supported SRX Series Firewall with Junos OS Release 15.1X49-D160, Junos OS Release 19.2R1, or later. This configuration example is tested for Junos OS Release 15.1X49-D160.
-
Valid application identification feature license installed on a security device.
-
Appropriate security policies to enforce rules for the transit traffic, in terms of what traffic can pass through the device, and the actions that need to take place on the traffic as it passes through the device.
-
Enable application tracking support enabled for the zone. See Application Tracking.
-
Ensure that following features are configured:
Overview
To ensure uninterrupted delivery of these sensitive application traffic, application-based multipath routing is supported on security devices to allow the sending device to create copies of packets, and send each copy through two WAN links to the destination.
Multipath routing identifies two paths based on the SLA configuration and creates duplicate copy of the application traffic and sends the traffic simultaneously on different physical paths. On the receiving device, while the copy of the packet is in progress, multipath routing estimates on the reduction in jitter, RTT and packet loss and analyzes the quality of service for routing the traffic to the best link to provide SLA to the end user. This also helps in estimation on the reduction in jitter, RTT and packet loss is done. If both the copies are received on the remote end, then the first received packet is considered, and drops the subsequent ones.
Table 1 provides the details of the parameters used in this example.
|
Parameter |
Options |
Values |
|---|---|---|
|
Multipath rule (multi1) |
Number of paths |
2 |
|
bandwidth-limit |
60 |
|
|
Maximum time to wait |
60 |
|
|
Link type |
MPLS, IP |
|
|
application |
junos:YAHOO, junos:GOOGLE |
|
|
application-group |
junos:web |
|
|
SLA rule (sla1) |
Associated multipath rule |
multi1 |
|
APBR profile (apbr1) |
Match applications |
junos:YAHOO |
|
APBR rule |
rule1 |
|
|
SLA rule |
sla1 |
|
|
Underlay interface |
ge-0/0/2 and ge-0/0/3
|
In this example, you configure a multipath rules for junos:YAHOO and junos:GOOGLE application traffic. Then configure an SLA rule and associate multipath rules with multipath rule.
Next, associate the SLA rules with APBR rules created for the Yahoo application. APBR uses the application details to look for a matching rule in the APBR profile (application profile).
Multipath rule is applied on the traffic matching junos:YAHOO or junos:GOOGLE, and forwarded to and the next-hop address as specified in the routing instance.
Multipath routing obtains the underlay link types and corresponding overlays on which packet duplication is required based on the SLA rule. Based on the application traffic and the configured bandwidth limit, multipath identifies two or more paths and triggers a copy of the original traffic on all the identified paths.
When traffic reaches on receiving end, the receiving device accepts packets of a session arriving through different links, and maintains sequence of a packet arriving on different CoS queues and drops any duplicate packets.
Ensure that configuration is the same across the devices on both the sending-side and on the receiving-side device is such that devices can to act as both sender and a receiver.
Configuration
- Configure Multipath Rules for Application Traffic (Device Configured to Send Traffic)
- Configure Multipath Rules for Application Traffic (Device Configured to Receive Traffic))
Configure Multipath Rules for Application Traffic (Device Configured to Send Traffic)
Step-by-Step Procedure
Configure APBR profiles for different applications traffic and associate SLA rule and multipath rule.
-
Create routing instances.
user@host#set routing-instances TC1_VPN instance-type vrfuser@host#set routing-instances TC1_VPN route-distinguisher 10.150.0.1:101user@host#set routing-instances TC1_VPN vrf-target target:100:101user@host#set routing-instances TC1_VPN vrf-table-labeluser@host#set routing-instances TC1_VPN routing-options static route 10.19.0.0/8 next-table Default_VPN.inet.0 -
Group one or more routing tables to form a RIB group and import routes into the routing tables.
user@host#set routing-options rib-groups Default-VPN-to-TC1_VPN import-rib [ Default_VPN.inet.0 TC1_VPN.inet.0 ] -
Configure AppQoE as service. You must configure AppQoE as service for host inbound traffic for a desired zone.
user@host#set security zones security-zone untrust1 host-inbound-traffic system-services appqoe -
Create the APBR profile and define the rules.
user@host#set security advance-policy-based-routing profile apbr1 rule rule1 match dynamic-application junos:GOOGLEuser@host#set security advance-policy-based-routing profile apbr1 rule rule1 match dynamic-application junos:YAHOOuser@host#set security advance-policy-based-routing profile apbr1 rule rule1 match dynamic-application-group junos:webuser@host#set security advance-policy-based-routing profile apbr1 rule rule1 then routing-instance TC1_VPNuser@host#set security advance-policy-based-routing profile apbr1 rule rule1 then sla-rule sla1 -
Configure active probe parameters.
user@host#set security advance-policy-based-routing active-probe-params probe1 settings data-fill juniperuser@host#set security advance-policy-based-routing active-probe-params probe1 settings data-size 100user@host#set security advance-policy-based-routing active-probe-params probe1 settings probe-interval 30user@host#set security advance-policy-based-routing active-probe-params probe1 settings probe-count 30user@host#set security advance-policy-based-routing active-probe-params probe1 settings burst-size 1user@host#set security advance-policy-based-routing active-probe-params probe1 settings sla-export-interval 60user@host#set security advance-policy-based-routing active-probe-params probe1 settings dscp-code-points 000110 -
Configure metrics profile.
user@host#set security advance-policy-based-routing metrics-profile metric1 sla-threshold delay-round-trip 120000user@host#set security advance-policy-based-routing metrics-profile metric1 sla-threshold jitter 21000user@host#set security advance-policy-based-routing metrics-profile metric1 sla-threshold jitter-type egress-jitteruser@host#set security advance-policy-based-routing metrics-profile metric1 sla-threshold packet-loss 2 -
Configure underlay interfaces.
if link-type is not configured under the underlay interfaces option, the default link-type IP is used and default link-speed of 1000 Mbps is considered.
user@host#set security advance-policy-based-routing underlay-interface ge-0/0/2 unit 0 link-type MPLSuser@host#set security advance-policy-based-routing underlay-interface ge-0/0/2 unit 0 speed 800user@host#set security advance-policy-based-routing underlay-interface ge-0/0/3 unit 0 link-type MPLSuser@host#set security advance-policy-based-routing underlay-interface ge-0/0/3 unit 0 speed 500 -
Configure overlay paths.
user@host#set security advance-policy-based-routing overlay-path overlay-path1 tunnel-path local ip-address 10.40.1.2user@host#set security advance-policy-based-routing overlay-path overlay-path1 tunnel-path remote ip-address 10.40.1.1user@host#set security advance-policy-based-routing overlay-path overlay-path1 probe-path local ip-address 10.40.1.2user@host#set security advance-policy-based-routing overlay-path overlay-path1 probe-path remote ip-address 10.40.1.1user@host#set security advance-policy-based-routing overlay-path overlay-path2 tunnel-path local ip-address 10.41.1.2user@host#set security advance-policy-based-routing overlay-path overlay-path2 tunnel-path remote ip-address 10.41.1.1user@host#set security advance-policy-based-routing overlay-path overlay-path2 probe-path local ip-address 10.41.1.2user@host#set security advance-policy-based-routing overlay-path overlay-path2 probe-path remote ip-address 10.41.1.1user@host#set security advance-policy-based-routing overlay-path overlay-path3 tunnel-path local ip-address 10.42.1.2user@host#set security advance-policy-based-routing overlay-path overlay-path3 tunnel-path remote ip-address 10.42.1.1user@host#set security advance-policy-based-routing overlay-path overlay-path3 probe-path local ip-address 10.42.1.2user@host#set security advance-policy-based-routing overlay-path overlay-path3 probe-path remote ip-address 10.42.1.1 -
Configure destination path groups.
user@host#set security advance-policy-based-routing destination-path-group site1 probe-routing-instance transituser@host#set security advance-policy-based-routing destination-path-group site1 overlay-path overlay-path1user@host#set security advance-policy-based-routing destination-path-group site1 overlay-path overlay-path2user@host#set security advance-policy-based-routing destination-path-group site1 overlay-path overlay-path3 -
Configure multipath rule.
user@host#set security advance-policy-based-routing multipath-rule multi1 bandwidth-limit 60user@host#set security advance-policy-based-routing multipath-rule multi1 application junos:YAHOOuser@host#set security advance-policy-based-routing multipath-rule multi1 application junos:GOOGLEuser@host#set security advance-policy-based-routing multipath-rule multi1 application-group junos:webuser@host#set security advance-policy-based-routing multipath-rule multi1 link-type MPLSuser@host#set security advance-policy-based-routing multipath-rule multi1 link-type IPuser@host#set security advance-policy-based-routing multipath-rule multi1 max-time-to-wait 30user@host#set security advance-policy-based-routing multipath-rule multi1 number-of-paths 2 -
Configure SLA rule.
user@host#set security advance-policy-based-routing sla-rule sla1 switch-idle-time 40user@host#set security advance-policy-based-routing sla-rule sla1 metrics-profile metric1user@host#set security advance-policy-based-routing sla-rule sla1 active-probe-params probe1user@host#set security advance-policy-based-routing sla-rule sla1 passive-probe-params sampling-percentage 25user@host#set security advance-policy-based-routing sla-rule sla1 passive-probe-params violation-count 2user@host#set security advance-policy-based-routing sla-rule sla1 passive-probe-params sampling-period 60000user@host#set security advance-policy-based-routing sla-rule sla1 passive-probe-params type book-ended -
Associate an SLA rule to multipath rule.
user@host#set security advance-policy-based-routing sla-rule sla1 multipath-rule multi1
Configure Multipath Rules for Application Traffic (Device Configured to Receive Traffic))
Step-by-Step Procedure
The variables configured in this step are the same for both the sending and receiving device.
-
Configure multipath rule on the receiving device.
user@host#set security advance-policy-based-routing multipath-rule multi1 bandwidth-limit 60user@host#set security advance-policy-based-routing multipath-rule multi1 application junos:YAHOOuser@host#set security advance-policy-based-routing multipath-rule multi1 application junos:GOOGLEuser@host#set security advance-policy-based-routing multipath-rule multi1 application-group junos:webuser@host#set security advance-policy-based-routing multipath-rule multi1 link-type MPLSuser@host#set security advance-policy-based-routing multipath-rule multi1 link-type IP
Results
From configuration mode, confirm your configuration by entering the
show commands. If the output does not display the
intended configuration, repeat the configuration instructions in this
example to correct it.
Hub-side device multipath rule configuration
[edit security]user@host#show advance-policy-based-routing multipath-rule multi1 multipath-rule multi1 { bandwidth-limit 60; application [ junos:YAHOO junos:GOOGLE ]; application-group junos:web; link-type [ MPLS IP ]; number-of-paths 2; }
[edit security]user@host#show advance-policy-based-routing profile apbr1 { rule rule1 { match { dynamic-application [ junos:GOOGLE, junos:YAHOO ]; dynamic-application-group [ junos:web ]; } then { routing-instance TC1_VPN; sla-rule { sla1; } } } } active-probe-params probe1 { settings { data-fill { juniper; } data-size { 100; } probe-interval { 30; } probe-count { 30; } burst-size { 1; } sla-export-interval { 60; } dscp-code-points { 000110; } } } metrics-profile metric1 { sla-threshold { delay-round-trip { 120000; } jitter { 21000; } jitter-type { egress-jitter; } packet-loss { 2; } } } underlay-interface ge-0/0/2 { unit 0 { link-type MPLS; speed 800; } } underlay-interface ge-0/0/3 { unit 0 { link-type MPLS; speed 500; } } overlay-path overlay-path1 { tunnel-path { local { ip-address { 10.40.1.2; } } remote { ip-address { 10.40.1.1; } } } probe-path { local { ip-address { 10.40.1.2; } } remote { ip-address { 10.40.1.1; } } } } overlay-path overlay-path2 { tunnel-path { local { ip-address { 10.41.1.2; } } remote { ip-address { 10.41.1.1; } } } probe-path { local { ip-address { 10.41.1.2; } } remote { ip-address { 10.41.1.1; } } } } overlay-path overlay-path3 { tunnel-path { local { ip-address { 10.42.1.2; } } remote { ip-address { 10.42.1.1; } } } probe-path { local { ip-address { 10.42.1.2; } } remote { ip-address { 10.42.1.1; } } } } destination-path-group site1 { probe-routing-instance { transit; } overlay-path overlay-path1; overlay-path overlay-path2; overlay-path overlay-path3; } sla-rule sla1 { switch-idle-time { 40; } metrics-profile { metric1; } active-probe-params { probe1; } passive-probe-params { sampling-percentage { 25; } violation-count { 2; } sampling-period { 60000; } type { book-ended; } } multipath-rule { multi1; } } multipath-rule multi1 { bandwidth-limit 60; application [ junos:YAHOO junos:GOOGLE ]; application-group junos:web; link-type [ MPLS IP ]; number-of-paths 2; }
If you are done configuring the device, enter commit
from configuration mode.
Verification
- Displaying Multipath Rule Status
- Display Multipath Rule Statistics for An Application
- Displaying Multipath Rule Policies
- Displaying Multipath Rule Status
Displaying Multipath Rule Status
Purpose
Display the details of the multipath rule on the device configured to send traffic.
Action
From operational mode, enter the show security
advance-policy-based-routing multipath rule command.
user@host> show security advance-policy-based-routing multipath rule multi1
Multipath Rule Status:
Multipath Rule Information:
Multipath rule name multi1
Multipath rule type Packet-Copy
Multipath rule state Active
Configured number of paths 2
Configured application groups junos:web
Configured applications junos:GOOGLE, junos:YAHOO
Path Group Information:
Total path groups : 1
Path-Group-Id State Avl-Num-Paths
1 Active 3
Receiver Information:
Path Groups Information:
Total receiver path groups : 1
Path-Group-Id : 1, Avg-Pkt-Loss(%) : 0, Avg-Ingress-Jitter(us) : 171
Path Information:
Dst-IP Pkts-Rcvd Pkt-Loss(%) Ingress-Jitter(us) Reduction-Pkt-Loss(%) Reduction-Ingress-Jitter(us)
10.40.1.2 2442 0 165 0 -6
10.41.1.2 2442 0 158 0 -13
Cos Q Statistics:
Total receiver cos queues: 8
COS-Q-Id Pkts-Rcvd Out-Of-Seq-Drop
0 4884 2442
1 0 0
2 0 0
3 0 0
4 0 0
5 0 0
6 0 0
7 0 0
Meaning
The command output displays the multipath rule details.
Display Multipath Rule Statistics for An Application
Purpose
Display the details of the application traffic on the device configured to receive traffic
Action
From operational mode, enter the show security
advance-policy-based-routing multipath rule
rule-name application
application-name command.
user@host> show security advance-policy-based-routing multipath rule multi1 application junos:YAHOO
Multipath Rule Status:
Multipath Rule Information:
Multipath rule name multi1
Multipath rule type Packet-Copy
Multipath rule state Active
Configured number of paths 2
Configured applications junos:YAHOO
Sender Information:
Statistics:
Current Sessions 0
Ignored Sessions 1
Applications Matched 1
Applications Switched 0
Stopped due to Bandwidth Limit 0
Packets in path inactive state 0
Packets in path active state 627
Midstream Packets Ignored 0
Total Packets Processed 627
Total Packets Copied 627
Meaning
The command output displays the multipath rule for the application.
Displaying Multipath Rule Policies
Purpose
Display the details of the multipath rule on the device configured to send traffic.
Action
From operational mode, enter the show security
advance-policy-based-routing multipath rule command.
user@host> show security advance-policy-based-routing multipath policy statistics application junos:YAHOO multipath-name multi1 profile apbr1 rule rule1 zone trust
Sender Information:
Statistics:
Current Sessions 0
Ignored Sessions 0
Applications Matched 1
Applications Switched 0
Stopped due to Bandwidth Limit 0
Packets in path inactive state 26
Packets in path active state 2416
Less than Configured Paths 0
Midstream Packets Ignored 0
Total Packets Processed 2442
Total Packets Copied 2442
Meaning
The command output displays the details on the traffic handled with multipath rule applied.
Displaying Multipath Rule Status
Purpose
Display the details of the multipath rule on the device configured to receive traffic
Action
From operational mode, enter the show security
advance-policy-based-routing multipath rule command.
user@host> show security advance-policy-based-routing multipath rule multi1
Multipath Rule Status:
Multipath Rule Information:
Multipath rule name multi1
Multipath rule type Packet-Copy
Multipath rule state Active
Configured number of paths 2
Configured application groups junos:web
Configured applications junos:GOOGLE, junos:YAHOO
Path Group Information:
Total path groups : 1
Path-Group-Id State Avl-Num-Paths
1 Active 3
Receiver Information:
Path Groups Information:
Total receiver path groups : 1
Path-Group-Id : 1, Avg-Pkt-Loss(%) : 0, Avg-Ingress-Jitter(us) : 171
Path Information:
Dst-IP Pkts-Rcvd Pkt-Loss(%) Ingress-Jitter(us) Reduction-Pkt-Loss(%) Reduction-Ingress-Jitter(us)
10.40.1.1 2442 0 165 0 -6
10.41.1.1 2442 0 158 0 -13
Cos Q Statistics:
Total receiver cos queues: 8
COS-Q-Id Pkts-Rcvd Out-Of-Seq-Drop
0 4884 2442
1 0 0
2 0 0
3 0 0
4 0 0
5 0 0
6 0 0
7 0 0
Meaning
Output displays details related to multipath rule.