Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Example: Configuring and Applying a Firewall Filter for a Multifield Classifier

This example shows how to configure a firewall filter to classify traffic using a multifield classifier. The classifier detects packets of interest to class of service (CoS) as they arrive on an interface. Multifield classifiers are used when a simple behavior aggregate (BA) classifier is insufficient to classify a packet, when peering routers do not have CoS bits marked, or the peering router’s marking is untrusted.


To verify this procedure, this example uses a traffic generator. The traffic generator can be hardware-based or it can be software running on a server or host machine.

The functionality in this procedure is widely supported on devices that run Junos OS. The example shown here was tested and verified on MX Series routers running Junos OS Release 10.4.


A classifier is a software operation that inspects a packet as it enters the router or switch. The packet header contents are examined, and this examination determines how the packet is treated when the network becomes too busy to handle all of the packets and you want your devices to drop packets intelligently, instead of dropping packets indiscriminately. One common way to detect packets of interest is by source port number. The TCP port numbers 80 and 12345 are used in this example, but many other matching criteria for packet detection are available to multifield classifiers, using firewall filter match conditions. The configuration in this example specifies that TCP packets with source port 80 are classified into the BE-data forwarding class and queue number 0. TCP packets with source port 12345 are classified into the Premium-data forwarding class and queue number 1.

Multifield classifiers are typically used at the network edge as packets enter an autonomous system (AS).

In this example, you configure the firewall filter mf-classifier and specify some custom forwarding classes on Device R1. In specifying the custom forwarding classes, you also associate each class with a queue.

The classifier operation is shown in Figure 1.

Figure 1: Multifield Classifier Based on TCP Source PortsMultifield Classifier Based on TCP Source Ports

You apply the multifield classifier’s firewall filter as an input filter on each customer-facing or host-facing interface that needs the filter. The incoming interface is ge-1/0/1 on Device R1. The classification and queue assignment is verified on the outgoing interface. The outgoing interface is Device R1’s ge-1/0/9 interface.


Figure 2 shows the sample network.

Figure 2: Multifield Classifier ScenarioMultifield Classifier Scenario

CLI Quick Configuration shows the configuration for all of the Juniper Networks devices in Figure 2.

Step-by-Step Procedure describes the steps on Device R1.

Classifiers are described in more detail in the following Juniper Networks Learning Byte video.



CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Device R1

Device R2

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure Device R1:

  1. Configure the device interfaces.

  2. Configure the custom forwarding classes and associated queue numbers.

  3. Configure the firewall filter term that places TCP traffic with a source port of 80 (HTTP traffic) into the BE-data forwarding class, associated with queue 0.

  4. Configure the firewall filter term that places TCP traffic with a source port of 12345 into the Premium-data forwarding class, associated with queue 1.

  5. At the end of your firewall filter, configure a default term that accepts all other traffic.

    Otherwise, all traffic that arrives on the interface and is not explicitly accepted by the firewall filter is discarded.

  6. Apply the firewall filter to the ge-1/0/1 interface as an input filter.


From configuration mode, confirm your configuration by entering the show interfaces, show class-of-service, show firewall commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.


Confirm that the configuration is working properly.

Checking the CoS Settings


Confirm that the forwarding classes are configured correctly.


From Device R1, run the show class-of-service forwardng-classes command.


The output shows the configured custom classifier settings.

Sending TCP Traffic into the Network and Monitoring the Queue Placement


Make sure that the traffic of interest is sent out the expected queue.


  1. Clear the interface statistics on Device R1’s outgoing interface.

  2. Use a traffic generator to send 50 TCP port 80 packets to Device R2 or to some other downstream device.

  3. On Device R1, check the queue counters.

    Notice that you check the queue counters on the downstream output interface, not on the incoming interface.

  4. Use a traffic generator to send 50 TCP port 12345 packets to Device R2 or to some other downstream device.

  5. On Device R1, check the queue counters.


The output shows that the packets are classified correctly. When port 80 is used in the TCP packets, queue 0 is incremented. When port 12345 is used, queue 1 is incremented.