You can configure firewall filters to assign packet loss priority (PLP) and forwarding
classes so that if congestion occurs, the marked packets can be dropped according to the priority
you set. The valid match conditions are one or more of the six packet header fields: destination
address, source address, IP protocol, source port, destination port, and DSCP. In other words,
you can set the forwarding class and the PLP for each packet entering an
interface with a specific destination address, source address, IP protocol, source port, destination
port, or DSCP.
Note: Junos OS assigns forwarding classes and PLP on ingress only. Do not use a filter
that assigns forwarding classes or PLP as an egress filter.
When tricolor marking is enabled, a switch supports four PLP designations: low, medium-low, medium-high, and high. You can also specify
any of the forwarding classes listed in Table 1.

Table 1: Unicast Forwarding Classes

| Unicast Forwarding Class | For CoS Traffic Type |
|---|---|
| be | Best-effort traffic |
| no-loss | Guaranteed delivery for TCP traffic |
| fcoe | Guaranteed delivery for Fibre Channel over Ethernet (FCoE) traffic |
| nc | Network-control traffic |

To assign forwarding classes in firewall filters:
- Configure the family address type and filter name:
[edit]
user@switch# edit firewall family ethernet-switching filter ingress-filter
- Configure the terms of the filter as appropriate, including the forwarding-class and loss-priority action modifiers. For example, each of the following terms in
the filter examines various packet header fields and assigns the appropriate forwarding class
and packet loss priority:
The term corp-traffic matches all IPv4 packets with a 10.1.1.0/24 source address and assigns the packets to forwarding class no-loss with a loss
priority of low:
[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term corp-traffic from source-address 10.1.1.0/24
user@switch# set term corp-traffic then forwarding-class no-loss
user@switch# set term corp-traffic then loss-priority low
The term data-traffic matches all IPv4 packets with a 10.1.2.0/24 source address and assigns the packets to forwarding class be (best effort) with
a loss priority of medium-high:
[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term data-traffic from source-address 10.1.2.0/24
user@switch# set term data-traffic then forwarding-class be
user@switch# set term data-traffic then loss-priority medium-high
Because the loss of network-generated packets can jeopardize proper network operation,
delaying these packets is preferable to discarding them. The term network-traffic assigns packets with an IP precedence of net-control to forwarding class nc (network control) with a loss priority of low:
[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term network-traffic from precedence net-control
user@switch# set term network-traffic then forwarding-class nc
user@switch# set term network-traffic then loss-priority low
The last term, accept-traffic, matches any packets that did not match
any of the preceding terms and assigns the packets to forwarding class be with a
loss priority of high:
[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term accept-traffic then forwarding-class be
user@switch# set term accept-traffic then loss-priority high
- Apply the filter ingress-filter to a port, VLAN, or Layer 3 interface.
For information about applying the filter, see Configuring Firewall
Filters. (Assigning forwarding classes and PLP is supported only on ingress filters.)
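
The following is an added example, not Juniper code: a simplified Python model of the four terms above that shows which forwarding class and PLP sample packets receive, including a net-control packet sourced from 10.1.1.0/24 that is claimed by corp-traffic before network-traffic is reached. It assumes terms are evaluated in configured order and the first matching term ends evaluation; the packet dictionaries, function names, and sample addresses are constructed for illustration.

```python
import ipaddress

# Terms of ingress-filter in configured order: (name, match, forwarding class, PLP).
# An empty match has no "from" clause and therefore matches every packet.
INGRESS_FILTER = [
    ("corp-traffic",    {"source-address": "10.1.1.0/24"}, "no-loss", "low"),
    ("data-traffic",    {"source-address": "10.1.2.0/24"}, "be",      "medium-high"),
    ("network-traffic", {"precedence": 7},                 "nc",      "low"),  # net-control = 7
    ("accept-traffic",  {},                                "be",      "high"),
]


def term_matches(match, packet):
    """Return True when every condition in the term's match clause holds."""
    for field, wanted in match.items():
        if field == "source-address":
            if ipaddress.ip_address(packet["src"]) not in ipaddress.ip_network(wanted):
                return False
        elif field == "precedence":
            # IP precedence is the top three bits of the ToS byte.
            if packet.get("tos", 0) >> 5 != wanted:
                return False
        else:
            raise ValueError(f"unsupported match condition: {field}")
    return True


def classify(packet, terms=INGRESS_FILTER):
    """Return (term, forwarding class, PLP) for the first term that matches."""
    for name, match, fwd_class, plp in terms:
        if term_matches(match, packet):
            return name, fwd_class, plp
    return None  # only reachable if the catch-all term is removed


# Constructed sample packets: source address and ToS byte only.
SAMPLES = [
    {"src": "10.1.1.20", "tos": 0x00},
    {"src": "10.1.2.7", "tos": 0x00},
    {"src": "192.0.2.1", "tos": 0xE0},    # precedence 7, outside both subnets
    {"src": "10.1.1.20", "tos": 0xE0},    # precedence 7, but inside 10.1.1.0/24
    {"src": "198.51.100.9", "tos": 0x00},
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", classify(pkt))
```

If network-control packets from the corporate subnet must land in nc, the model shows that network-traffic has to be placed ahead of corp-traffic.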