ON THIS PAGE
Example: Configuring Behavior Aggregate Classifier in PMI for vSRX instances
Example: Configuring and Applying a Firewall Filter for a Multifield Classifier in PMI
Example: Configuring and Applying Rewrite Rules on a Security Device in PMI
Understanding the Loopback Interface for a High Availability VPN
VPN Session Affinity
The performance of IPsec VPN traffic to minimize packet forwarding overhead can be optimized by enabling VPN session affinity and performance acceleration.
Understanding VPN Session Affinity
VPN session affinity occurs when a cleartext session is located in a Services Processing Unit (SPU) that is different from the SPU where the IPsec tunnel session is located. The goal of VPN session affinity is to locate the cleartext and IPsec tunnel session in the same SPU. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices.
Without VPN session affinity, a cleartext session created by a flow might be located in one SPU and the tunnel session created by IPsec might be located in another SPU. An SPU to SPU forward or hop is needed to route cleartext packets to the IPsec tunnel.
By default, VPN session affinity is disabled on SRX Series devices. When VPN session affinity is enabled, a new cleartext session is placed on the same SPU as the IPsec tunnel session. Existing cleartext sessions are not affected.
Junos OS Release 15.1X49-D10 introduces the SRX5K-MPC3-100G10G (IOC3) and the SRX5K-MPC3-40G10G (IOC3) for SRX5400, SRX5600, and SRX5800 devices.
The SRX5K-MPC (IOC2) and the IOC3 support VPN session affinity through improved flow module and session cache. With IOCs, the flow module creates sessions for IPsec tunnel-based traffic before encryption and after decryption on its tunnel-anchored SPU and installs the session cache for the sessions so that the IOC can redirect the packets to the same SPU to minimize packet forwarding overhead. Express Path (previously known as services offloading) traffic and NP cache traffic share the same session cache table on the IOCs.
To display active tunnel sessions on SPUs, use the show
security ipsec security-association command and specify the
Flexible PIC Concentrator (FPC) and Physical Interface
Card (PIC) slots that contain the SPU. For example:
user@host> show security ipsec security-association fpc 3 pic 0 Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway <131073 ESP:aes-128/sha1 18c4fd00 491/ 128000 - root 500 203.0.113.11 >131073 ESP:aes-128/sha1 188c0750 491/ 128000 - root 500 203.0.113.11
You need to evaluate the tunnel distribution and traffic patterns in your network to determine if VPN session affinity should be enabled.
Starting with Junos OS Release 12.3X48-D50, Junos OS Release 15.1X49-D90, and Junos OS Release 17.3R1, if VPN session affinity is enabled on SRX5400, SRX5600, and SRX5800 devices, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU). If the configured encryption or authentication changes, the tunnel overhead is updated on the anchor SPU when a new IPsec security association is established.
The VPN session affinity limitations are as follows:
Traffic across logical systems is not supported.
If there is a route change, established cleartext sessions remain on an SPU and traffic is rerouted if possible. Sessions created after the route change can be set up on a different SPU.
VPN session affinity only affects self traffic that terminates on the device (also known as host-inbound traffic); self traffic that originates from the device (also known as host-outbound traffic) is not affected.
Multicast replication and forwarding performance is not affected.
See Also
Enabling VPN Session Affinity
By default, VPN session affinity is disabled on SRX Series devices. Enabling VPN session affinity can improve VPN throughput under certain conditions. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices. This section describes how to use the CLI to enable VPN session affinity.
Determine if clear-text sessions are being forwarded to IPsec
tunnel sessions on a different SPU. Use the show security flow
session command to display session information about clear-text
sessions.
user@host> show security flow session Flow Sessions on FPC3 PIC0: Session ID: 60000001, Policy name: N/A, Timeout: N/A, Valid In: 203.0.113.11/6204 --> 203.0.113.6/41264;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0 Session ID: 60000002, Policy name: N/A, Timeout: N/A, Valid In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0 Session ID: 60000003, Policy name: self-traffic-policy/1, Timeout: 58, Valid In: 203.0.113.6/500 --> 203.0.113.11/500;udp, If: .local..0, Pkts: 105386, Bytes: 12026528 Out: 203.0.113.11/500 --> 203.0.113.6/500;udp, If: ge-0/0/2.0, Pkts: 106462, Bytes: 12105912 Session ID: 60017354, Policy name: N/A, Timeout: 1784, Valid In: 0.0.0.0/0 --> 0.0.0.0/0;0, If: N/A, Pkts: 0, Bytes: 0 Out: 198.51.100.156/23 --> 192.0.2.155/53051;tcp, If: N/A, Pkts: 0, Bytes: 0 Total sessions: 4 Flow Sessions on FPC6 PIC0: Session ID: 120000001, Policy name: N/A, Timeout: N/A, Valid In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0 Session ID: 120000002, Policy name: N/A, Timeout: N/A, Valid In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0 Session ID: 120031730, Policy name: default-policy-00/2, Timeout: 1764, Valid In: 192.0.2.155/53051 --> 198.51.100.156/23;tcp, If: ge-0/0/1.0, Pkts: 44, Bytes: 2399 Out: 198.51.100.156/23 --> 192.0.2.155/53051;tcp, If: st0.0, Pkts: 35, Bytes: 2449 Total sessions: 3
In the example, there is a tunnel session on FPC 3, PIC 0 and a clear-text session on FPC 6, PIC 0. A forwarding session (session ID 60017354) is set up on FPC 3, PIC 0.
Junos OS Release 15.1X49-D10 introduces session affinity support
on IOCs (SRX5K-MPC [IOC2], SRX5K-MPC3-100G10G [IOC3], and SRX5K-MPC3-40G10G
[IOC3]) and Junos OS Release 12.3X48-D30 introduces session affinity
support on IOC2. You can enable session affinity for the IPsec tunnel
session on the IOC FPCs. To enable IPsec VPN affinity, you must also
enable the session cache on IOCs by using the set chassis fpc fpc-slot np-cache command.
To enable VPN session affinity:
After enabling VPN session affinity, use the show security
flow session command to display session information about clear-text
sessions.
user@host> show security flow session Flow Sessions on FPC3 PIC0: Session ID: 60000001, Policy name: N/A, Timeout: N/A, Valid In: 203.0.113.11/6352 --> 203.0.113.6/7927;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0 Session ID: 60000002, Policy name: N/A, Timeout: N/A, Valid In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0 Session ID: 60000003, Policy name: self-traffic-policy/1, Timeout: 56, Valid In: 203.0.113.6/500 --> 203.0.113.11/500;udp, If: .local..0, Pkts: 105425, Bytes: 12031144 Out: 203.0.113.11/500 --> 203.0.113.6/500;udp, If: ge-0/0/2.0, Pkts: 106503, Bytes: 12110680 Session ID: 60017387, Policy name: default-policy-00/2, Timeout: 1796, Valid In: 192.0.2.155/53053 --> 198.51.100.156/23;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 610 Out: 198.51.100.156/23 --> 192.0.2.155/53053;tcp, If: st0.0, Pkts: 9, Bytes: 602 Total sessions: 4 Flow Sessions on FPC6 PIC0: Session ID: 120000001, Policy name: N/A, Timeout: N/A, Valid In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0 Session ID: 120000002, Policy name: N/A, Timeout: N/A, Valid In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0 Total sessions: 2
After VPN session affinity is enabled, the clear-text session is always located on FPC 3, PIC 0.
See Also
Accelerating the IPsec VPN Traffic Performance
You can accelerate IPsec VPN performance by configuring the performance acceleration parameter. By default, VPN performance acceleration is disabled on SRX Series devices. Enabling the VPN performance acceleration can improve the VPN throughput with VPN session affinity enabled. This feature is only supported on SRX5400, SRX5600, and SRX5800 devices.
This topic describes how to use the CLI to enable VPN performance acceleration.
To enable performance acceleration, you must ensure that cleartext sessions and IPsec tunnel sessions are established on the same Services Processing Unit (SPU). Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled. For more information on enabling session affinity, see Understanding VPN Session Affinity.
To enable IPsec VPN performance acceleration:
After enabling VPN performance acceleration, use the show
security flow status command to display flow status.
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: Hash-based
Flow packet ordering
Ordering mode: Hardware
Flow ipsec performance acceleration: on
See Also
IPsec Distribution Profile
Starting with Junos OS Release 19.2R1, you can configure one
or more IPsec distribution profiles for IPsec security associations
(SAs). Tunnels are distributed evenly across all resources (SPCs)
specified in the configured distribution profile. It is supported
in SPC3 only and mixed-mode (SPC3 + SPC2), it is not supported on
SPC1 and SPC2 systems. With the IPsec distribution profile, use the set security ipsec vpn vpn-name distribution-profile distribution-profile-name command to associate tunnels
to a specified:
Slot
PIC
Alternatively, you can use the default IPsec distribution profiles:
default-spc2-profile—Use this predefined default profile to associate IPsec tunnels to all available SPC2 cards.default-spc3-profile—Use this predefined default profile to associate IPsec tunnels to all available SPC3 cards.
You can now assign a profile to a specific VPN object, where all associated tunnels will be distributed based on this profile. If no profile is assigned to the VPN object, the SRX Series device automatically distributes these tunnels evenly across all resources.
You can associate a VPN object with either a user-defined profile or a predefined (default) profile.
Starting in Junos OS Release 20.2R2, the invalid thread IDs configured to the distribution profile are ignored with no commit-check error message. The IPsec tunnel gets anchored as per the configured distribution profile ignoring invalid thread IDs if any for that profile.
In the following example, all tunnels associated with profile ABC will be distributed on FPC 0, PIC 0.
userhost# show security {
distribution-profile ABC {
fpc 0 {
pic 0;
}
}
}
Improving IPsec Performance with PowerMode IPsec
PowerMode IPsec (PMI) is a new mode of operation that provides IPsec performance improvements using Vector Packet Processing and Intel AES-NI instructions. PMI utilizes a small software block inside the Packet Forwarding Engine that bypasses flow processing and utilizes the AES-NI instruction set for optimized performance of IPsec processing and is activated when PMI is enabled.
You enable PMI processing by using the set security flow
power-mode-ipsec configuration mode command.
To disable PMI processing, use the delete security flow power-mode-ipsec
configuration mode command to delete the statement from the
configuration.
For SRX4100, SRX4200 devices running Junos OS Release 18.4R1, SRX4600 devices running Junos OS Release 20.4R1, and vSRX running Junos OS Release 18.3R1 after you enable or disable the PMI, you must reboot the device for the configuration to take effect. However, for SRX5000 line devices and vSRX instances running Junos OS Release 19.2R1, reboot is not required.
MX-SPC3 services card does not support np-cache and IPsec session-affinity.
You can verify the PMI
and fat tunnel
status by using the show security flow status
operational mode command.
You can verify the PMI statistics by using the show security flow pmi statistics
operational mode command.
A tunnel session can either be PMI or non-PMI. If a session is configured with any of the non-supported features listed in Table 1 and Table 2, the session is marked as non-PMI and the tunnel will go into non-PMI mode. Once the tunnel goes into the non-PMI mode, it will not go back to the PMI mode.
Table 1 summarizes the supported and non-supported PMI features on SRX Series Devices.
|
Supported Features in PowerMode IPsec |
Non-Supported Features in PowerMode IPsec |
|---|---|
|
Internet Key Exchange (IKE) functionality |
IPsec-in-IPsec tunnels |
|
AutoVPN with traffic selectors |
Layer 4 - 7 applications: application firewall and AppSecure |
|
High availability |
GPRS tunneling protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewalls |
|
IPv6 |
Host traffic |
|
Stateful firewall |
Multicast |
|
st0 interface |
Nested tunnels |
|
Traffic selectors |
Screen options |
|
NAT-T |
DES-CBC encryption algorithm |
|
GTP-U scenario with TEID distribution and asymmetric fat tunnel solution |
3DES-CBC encryption algorithm |
|
Quality of Service (QoS) |
Application Layer Gateway (ALG) |
|
First path and fast path processing for fragment handling and unified encryption. |
|
|
NAT |
|
|
AES-GCM-128 and AES-GCM-256 encryption algorithm. We recommend you to use AES-GSM encryption algorithm for optimal performance. |
|
|
AES-CBC-128, AES-CBC-192, and AES-CBC-256 with SHA1 encryption algorithm |
|
|
AES-CBC-128, AES-CBC-192, and AES-CBC-256 with SHA2 encryption algorithm |
|
|
NULL encryption algorithm |
|
Table 2 summarizes the supported and non-supported PMI features on MX-SPC3 services card.
|
Supported Features in PowerMode IPsec |
Non-Supported Features in PowerMode IPsec |
|---|---|
|
Internet Key Exchange (IKE) functionality |
Layer 4 - 7 applications: application firewall, AppSecure, and ALGs |
|
AutoVPN with traffic selectors, ADVPN |
Multicast |
|
High availability |
Nested tunnels |
|
IPv6 |
Screen options |
|
Stateful firewall |
Application Layer Gateway (ALG) |
|
st0 interface |
|
|
Traffic selectors |
|
|
Dead Peer Detection (DPD) |
|
|
Anti-Replay check |
|
|
NAT |
|
|
Post/Pre-Fragment |
|
|
incoming clear-text fragments and ESP fragment |
|
|
AES-GCM-128 and AES-GCM-256 encryption algorithm. We recommend you to use AES-GSM encryption algorithm for optimal performance. |
|
|
AES-CBC-128, AES-CBC-192, and AES-CBC-256 with SHA1 encryption algorithm |
|
|
AES-CBC-128, AES-CBC-192, and AES-CBC-256 with SHA2 encryption algorithm |
|
|
NULL encryption algorithm |
Note the following usage considerations with PMI:
-
Antireplay window size is 64 packets by default. If you configure fat-tunnel, then it is recommended to increase the Antireplay window size to greater than or equal to 512 packets.
-
PMI does a pre-fragmentation and post-fragmentation check. If the PMI detects pre-fragmentation and post-fragmentation packets, packets are not allowed through the PMI mode. The packets will return to non-PMI mode.
-
Any fragments received on an interface will not go through PMI.
-
PMI is supported on link aggregation group (LAG) and redundant Ethernet (reth) interfaces.
-
PMI for NAT-T is supported only on SRX5400, SRX5600, SRX5800 devices equipped with SRX5K-SPC3 Services Processing Card (SPC), or with vSRX.
Starting in Junos OS Release 19.1R1, Class of Service(CoS) supports configuration of behavior aggregate (BA) classifier, multifield (MF) classifier, and rewrite-rule functions in PMI on SRX5K-SPC3 Services Processing Card (SPC) cards.
Starting in Junos OS Release 19.2R1, PowerMode IPsec (PMI) supports GTP-U scenario with TEID distribution and asymmetric fat tunnel solution.
Starting in Junos OS Release 19.3R1, GTP-U scenario with TEID distribution and asymmetric fat tunnel solution and Software Recieve Side Scaling feature on vSRX and vSRX 3.0.
Junos OS Release 19.3R1 supports options aes-128-cbc, aes-192-cbc, and aes-256-cbc on SRX4100, SRX4200, and vSRX in Power Mode IPsec mode to improve IPsec performance, along with the existing support in normal mode.
Starting in Junos OS Release 19.4R1, vSRX instances support-
-
Per-flow CoS functions for GTP-U traffic in PowerMode IPsec (PMI) mode.
-
Class of Service (CoS) features in PowerMode IPsec (PMI) mode. The following CoS features are supported in PMI mode:
-
Classifier
-
Rewrite-rule functions
-
Queuing
-
Shaping
-
Scheduling
-
Benefits of PowerMode IPsec
-
Enhances the performance of IPsec.
Configuring Security Flow PMI
The below section describes you how to configure security flow PMI.
To configure security flow PowerMode IPsec, you much enable session cache on IOCs and session affinity:
-
Enable the session cache on IOCs (IOC2 and IOC3)
user@host# set chassis fpc <fpc-slot> np-cache
-
Enable VPN session affinity
user@host# set security flow load-distribution session-affinity ipsec
-
Create security flow in PMI.
user@host#set security flow power-mode-ipsec
-
Confirm your configuration by entering the
show securitycommand.user@host# show security flow { power-mode-ipsec; }
See Also
Example: Configuring Behavior Aggregate Classifier in PMI
This example shows how to configure behavior aggregate(BA) classifiers for a SRX device to determine forwarding treatment of packets in PowerMode IPsec (PMI).
Requirements
This example uses the following hardware and software components:
SRX Series device.
Junos OS Release 19.1R1 and later releases.
Before you begin:
Determine the forwarding class and PLP that are assigned by default to each well-known DSCP that you want to configure for the behavior aggregate classifier.
Overview
Configure behavior aggregate classifiers to classify the packets
that contain valid DSCPs to appropriate queues. Once configured, you
apply the behavior aggregate classifier to the correct interfaces.
You override the default IP precedence classifier by defining a classifier
and applying it to a logical interface. To define new classifiers
for all code point types, include the classifiers statement
at the [edit class-of-service] hierarchy level.
In this example, set the DSCP behavior aggregate classifier
to ba-classifier as the default DSCP map. Set a best-effort
forwarding class as be-class, an expedited forwarding class
as ef-class, an assured forwarding class as af-class, and a network control forwarding class as nc-class.
Finally, apply the behavior aggregate classifier to the interface
ge-0/0/0.
Table 2 shows how the behavior aggregate classifier assigns loss priorities, to incoming packets in the four forwarding classes.
mf-classifier Forwarding Class |
For CoS Traffic Type |
ba-classifier Assignments |
|---|---|---|
|
Best-effort traffic |
High-priority code point: 000001 |
|
Expedited forwarding traffic |
High-priority code point: 101111 |
|
Assured forwarding traffic |
High-priority code point: 001100 |
|
Network control traffic |
High-priority code point: 110001 |
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from the configuration mode.
set class-of-service classifiers dscp ba-classifier import default set class-of-service classifiers dscp ba-classifier forwarding-class be-class loss-priority high code-points 000001 set class-of-service classifiers dscp ba-classifier forwarding-class ef-class loss-priority high code-points 101111 set class-of-service classifiers dscp ba-classifier forwarding-class af-class loss-priority high code-points 001100 set class-of-service classifiers dscp ba-classifier forwarding-class nc-class loss-priority high code-points 110001 set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp ba-classifier
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Behavior Aggregate Classifiers for a device in PMI:
Configure the class of service.
[edit] user@host# edit class-of-service
Configure behavior aggregate classifiers for Differentiated Services (DiffServ) CoS.
[edit class-of-service] user@host# edit classifiers dscp ba-classifier user@host# set import default
Configure a best-effort forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier] user@host# set forwarding-class be-class loss-priority high code-points 000001
Configure an expedited forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier] user@host# set forwarding-class ef-class loss-priority high code-points 101111
Configure an assured forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier] user@host# set forwarding-class af-class loss-priority high code-points 001100
Configure a network control forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier] user@host# set forwarding-class nc-class loss-priority high code-points 110001
Apply the behavior aggregate classifier to an interface.
[edit] user@host# set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp ba-classifier
Results
From configuration mode, confirm your configuration
by entering the show class-of-service command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show class-of-service
classifiers {
dscp ba-classifier {
import default;
forwarding-class be-class {
loss-priority high code-points 000001;
}
forwarding-class ef-class {
loss-priority high code-points 101111;
}
forwarding-class af-class {
loss-priority high code-points 001100;
}
forwarding-class nc-class {
loss-priority high code-points 110001;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
classifiers {
dscp ba-classifier;
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Classifier is applied to the Interfaces
Purpose
Make sure that the classifier is applied to the correct interfaces.
Action
From the operational mode, enter the show class-of-service
interface ge-0/0/0 command.
user@host> show class-of-service interface ge-0/0/0 Physical interface: ge-0/0/0, Index: 144 Queues supported: 8, Queues in use: 4 Scheduled map: <default>, Index:2 Congestion-notification: Disabled LOgical interface: ge-1/0/3, Index: 333 Object Name Type Index Classifier v4-ba-classifier dscp 10755
Meaning
The interfaces are configured as expected.
Example: Configuring Behavior Aggregate Classifier in PMI for vSRX instances
This example shows how to configure behavior aggregate (BA) classifiers for a vSRX instance to determine forwarding treatment of packets in PowerMode IPsec (PMI).
Requirements
This example uses the following hardware and software components:
A vSRX instance.
Junos OS Release 19.4R1 and later releases.
Before you begin:
Determine the forwarding class and Packet loss priorities(PLP) that are assigned by default to each well-known DSCP that you want to configure for the behavior aggregate classifier.
Overview
Configure behavior aggregate classifiers to classify the packets
that contain valid DSCPs to appropriate queues. Once configured, you
apply the behavior aggregate classifier to the correct interfaces.
You override the default IP precedence classifier by defining a classifier
and applying it to a logical interface. To define new classifiers
for all code point types, include the classifiers statement
at the [edit class-of-service] hierarchy level.
In this example, set the DSCP behavior aggregate classifier
to ba-classifier as the default DSCP map. Set a best-effort
forwarding class as be-class, an expedited forwarding class
as ef-class, an assured forwarding class as af-class, and a network control forwarding class as nc-class.
Finally, apply the behavior aggregate classifier to the interface
ge-0/0/0.
Table 2 shows how the behavior aggregate classifier assigns loss priorities, to incoming packets in the four forwarding classes.
mf-classifier Forwarding Class |
For CoS Traffic Type |
ba-classifier Assignments |
|---|---|---|
|
Best-effort traffic |
High-priority code point: 000001 |
|
Expedited forwarding traffic |
High-priority code point: 101111 |
|
Assured forwarding traffic |
High-priority code point: 001100 |
|
Network control traffic |
High-priority code point: 110001 |
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from the configuration mode.
set class-of-service classifiers dscp ba-classifier forwarding-class be loss-priority low code-points be set class-of-service classifiers dscp ba-classifier forwarding-class ef loss-priority low code-points ef set class-of-service classifiers dscp ba-classifier forwarding-class ef loss-priority high code-points af41 set class-of-service classifiers dscp ba-classifier forwarding-class ef loss-priority high code-points af11 set class-of-service classifiers dscp ba-classifier forwarding-class ef loss-priority high code-points af31 set class-of-service classifiers dscp ba-classifier forwarding-class low_delay loss-priority low code-points af21 set class-of-service classifiers dscp ba-classifier forwarding-class low_loss loss-priority low code-points cs6 set class-of-service drop-profiles drop_profile fill-level 20 drop-probability 50 set class-of-service drop-profiles drop_profile fill-level 50 drop-probability 100 set class-of-service forwarding-classes queue 0 be set class-of-service forwarding-classes queue 1 ef set class-of-service forwarding-classes queue 2 low_delay set class-of-service forwarding-classes queue 3 low_loss set class-of-service interfaces ge-0/0/1 unit 0 classifiers dscp ba-classifier set class-of-service interfaces ge-0/0/3 unit 0 scheduler-map SCHEDULER-MAP set class-of-service interfaces ge-0/0/3 unit 0 shaping-rate 2k set class-of-service scheduler-maps SCHEDULER-MAP forwarding-class ef scheduler voice set class-of-service schedulers voice buffer-size temporal 5k set class-of-service schedulers voice drop-profile-map loss-priority any protocol any drop-profile drop_profile
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Behavior Aggregate Classifiers for a device in PMI:
Configure the class of service.
[edit] user@host# edit class-of-service
Configure behavior aggregate classifiers for Differentiated Services (DiffServ) CoS.
[edit class-of-service] user@host# edit classifiers dscp ba-classifier
Configure a best-effort forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier] user@host# set forwarding-class be loss-priority low code-points be
Configure an expedited forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier] user@host# set forwarding-class ef-class loss-priority low code-points ef user@host# set forwarding-class ef-class loss-priority high code-points af41 user@host# set forwarding-class ef-class loss-priority high code-points af11 user@host# set forwarding-class ef-class loss-priority high code-points af31 user@host# set forwarding-class low_delay loss-priority low code-points af21 user@host# set forwarding-class low_loss loss-priority low code-points cs6
Configure drop profiles.
[edit class-of-service drop-profiles] user@host# set drop_profile fill-level 20 drop-probability 50 user@host# set drop_profile fill-level 50 drop-probability 100
Configure the forwarding classes queues.
[edit class-of-service forwarding-classes ] user@host# set queue 0 be user@host# set queue 1 ef user@host# set queue 2 low_delay user@host# set 3 low_loss
Apply the classifier to the interfaces.
[edit class-of-service] user@host# set interfaces ge-0/0/1 unit 0 classifiers dscp ba-classifier user@host# set interfaces ge-0/0/3 unit 0 scheduler-map SCHEDULER-MAP user@host# set interfaces ge-0/0/3 unit 0 shaping-rate 2k
Configure the schedulers.
[edit class-of-service] user@host# set scheduler-maps SCHEDULER-MAP forwarding-class ef scheduler voice user@host# set schedulers voice buffer-size temporal 5k user@host# set schedulers voice drop-profile-map loss-priority any protocol any drop-profile drop_profile
Results
From configuration mode, confirm your configuration
by entering the show class-of-service command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show class-of-service
classifiers {
dscp ba-classifier {
forwarding-class be {
loss-priority low code-points be;
}
forwarding-class ef {
loss-priority low code-points ef;
loss-priority high code-points [ af41 af11 af31 ];
}
forwarding-class low_delay {
loss-priority low code-points af21;
}
forwarding-class low_loss {
loss-priority low code-points cs6;
}
}
}
drop-profiles {
drop_profile {
fill-level 20 drop-probability 50;
fill-level 50 drop-probability 100;
}
}
forwarding-classes {
queue 0 be;
queue 1 ef;
queue 2 low_delay;
queue 3 low_loss;
}
interfaces {
ge-0/0/1 {
unit 0 {
classifiers {
dscp ba-classifier;
}
}
}
ge-0/0/3 {
unit 0 {
scheduler-map SCHEDULER-MAP;
shaping-rate 2k;
}
}
}
scheduler-maps {
SCHEDULER-MAP {
forwarding-class ef scheduler voice;
}
}
schedulers {
voice {
buffer-size temporal 5k;
drop-profile-map loss-priority any protocol any drop-profile drop_profile;
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Classifier is applied to the Interfaces
Purpose
Verify that the classifier is configured properly and confirm that the forwarding classes are configured correctly.
Action
From the operational mode, enter the show class-of-service
forwarding-class command.
user@host> show class-of-service forwarding-class Forwarding class ID Queue Restricted queue Fabric priority Policing priority SPU priority be 0 0 0 low normal low ef 1 1 1 low normal low low_delay 2 2 2 low normal low low_loss 3 3 3 low normal low
Meaning
The output shows the configured custom classifier settings.
Example: Configuring and Applying a Firewall Filter for a Multifield Classifier in PMI
This example shows how to configure a firewall filter to classify traffic to different forwarding class by using DSCP value and multifield (MF) classifier in PowerMode IPsec (PMI).
The classifier detects packets of interest to class of service (CoS) as they arrive on an interface. MF classifiers are used when a simple behavior aggregate (BA) classifier is insufficient to classify a packet, when peering routers do not have CoS bits marked, or the peering router’s marking is untrusted.
Requirements
This example uses the following hardware and software components:
SRX Series device.
Junos OS Release 19.1R1 and later releases.
Before you begin:
Determine the forwarding class that are assigned by default to each well-known DSCP that you want to configure for the MF classifier. See Improving IPsec Performance with PowerMode IPsec.
Overview
This example explain how to configure the firewall filter mf-classifier. To configure the MF classifier, create and name
the assured forwarding traffic class, set the match condition, and
then specify the destination address as 192.168.44.55. Create the
forwarding class for assured forwarding DiffServ traffic as af-class and set the loss priority to low.
In this example, create and name the expedited forwarding traffic
class and set the match condition for the expedited forwarding traffic
class. Specify the destination address as 192.168.66.77. Create the
forwarding class for expedited forwarding DiffServ traffic as ef-class and set the policer to ef-policer. Create
and name the network-control traffic class and set the match condition.
In this example, create and name the forwarding class for the
network control traffic class as nc-class and name the
forwarding class for the best-effort traffic class as be-class. Finally, apply the multifield classifier firewall filter as an
input and output filter on each customer-facing or host-facing that
needs the filter. In this example, the interface for input filter
is ge-0/0/2 and interface for output filter is ge-0/0/4.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from the configuration mode.
set firewall filter mf-classifier interface-specific set firewall filter mf-classifier term assured-forwarding from destination-address 192.168.44.55 set firewall filter mf-classifier term assured-forwarding then forwarding-class af-class set firewall filter mf-classifier term assured-forwarding then loss-priority low set firewall filter mf-classifier term expedited-forwarding from destination-address 192.168.66.77 set firewall filter mf-classifier term expedited-forwarding then forwarding-class ef-class set firewall filter mf-classifier term expedited-forwarding then policer ef-policer set firewall filter mf-classifier term network-control from precedence net-control set firewall filter mf-classifier term network-control then forwarding-class nc-class set firewall filter mf-classifier term best-effort then forwarding-class be-class set interfaces ge-0/0/2 unit 0 family inet filter input mf-classifier set interfaces ge-0/0/4 unit 0 family inet filter output mf-classifier
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a Firewall Filter for a Multifield Classifier for a device in PMI:
Create and name the multifield classifier filter.
[edit] user@host# edit firewall filter mf-classifier user@host# set interface-specific
Create and name the term for the assured forwarding traffic class.
[edit firewall filter mf-classifier] user@host# edit term assured-forwarding
Specify the destination address for assured forwarding traffic.
[edit firewall filter mf-classifier term assured-forwarding] user@host# set from destination-address 192.168.44.55
Create the forwarding class and set the loss priority for the assured forwarding traffic class.
[edit firewall filter mf-classifier term assured-forwarding] user@host# set then forwarding-class af-class user@host# set then loss-priority low
Create and name the term for the expedited forwarding traffic class.
[edit] user@host# edit firewall filter mf-classifier user@host# edit term expedited-forwarding
Specify the destination address for the expedited forwarding traffic.
[edit firewall filter mf-classifier term expedited-forwarding] user@host# set from destination-address 192.168.66.77
Create the forwarding class and apply the policer for the expedited forwarding traffic class.
[edit firewall filter mf-classifier term expedited-forwarding] user@host# set then forwarding-class ef-class user@host# set then policer ef-policer
Create and name the term for the network control traffic class.
[edit] user@host# edit firewall filter mf-classifier user@host# edit term network-control
Create the match condition for the network control traffic class.
[edit firewall filter mf-classifier term network-control] user@host# set from precedence net-control
Create and name the forwarding class for the network control traffic class.
[edit firewall filter mf-classifier term network-control] user@host# set then forwarding-class nc-class
Create and name the term for the best-effort traffic class.
[edit] user@host# edit firewall filter mf-classifier user@host# edit term best-effort
Create and name the forwarding class for the best-effort traffic class.
[edit firewall filter mf-classifier term best-effort] user@host# set then forwarding-class be-class
Apply the multifield classifier firewall filter as an input filter.
[edit] user@host# set interfaces ge-0/0/2 unit 0 family inet filter input mf-classifier
Apply the multifield classifier firewall filter as an output filter.
[edit] user@host# set interfaces ge-0/0/4 unit 0 family inet filter output mf-classifier
Results
From configuration mode, confirm your configuration
by entering the show firewall filter mf-classifier command.
If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.
[edit]
user@host# show firewall filter mf-classifier
interface-specific;
term assured-forwarding {
from {
destination-address {
192.168.44.55/32;
}
}
then {
loss-priority low;
forwarding-class af-class;
}
}
term expedited-forwarding {
from {
destination-address {
192.168.66.77/32;
}
}
then {
policer ef-policer;
forwarding-class ef-class;
}
}
term network-control {
from {
precedence net-control;
}
then forwarding-class nc-class;
}
term best-effort {
then forwarding-class be-class;
}
From configuration mode, confirm your configuration by entering
the show interfaces command. If the output does not display
the intended configuration, repeat the configuration instructions
in this example to correct it.
[edit]
user@host# show show interfaces
ge-0/0/2 {
unit 0 {
family inet {
filter {
input mf-classifier;
}
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
filter {
output mf-classifier;
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying a Firewall Filter for a Multifield Classifier Configuration
Purpose
Verify that a firewall filter for a multifield classifier is configured properly on a device and confirm that the forwarding classes are configured correctly.
Action
From configuration mode, enter the show class-of-service
forwarding-class command.
user@host> show class-of-service forwarding-class Forwarding class ID Queue Restricted queue Fabric priority Policing priority SPU priority BE-data 0 0 0 low normal low Premium-data 1 1 1 low normal low Voice 2 2 2 low normal low NC 3 3 3 low normal low
Meaning
The output shows the configured custom classifier settings.
Example: Configuring and Applying Rewrite Rules on a Security Device in PMI
This example shows how to configure and apply rewrite rules for a device in PowerMode IPsec (PMI).
Requirements
This example uses the following hardware and software components:
SRX Series device.
Junos OS Release 19.1R1 and later releases.
Before you begin:
Create and configure the forwarding classes. See Improving IPsec Performance with PowerMode IPsec.
Overview
This example explains how to configure rewrite rules to replace CoS values on packets received from the customer or host with the values expected by other SRX devices. You do not have to configure rewrite rules if the received packets already contain valid CoS values. Rewrite rules apply the forwarding class information and packet loss priority used internally by the device to establish the CoS value on outbound packets. After you configure the rewrite rules, apply them to the correct interfaces.
In this example, configure the rewrite rule for DiffServ CoS
as rewrite-dscps. Specify the best-effort forwarding class
as be-class, expedited forwarding class as ef-class, an assured forwarding class as af-class, and a network
control class as nc-class. Finally, apply the rewrite rule
to the ge-0/0/0 interface.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from the configuration mode.
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class be-class loss-priority low code-point 000000 set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class be-class loss-priority high code-point 000001 set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class ef-class loss-priority low code-point 101110 set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class ef-class loss-priority high code-point 101111 set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class af-class loss-priority low code-point 001010 set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class af-class loss-priority high code-point 001100 set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class nc-class loss-priority low code-point 110000 set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class nc-class loss-priority high code-point 110001 set class-of-service interfaces ge-0/0/0 unit 0 rewrite-rules dscp rewrite-dscps
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure and apply Rewrite Rules for a device in PMI:
Configure rewrite rules for DiffServ CoS.
[edit] user@host# edit class-of-service user@host# edit rewrite-rules dscp rewrite-dscps
Configure best-effort forwarding class rewrite rules.
[edit class-of-service rewrite-rules dscp rewrite-dscps] user@host# set forwarding-class be-class loss-priority low code-point 000000 user@host# set forwarding-class be-class loss-priority high code-point 000001
Configure expedited forwarding class rewrite rules.
[edit class-of-service rewrite-rules dscp rewrite-dscps] user@host# set forwarding-class ef-class loss-priority low code-point 101110 user@host# set forwarding-class ef-class loss-priority high code-point 101111
Configure an assured forwarding class rewrite rules.
[edit class-of-service rewrite-rules dscp rewrite-dscps] user@host# set forwarding-class af-class loss-priority low code-point 001010 user@host# set forwarding-class af-class loss-priority high code-point 001100
Configure a network control class rewrite rules.
[edit class-of-service rewrite-rules dscp rewrite-dscps] user@host# set forwarding-class nc-class loss-priority low code-point 110000 user@host# set forwarding-class nc-class loss-priority high code-point 110001
Apply rewrite rules to an interface.
[edit class-of-service] user@host# set interfaces ge-0/0/0 unit 0 rewrite-rules dscp rewrite-dscps
Results
From configuration mode, confirm your configuration
by entering the show class-of-service command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show class-of-service
interfaces {
ge-0/0/0 {
unit 0 {
rewrite-rules {
dscp rewrite-dscps;
}
}
}
}
rewrite-rules {
dscp rewrite-dscps {
forwarding-class be-class {
loss-priority low code-point 000000;
loss-priority high code-point 000001;
}
forwarding-class ef-class {
loss-priority low code-point 101110;
loss-priority high code-point 101111;
}
forwarding-class af-class {
loss-priority low code-point 001010;
loss-priority high code-point 001100;
}
forwarding-class nc-class {
loss-priority low code-point 110000;
loss-priority high code-point 110001;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Rewrite Rules Configuration
Purpose
Verify that rewrite rules are configured properly.
Action
From the operational mode, enter the show class-of-service command.
user@host> show class-of-service Physical interface: ge-0/0/0, Index: 130 Maximum usable queues: 8, Queues in use: 4 Scheduled map: <default>, Index:2 Congestion-notification: Disabled LOgical interface: ge0/0/0, Index: 71 Object Name Type Index Classifier ipprec-compatibility ip 13
Meaning
Rewrite rules are configured on ge-0/0/0 interface as expected.
Configure IPsec ESP Authentication-only Mode in PMI
The PowerMode IPsec (PMI) introduced a new data path for achieving a high IPsec throughput performance. Starting in Junos OS Release 19.4R1, on SRX5000 Series devices with SRX5K-SPC3 card, you can use Encapsulating Security Payload (ESP) authentication-only mode in PMI mode, which provides authentication, integrity checking, and replay protection without encrypting the data packets.
Before you begin:
Make sure that the session is PMI capable. See VPN Session Affinity.
To configure ESP authentication-only mode:
See Also
Understanding the Loopback Interface for a High Availability VPN
In an IPsec VPN tunnel configuration, an external interface must be specified to communicate with the peer IKE gateway. Specifying a loopback interface for the external interface of a VPN is a good practice when there are multiple physical interfaces that can be used to reach a peer gateway. Anchoring a VPN tunnel on the loopback interface removes the dependency on a physical interface for successful routing.
Using a loopback interface for VPN tunnels is supported on standalone SRX Series devices as well as on SRX Series devices in chassis clusters. In a chassis cluster active-passive deployment, you can create a logical loopback interface and make it a member of a redundancy group so that it can be used to anchor VPN tunnels. The loopback interface can be configured in any redundancy group and is assigned as the external interface for the IKE gateway. VPN packets are processed on the node where the redundancy group is active.
On SRX5400, SRX5600, and SRX5800 devices, if the loopback interface is used as the IKE gateway external interface, it must be configured in a redundancy group other than RG0.
In a chassis cluster setup, the node on which the external interface is active selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are processed on that SPU. Thus an active external interface determines the anchor SPU.
You can use the show chassis cluster interfaces command
to view information on the redundant pseudointerface.