PowerMode IPSec

Example: Configuring Behavior Aggregate Classifier in PMI

This example shows how to configure behavior aggregate (BA) classifiers for an SRX Series device to determine the forwarding treatment of packets in PowerMode IPsec (PMI).

Requirements

This example uses the following hardware and software components:

  • SRX Series device.

  • Junos OS Release 19.1R1 and later releases.

Before you begin:

  • Determine the forwarding class and PLP that are assigned by default to each well-known DSCP that you want to configure for the behavior aggregate classifier.

Overview

Configure behavior aggregate classifiers to classify packets that carry valid DSCPs into the appropriate queues. Once configured, you apply the behavior aggregate classifier to the correct interfaces. You override the default IP precedence classifier by defining a classifier and applying it to a logical interface. To define new classifiers for all code point types, include the classifiers statement at the [edit class-of-service] hierarchy level.

In this example, set the DSCP behavior aggregate classifier to ba-classifier as the default DSCP map. Set a best-effort forwarding class as be-class, an expedited forwarding class as ef-class, an assured forwarding class as af-class, and a network control forwarding class as nc-class. Finally, apply the behavior aggregate classifier to the interface ge-0/0/0.

Table 1 shows how the behavior aggregate classifier assigns loss priorities to incoming packets in the four forwarding classes.

Table 1: Sample ba-classifier Loss Priority Assignments

  mf-classifier Forwarding Class | For CoS Traffic Type         | ba-classifier Assignments
  -------------------------------+------------------------------+---------------------------------
  be-class                       | Best-effort traffic          | High-priority code point: 000001
  ef-class                       | Expedited forwarding traffic | High-priority code point: 101111
  af-class                       | Assured forwarding traffic   | High-priority code point: 001100
  nc-class                       | Network control traffic      | High-priority code point: 110001

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure Behavior Aggregate Classifiers for a device in PMI:

  1. Configure the class of service.

  2. Configure behavior aggregate classifiers for Differentiated Services (DiffServ) CoS.

  3. Configure a best-effort forwarding class classifier.

  4. Configure an expedited forwarding class classifier.

  5. Configure an assured forwarding class classifier.

  6. Configure a network control forwarding class classifier.

  7. Apply the behavior aggregate classifier to an interface.

Results

From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Classifier is applied to the Interfaces

Purpose

Make sure that the classifier is applied to the correct interfaces.

Action

From the operational mode, enter the show class-of-service interface ge-0/0/0 command.

Meaning

The interfaces are configured as expected.

Example: Configuring Behavior Aggregate Classifier in PMI for vSRX instances

This example shows how to configure behavior aggregate (BA) classifiers for a vSRX instance to determine forwarding treatment of packets in PowerMode IPsec (PMI).

Requirements

This example uses the following hardware and software components:

  • A vSRX instance.

  • Junos OS Release 19.4R1 and later releases.

Before you begin:

  • Determine the forwarding class and packet loss priority (PLP) that are assigned by default to each well-known DSCP that you want to configure for the behavior aggregate classifier.

Overview

Configure behavior aggregate classifiers to classify packets that carry valid DSCPs into the appropriate queues. Once configured, you apply the behavior aggregate classifier to the correct interfaces. You override the default IP precedence classifier by defining a classifier and applying it to a logical interface. To define new classifiers for all code point types, include the classifiers statement at the [edit class-of-service] hierarchy level.

In this example, set the DSCP behavior aggregate classifier to ba-classifier as the default DSCP map. Set a best-effort forwarding class as be-class, an expedited forwarding class as ef-class, an assured forwarding class as af-class, and a network control forwarding class as nc-class. Finally, apply the behavior aggregate classifier to the interface ge-0/0/0.

Table 2 shows how the behavior aggregate classifier assigns loss priorities to incoming packets in the four forwarding classes.

Table 2: Sample ba-classifier Loss Priority Assignments

  mf-classifier Forwarding Class | For CoS Traffic Type         | ba-classifier Assignments
  -------------------------------+------------------------------+---------------------------------
  be-class                       | Best-effort traffic          | High-priority code point: 000001
  ef-class                       | Expedited forwarding traffic | High-priority code point: 101111
  af-class                       | Assured forwarding traffic   | High-priority code point: 001100
  nc-class                       | Network control traffic      | High-priority code point: 110001

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure Behavior Aggregate Classifiers for a device in PMI:

  1. Configure the class of service.

  2. Configure behavior aggregate classifiers for Differentiated Services (DiffServ) CoS.

  3. Configure a best-effort forwarding class classifier.

  4. Configure an expedited forwarding class classifier.

  5. Configure drop profiles.

  6. Configure the forwarding classes queues.

  7. Apply the classifier to the interfaces.

  8. Configure the schedulers.
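The configuration that the two BA classifier procedures above describe (the SRX one and this vSRX one, which adds drop profiles, queues and schedulers), written out as an added example rather than the page's own CLI listing. The classifier names and code points come from Table 2; queue numbers, drop-profile points, scheduler percentages and the logical unit (0) are assumed values.

```junos
/* Added example, not the page's own CLI listing. Class names and code
   points are those of Table 2; queue numbers, drop-profile points,
   scheduler percentages and logical unit 0 are assumed. */
class-of-service {
    /* Step 6: bind each custom forwarding-class name to a queue. */
    forwarding-classes {
        queue 0 be-class;
        queue 1 ef-class;
        queue 2 af-class;
        queue 3 nc-class;
    }
    /* Steps 2-4: the BA classifier. "import default" keeps the built-in
       mapping for every DSCP not listed, so unlisted code points still
       land in a defined class instead of being handled inconsistently. */
    classifiers {
        dscp ba-classifier {
            import default;
            forwarding-class be-class { loss-priority high code-points 000001; }
            forwarding-class ef-class { loss-priority high code-points 101111; }
            forwarding-class af-class { loss-priority high code-points 001100; }
            forwarding-class nc-class { loss-priority high code-points 110001; }
        }
    }
    /* Step 5: segmented drop profile for high-PLP packets (assumed points). */
    drop-profiles {
        dp-high-plp { fill-level 50 drop-probability 10; fill-level 90 drop-probability 100; }
    }
    /* Step 8: one scheduler per class; only ef-class is strict-high. */
    schedulers {
        be-sched {
            transmit-rate percent 30; buffer-size percent 30; priority low;
            drop-profile-map loss-priority high protocol any drop-profile dp-high-plp;
        }
        ef-sched { transmit-rate percent 20; buffer-size percent 20; priority strict-high; }
        af-sched { transmit-rate percent 40; buffer-size percent 40; priority medium-high; }
        nc-sched { transmit-rate percent 10; buffer-size percent 10; priority high; }
    }
    scheduler-maps {
        sm-ba {
            forwarding-class be-class scheduler be-sched;
            forwarding-class ef-class scheduler ef-sched;
            forwarding-class af-class scheduler af-sched;
            forwarding-class nc-class scheduler nc-sched;
        }
    }
    /* Step 7: classifier on the logical unit, scheduler map on the port. */
    interfaces {
        ge-0/0/0 {
            scheduler-map sm-ba;
            unit 0 { classifiers { dscp ba-classifier; } }
        }
    }
}
```

After commit, show class-of-service interface ge-0/0/0 should list ba-classifier under unit 0 and show class-of-service forwarding-class should list the four custom classes against their queues.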

Results

From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Classifier is applied to the Interfaces

Purpose

Verify that the classifier is configured properly and confirm that the forwarding classes are configured correctly.

Action

From the operational mode, enter the show class-of-service forwarding-class command.

Meaning

The output shows the configured custom classifier settings.

Example: Configuring and Applying a Firewall Filter for a Multifield Classifier in PMI

This example shows how to configure a firewall filter that classifies traffic into different forwarding classes by using the DSCP value and a multifield (MF) classifier in PowerMode IPsec (PMI).

The classifier detects packets of interest to class of service (CoS) as they arrive on an interface. MF classifiers are used when a simple behavior aggregate (BA) classifier is insufficient to classify a packet, when peering routers do not have CoS bits marked, or when the peering router's marking is untrusted.

Requirements

This example uses the following hardware and software components:

  • SRX Series device.

  • Junos OS Release 19.1R1 and later releases.

Before you begin:

Overview

This example explains how to configure the firewall filter mf-classifier. To configure the MF classifier, create and name the assured forwarding traffic class, set the match condition, and then specify the destination address as 192.168.44.55. Create the forwarding class for assured forwarding DiffServ traffic as af-class and set the loss priority to low.

In this example, create and name the expedited forwarding traffic class and set the match condition for the expedited forwarding traffic class. Specify the destination address as 192.168.66.77. Create the forwarding class for expedited forwarding DiffServ traffic as ef-class and set the policer to ef-policer. Create and name the network-control traffic class and set the match condition.

In this example, create and name the forwarding class for the network control traffic class as nc-class and name the forwarding class for the best-effort traffic class as be-class. Finally, apply the multifield classifier firewall filter as an input and output filter on each customer-facing or host-facing interface that needs the filter. In this example, the interface for the input filter is ge-0/0/2 and the interface for the output filter is ge-0/0/4.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a Firewall Filter for a Multifield Classifier for a device in PMI:

  1. Create and name the multifield classifier filter.

  2. Create and name the term for the assured forwarding traffic class.

  3. Specify the destination address for assured forwarding traffic.

  4. Create the forwarding class and set the loss priority for the assured forwarding traffic class.

  5. Create and name the term for the expedited forwarding traffic class.

  6. Specify the destination address for the expedited forwarding traffic.

  7. Create the forwarding class and apply the policer for the expedited forwarding traffic class.

  8. Create and name the term for the network control traffic class.

  9. Create the match condition for the network control traffic class.

  10. Create and name the forwarding class for the network control traffic class.

  11. Create and name the term for the best-effort traffic class.

  12. Create and name the forwarding class for the best-effort traffic class.

  13. Apply the multifield classifier firewall filter as an input filter.

  14. Apply the multifield classifier firewall filter as an output filter.
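The mf-classifier filter that the procedure above builds, written out as an added example rather than the page's own CLI listing. The class names and destination addresses are the page's; the term names, the ef-policer limits, the network-control match condition and logical unit 0 are assumptions.

```junos
/* Added example, not the page's own CLI listing. Term names, the
   ef-policer limits, the network-control match and unit 0 are assumed. */
firewall {
    /* Step 7 references ef-policer, so the policer must be defined. */
    policer ef-policer {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; }
        then discard;
    }
    filter mf-classifier {
        /* Steps 2-4: assured forwarding, matched on destination address. */
        term assured-forwarding {
            from { destination-address 192.168.44.55/32; }
            then { forwarding-class af-class; loss-priority low; accept; }
        }
        /* Steps 5-7: expedited forwarding, rate-limited by ef-policer. */
        term expedited-forwarding {
            from { destination-address 192.168.66.77/32; }
            then { forwarding-class ef-class; policer ef-policer; accept; }
        }
        /* Steps 8-10: network control. The page does not give the match
           condition; the CS6/CS7 class-selector DSCPs are assumed. */
        term network-control {
            from { dscp [ cs6 cs7 ]; }
            then { forwarding-class nc-class; accept; }
        }
        /* Steps 11-12: catch-all term. Without it the filter's implicit
           discard would drop every packet the earlier terms miss. */
        term best-effort {
            then { forwarding-class be-class; accept; }
        }
    }
}
/* Steps 13-14: input filter on ge-0/0/2, output filter on ge-0/0/4. */
interfaces {
    ge-0/0/2 { unit 0 { family inet { filter { input mf-classifier; } } } }
    ge-0/0/4 { unit 0 { family inet { filter { output mf-classifier; } } } }
}
```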

Results

From configuration mode, confirm your configuration by entering the show firewall filter mf-classifier command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying a Firewall Filter for a Multifield Classifier Configuration

Purpose

Verify that a firewall filter for a multifield classifier is configured properly on a device and confirm that the forwarding classes are configured correctly.

Action

From configuration mode, enter the show class-of-service forwarding-class command.

Meaning

The output shows the configured custom classifier settings.

Example: Configuring and Applying Rewrite Rules on a Security Device in PMI

This example shows how to configure and apply rewrite rules for a device in PowerMode IPsec (PMI).

Requirements

This example uses the following hardware and software components:

  • SRX Series device.

  • Junos OS Release 19.1R1 and later releases.

Before you begin:

Overview

This example explains how to configure rewrite rules to replace CoS values on packets received from the customer or host with the values expected by other SRX devices. You do not have to configure rewrite rules if the received packets already contain valid CoS values. Rewrite rules apply the forwarding class information and packet loss priority used internally by the device to establish the CoS value on outbound packets. After you configure the rewrite rules, apply them to the correct interfaces.

In this example, configure the rewrite rule for DiffServ CoS as rewrite-dscps. Specify the best-effort forwarding class as be-class, expedited forwarding class as ef-class, an assured forwarding class as af-class, and a network control class as nc-class. Finally, apply the rewrite rule to the ge-0/0/0 interface.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure and apply Rewrite Rules for a device in PMI:

  1. Configure rewrite rules for DiffServ CoS.

  2. Configure best-effort forwarding class rewrite rules.

  3. Configure expedited forwarding class rewrite rules.

  4. Configure assured forwarding class rewrite rules.

  5. Configure network control class rewrite rules.

  6. Apply rewrite rules to an interface.
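The rewrite-dscps rule from the procedure above, written out as an added example rather than the page's own CLI listing. The rule and class names and the ge-0/0/0 interface are the page's; the outbound code points are assumed standard DSCP values (BE 000000, EF 101110, AF11/AF12 001010/001100, CS6 110000) and unit 0 is assumed.

```junos
/* Added example, not the page's own CLI listing. Outbound code points are
   assumed standard DSCP values; unit 0 is assumed. */
class-of-service {
    rewrite-rules {
        dscp rewrite-dscps {
            /* Step 2: best effort leaves as DSCP 0 whatever its PLP. */
            forwarding-class be-class {
                loss-priority low code-point 000000;
                loss-priority high code-point 000000;
            }
            /* Step 3: expedited forwarding is marked EF. */
            forwarding-class ef-class {
                loss-priority low code-point 101110;
                loss-priority high code-point 101110;
            }
            /* Step 4: assured forwarding keeps the internal PLP visible by
               using AF11 for low and AF12 (higher drop precedence) for high. */
            forwarding-class af-class {
                loss-priority low code-point 001010;
                loss-priority high code-point 001100;
            }
            /* Step 5: network control is marked CS6. */
            forwarding-class nc-class {
                loss-priority low code-point 110000;
                loss-priority high code-point 110000;
            }
        }
    }
    /* Step 6: rewrite rules act on egress, so bind to the outbound unit. */
    interfaces {
        ge-0/0/0 { unit 0 { rewrite-rules { dscp rewrite-dscps; } } }
    }
}
```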

Results

From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Rewrite Rules Configuration

Purpose

Verify that rewrite rules are configured properly.

Action

From the operational mode, enter the show class-of-service command.

Meaning

Rewrite rules are configured on the ge-0/0/0 interface as expected.

Configure IPsec ESP Authentication-only Mode in PMI

PowerMode IPsec (PMI) introduces a new data path for achieving high IPsec throughput. Starting in Junos OS Release 19.4R1, on SRX5000 Series devices with the SRX5K-SPC3 card, you can use Encapsulating Security Payload (ESP) authentication-only mode in PMI mode, which provides authentication, integrity checking, and replay protection without encrypting the data packets.

Before you begin:

To configure ESP authentication-only mode:

  1. Configure the IPsec proposal and policy.

  2. Confirm your configuration by entering the show security ipsec command.

If you are done configuring the device, enter commit from configuration mode.
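An IPsec proposal and policy for ESP authentication-only mode, as an added example rather than the page's own listing. The proposal, policy and algorithm names and the lifetime are assumed, as is the point that leaving encryption-algorithm out of the proposal is what makes it authentication-only; traffic in such a tunnel is integrity-protected and replay-protected but readable on the wire, as the text above states.

```junos
/* Added example, not the page's own listing. Names and lifetime are
   assumed; omitting encryption-algorithm is assumed to be what selects
   authentication-only ESP. */
security {
    ipsec {
        proposal esp-auth-only {
            protocol esp;
            /* Integrity and anti-replay only: no encryption-algorithm, so
               payloads cross the wire in clear text. */
            authentication-algorithm hmac-sha-256-128;
            lifetime-seconds 3600;
        }
        policy pmi-auth-only-policy {
            proposals esp-auth-only;
        }
    }
}
```

show security ipsec security-associations should then report the SA with the authentication algorithm and no encryption algorithm.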

Understanding the Loopback Interface for a High Availability VPN

In an IPsec VPN tunnel configuration, an external interface must be specified to communicate with the peer IKE gateway. Specifying a loopback interface for the external interface of a VPN is a good practice when there are multiple physical interfaces that can be used to reach a peer gateway. Anchoring a VPN tunnel on the loopback interface removes the dependency on a physical interface for successful routing.

Using a loopback interface for VPN tunnels is supported on standalone SRX Series devices as well as on SRX Series devices in chassis clusters. In a chassis cluster active-passive deployment, you can create a logical loopback interface and make it a member of a redundancy group so that it can be used to anchor VPN tunnels. The loopback interface can be configured in any redundancy group and is assigned as the external interface for the IKE gateway. VPN packets are processed on the node where the redundancy group is active.

On SRX5400, SRX5600, and SRX5800 devices, if the loopback interface is used as the IKE gateway external interface, it must be configured in a redundancy group other than RG0.

In a chassis cluster setup, the node on which the external interface is active selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are processed on that SPU. Thus, the active external interface determines the anchor SPU.

You can use the show chassis cluster interfaces command to view information on the redundant pseudointerface.
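A loopback unit placed in a redundancy group and used as the IKE gateway external interface, as an added example of the arrangement described above rather than the page's own listing. The interface unit, addresses, zone, gateway and policy names (ike-pol is assumed to exist) and the redundancy-group number are assumptions.

```junos
/* Added example, not the page's own listing. Names, addresses and the
   redundancy-group number are assumed; ike-pol is defined elsewhere. */
interfaces {
    lo0 {
        /* The redundant pseudointerface follows RG1, so the tunnel anchors
           on whichever node currently holds RG1 (on SRX5400/5600/5800 the
           group must not be RG0). */
        redundant-pseudo-interface-options { redundancy-group 1; }
        unit 0 { family inet { address 203.0.113.1/32; } }
    }
}
security {
    zones {
        security-zone untrust {
            interfaces {
                /* Only IKE is accepted on the VPN anchor address; no other
                   system service is exposed through it. */
                lo0.0 { host-inbound-traffic { system-services { ike; } } }
            }
        }
    }
    ike {
        gateway remote-gw {
            ike-policy ike-pol;
            address 198.51.100.1;
            /* Anchoring on lo0.0 removes the dependency on any one
               physical interface toward the peer. */
            external-interface lo0.0;
        }
    }
}
```

show chassis cluster interfaces then lists lo0 as a redundant pseudointerface under redundancy group 1, and the tunnel fails over together with that group.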