Multifield Classification

Multifield Classification Overview

Forwarding Classes and PLP Levels

You can configure the Junos OS class of service (CoS) features to classify incoming traffic by associating each packet with a forwarding class, a packet loss priority (PLP) level, or both:

  • Based on the associated forwarding class, each packet is assigned to an output queue, and the router services the output queues according to the associated scheduling you configure.
  • Based on the associated PLP, each packet carries a lower or higher likelihood of being dropped if congestion occurs. The CoS random early detection (RED) process uses the drop probability configuration, the output queue fullness percentage, and the packet PLP to drop packets as needed to control congestion at the output stage.

Multifield Classification and BA Classification

The Junos OS supports two general types of packet classification: behavior aggregate (BA) classification and multifield classification:

  • BA classification, or CoS value traffic classification, refers to a method of packet classification that uses a CoS configuration to set the forwarding class or PLP of a packet based on the CoS value in the IP packet header. The CoS value examined for BA classification purposes can be the Differentiated Services code point (DSCP) value, DSCP IPv6 value, IP precedence value, MPLS EXP bits, and IEEE 802.1p value. The default classifier is based on the IP precedence value.
  • Multifield classification refers to a method of packet classification that uses a standard stateless firewall filter configuration to set the forwarding class or PLP for each packet entering or exiting the interface based on multiple fields in the IP packet header, including the DSCP value (for IPv4 only), the IP precedence value, the MPLS EXP bits, and the IEEE 802.1p bits. Multifield classification commonly matches on IP address fields, the IP protocol type field, or the port number in the UDP or TCP pseudoheader field. Multifield classification is used instead of BA classification when you need to classify packets based on packet header information other than the CoS values alone.

    With multifield classification, a firewall filter term can specify the packet classification actions for matching packets through the use of the forwarding-class class-name or loss-priority (high | medium-high | medium-low | low) nonterminating actions in the term’s then clause. For more information about these actions, see .

Note: BA classification of a packet can be overridden by the stateless firewall filter actions forwarding-class and loss-priority.

Multifield Classification Used In Conjunction with Policers

To configure multifield classification in conjunction with rate limiting, a firewall filter term can specify the packet classification actions for matching packets through the use of a policer nonterminating action that references a single-rate two-color policer.

When multifield classification is configured to perform classification through a policer, the filter-matched packets in the traffic flow are rate-limited to the policer-specified traffic limits. Packets in a conforming flow of filter-matched packets are implicitly set to a low PLP. Packets in a nonconforming traffic flow can be discarded, or the packets can be set to a specified forwarding class, set to a specified PLP level, or both, depending on the type of policer and how the policer is configured to handle nonconforming traffic.

Note: Before you apply a firewall filter that performs multifield classification and also a policer to the same logical interface and for the same traffic direction, make sure that you consider the order of policer and firewall filter operations.

As an example, consider the following scenario:

  • You configure a firewall filter that performs multifield classification (acts on matched packets by setting the forwarding class, the PLP, or both) based on the packet's existing forwarding class or PLP. You apply the firewall filter at the input of a logical interface.
  • You also configure a single-rate two-color policer that acts on a red traffic flow by re-marking (setting the forwarding class, the PLP, or both) rather than discarding those packets. You apply the policer as an interface policer at the input of the same logical interface to which you apply the firewall filter.

Because of the order of policer and firewall operations, the input policer is executed before the input firewall filter. This means that the multifield classification specified by the firewall filter is performed on input packets that have already been re-marked once by policing actions. Consequently, any input packet that matches the conditions specified in a firewall filter term is then subject to a second re-marking according to the forwarding-class or loss-priority nonterminating actions also specified in that term.

Multifield Classification Requirements and Restrictions

Supported Platforms

The loss-priority firewall filter action is supported on the following routing and switching platforms only:

  • EX Series switches
  • M7i and M10i routers with the Enhanced CFEB (CFEB-E)
  • M120 and M320 routers
  • MX Series routers
  • T Series routers with Enhanced II Flexible PIC Concentrators (FPCs)

CoS Tricolor Marking Requirement

The loss-priority firewall filter action has platform-specific dependencies on the CoS tricolor marking feature, as defined in RFC 2698:

  • On an M320 router, you cannot commit a configuration that includes the loss-priority firewall filter action unless you enable the CoS tricolor marking feature.
  • On all routing platforms that support the loss-priority firewall filter action, you cannot set the loss-priority firewall filter action to medium-low or medium-high unless you enable the CoS tricolor marking feature.

To enable the CoS tricolor marking feature, include the tri-color statement at the [edit class-of-service] hierarchy level.

Restrictions

You cannot configure the loss-priority and three-color-policer nonterminating actions for the same firewall filter term. These two nonterminating actions are mutually exclusive.
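As an added example (not from the Junos documentation), a small pre-commit check in Python that scans set-style configuration lines for the restrictions above: loss-priority and three-color-policer in one term, medium-low or medium-high without tri-color, and on an M320 any loss-priority action without tri-color. The check_loss_priority function, the sample lines and the policer name srtcm-policer are constructed for illustration.

```python
import re
from collections import defaultdict

# One 'then' action of a filter term, e.g.
#   set firewall family inet filter mfc-filter term isp1-customers then loss-priority low
TERM_ACTION_RE = re.compile(
    r"^set firewall (?:family \S+ )?filter (?P<filter>\S+) term (?P<term>\S+) then (?P<action>.+)$"
)


def check_loss_priority(lines, platform="MX"):
    """Return the problems the restrictions above would raise for these
    set commands on the given platform (constructed checker, not a Junos tool)."""
    tri_color = any(l.strip() == "set class-of-service tri-color" for l in lines)
    actions = defaultdict(list)          # (filter, term) -> 'then' actions in that term
    for line in lines:
        m = TERM_ACTION_RE.match(line.strip())
        if m:
            actions[(m["filter"], m["term"])].append(m["action"])

    problems = []
    for (flt, term), acts in actions.items():
        where = f"filter {flt} term {term}"
        lp_values = [a.split()[1] for a in acts if a.startswith("loss-priority ")]
        tcp = [a for a in acts if a.startswith("three-color-policer")]
        # Restriction: the two nonterminating actions are mutually exclusive.
        if lp_values and tcp:
            problems.append(f"{where}: loss-priority and three-color-policer are mutually exclusive")
        if tri_color:
            continue                     # remaining checks only apply without tri-color
        # Requirement: medium-low / medium-high need CoS tricolor marking.
        for value in lp_values:
            if value in ("medium-low", "medium-high"):
                problems.append(f"{where}: loss-priority {value} requires tri-color")
        # Requirement: on an M320, any loss-priority action needs tri-color to commit.
        if platform == "M320" and lp_values:
            problems.append(f"{where}: loss-priority on M320 requires tri-color")
    return problems


# Constructed sample: two terms, no 'set class-of-service tri-color' statement.
SAMPLE_CONFIG = """
set firewall family inet filter mfc-filter term isp1-customers from source-address 10.1.1.0/24
set firewall family inet filter mfc-filter term isp1-customers then loss-priority medium-high
set firewall family inet filter mfc-filter term isp1-customers then forwarding-class expedited-forwarding
set firewall family inet filter mfc-filter term isp2-customers then loss-priority low
set firewall family inet filter mfc-filter term isp2-customers then three-color-policer single-rate srtcm-policer
""".strip().splitlines()

if __name__ == "__main__":
    for problem in check_loss_priority(SAMPLE_CONFIG):
        print(problem)
```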

Multifield Classification Limitations on M Series Routers

Problem: Output-Filter Matching on Input-Filter Classification

On M Series routers (except M120 routers), you cannot classify packets with an output filter match based on the ingress classification that is set with an input filter applied to the same IPv4 logical interface.

For example, in the following configuration, the filter called ingress assigns all incoming IPv4 packets to the expedited-forwarding class. The filter called egress counts all packets that were assigned to the expedited-forwarding class by the ingress filter. This configuration does not work on most M Series routers. It works on all other routing platforms, including M120 routers, MX Series routers, T Series routers, and EX Series switches.

[edit]
user@host# show firewall
family inet {
    filter ingress {
        term 1 {
            then {
                forwarding-class expedited-forwarding;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
    filter egress {
        term 1 {
            from {
                forwarding-class expedited-forwarding;
            }
            then count ef;
        }
        term 2 {
            then accept;
        }
    }
}
[edit]
user@host# show interfaces
ge-1/2/0 {
    unit 0 {
        family inet {
            filter {
                input ingress;
                output egress;
            }
        }
    }
}

Workaround: Configure All Actions in the Ingress Filter

As a workaround, you can configure all of the actions in the ingress filter.

[edit]
user@host# show firewall
family inet {
    filter ingress {
        term 1 {
            then {
                forwarding-class expedited-forwarding;
                accept;
                count ef;
            }
        }
        term 2 {
            then accept;
        }
    }
}
[edit]
user@host# show interfaces
ge-1/2/0 {
    unit 0 {
        family inet {
            filter {
                input ingress;
            }
        }
    }
}

Example: Configuring Multifield Classification

This example shows how to configure multifield classification of IPv4 traffic by using firewall filter actions and two firewall filter policers.

Requirements

Before you begin, make sure that your environment supports the features shown in this example:

  1. The loss-priority firewall filter action must be supported on the router and configurable to all four values.

    1. To be able to set a loss-priority firewall filter action, configure this example on logical interface ge-1/2/0.0 on one of the following routing or switching platforms:

      • EX Series switch
      • MX Series router
      • M120 or M320 router
      • M7i or M10i router with the Enhanced CFEB (CFEB-E)
      • T Series router with Enhanced II Flexible PIC Concentrator (FPC)
    2. To be able to set a loss-priority firewall filter action to medium-low or medium-high, make sure that the CoS tricolor marking feature is enabled. To enable the CoS tricolor marking feature, include the tri-color statement at the [edit class-of-service] hierarchy level.
  2. The expedited-forwarding and assured-forwarding forwarding classes must be scheduled on the underlying physical interface ge-1/2/0.

    1. Make sure that the following forwarding classes are assigned to output queues:

      • expedited-forwarding
      • assured-forwarding
      Forwarding-class assignments are configured at the [edit class-of-service forwarding-classes queue queue-number] hierarchy level.

      Note: You cannot commit a configuration that assigns the same forwarding class to two different queues.

    2. Make sure that the output queues to which the forwarding classes are assigned are associated with schedulers. A scheduler defines the amount of interface bandwidth assigned to the queue, the size of the memory buffer allocated for storing packets, the priority of the queue, and the random early detection (RED) drop profiles associated with the queue.

      • You configure output queue schedulers at the [edit class-of-service schedulers] hierarchy level.
      • You associate output queue schedulers with forwarding classes by means of a scheduler map that you configure at the [edit class-of-service scheduler-maps map-name] hierarchy level.
    3. Make sure that output-queue scheduling is applied to the physical interface ge-1/2/0.

      You apply a scheduler map to a physical interface at the [edit class-of-service interfaces ge-1/2/0 scheduler-map map-name] hierarchy level.

Overview

In this example, you apply multifield classification to the input IPv4 traffic at a logical interface by using stateless firewall filter actions and two firewall filter policers that are referenced from the firewall filter. Based on the source address field, packets are either set to the low loss priority or else policed. Neither of the policers discards nonconforming traffic. Packets in nonconforming flows are marked for a specific forwarding class (expedited-forwarding or assured-forwarding), set to a specific loss priority, and then transmitted.

Note: Single-rate two-color policers always transmit packets in a conforming traffic flow after implicitly setting a low loss priority.

Topology

In this example, you apply multifield classification to the IPv4 traffic on logical interface ge-1/2/0.0. The classification rules are specified in the IPv4 stateless firewall filter mfc-filter and two single-rate two-color policers, ef-policer and af-policer.

The IPv4 standard stateless firewall filter mfc-filter defines three filter terms:

  • isp1-customers—The first filter term matches packets with the source address 10.1.1.0/24 or 10.1.2.0/24. Matched packets are assigned to the expedited-forwarding forwarding class and set to the low loss priority.
  • isp2-customers—The second filter term matches packets with the source address 10.1.3.0/24 or 10.1.4.0/24. Matched packets are passed to ef-policer, a policer that rate-limits traffic to a bandwidth limit of 300 Kbps with a burst-size limit of 50 KB. This policer specifies that packets in a nonconforming flow are marked for the expedited-forwarding forwarding class and set to the high loss priority.
  • other-customers—The third and final filter term passes all other packets to af-policer, a policer that rate-limits traffic to a bandwidth limit of 300 Kbps and a burst-size limit of 50 KB (the same traffic limits as defined by ef-policer). This policer specifies that packets in a nonconforming flow are marked for the assured-forwarding forwarding class and set to the medium-high loss priority.
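The filter and policers just described, modelled in Python as an added example (this is not code from the Junos documentation): it evaluates the three mfc-filter terms in order and runs matched packets through token-bucket models of ef-policer and af-policer, so you can see which packets end up re-marked and which keep the implicit low PLP of a conforming flow. The token-bucket model, the Packet type and the constructed traffic timings are assumptions; prefixes, limits and actions follow the example configuration (loss-priority high for both policers).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    size: int                                # bytes
    t: float                                 # arrival time in seconds
    forwarding_class: Optional[str] = None   # None = left to BA classification
    loss_priority: Optional[str] = None


class TwoColorPolicer:
    """Single-rate two-color policer modelled as a token bucket (assumption).
    bandwidth_limit is in bits per second, burst_size_limit in bytes."""

    def __init__(self, name, bandwidth_limit, burst_size_limit, fc, plp):
        self.name = name
        self.rate_bytes = bandwidth_limit / 8.0
        self.burst = burst_size_limit
        self.tokens = float(burst_size_limit)
        self.last_t = 0.0
        self.fc, self.plp = fc, plp          # re-marking applied to nonconforming packets
        self.out_of_spec = 0                 # the count 'show firewall' reports per policer

    def police(self, pkt):
        # Refill at the committed rate, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last_t) * self.rate_bytes)
        self.last_t = pkt.t
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            pkt.loss_priority = "low"        # conforming flow: implicit low PLP, transmitted
        else:
            self.out_of_spec += 1            # nonconforming: re-marked, not discarded
            pkt.forwarding_class = self.fc
            pkt.loss_priority = self.plp
        return pkt


def build_mfc_filter():
    """Return the mfc-filter terms plus the two policers they reference (fresh state)."""
    ef = TwoColorPolicer("ef-policer", 300_000, 50_000, "expedited-forwarding", "high")
    af = TwoColorPolicer("af-policer", 300_000, 50_000, "assured-forwarding", "high")
    terms = [
        ("isp1-customers", ["10.1.1.0/24", "10.1.2.0/24"],
         {"forwarding-class": "expedited-forwarding", "loss-priority": "low"}),
        ("isp2-customers", ["10.1.3.0/24", "10.1.4.0/24"], {"policer": ef}),
        ("other-customers", None, {"policer": af}),   # no 'from' clause: matches everything
    ]
    return terms, ef, af


def classify(pkt, terms):
    """Evaluate terms in order; the first matching term acts. Returns the term name."""
    src = ipaddress.ip_address(pkt.src)
    for name, prefixes, then in terms:
        if prefixes is None or any(src in ipaddress.ip_network(p) for p in prefixes):
            if "policer" in then:
                then["policer"].police(pkt)
            else:
                pkt.forwarding_class = then["forwarding-class"]
                pkt.loss_priority = then["loss-priority"]
            return name
    return None


def isp2_burst(count=100, size=1500, interval=0.01):
    """Constructed traffic: 1500-byte packets every 10 ms from 10.1.3.7, i.e. 1.2 Mbps,
    four times the 300 Kbps limit. Returns per-packet results and ef-policer's
    out-of-spec count: the 50 KB burst absorbs the first packets, then re-marking starts."""
    terms, ef, _ = build_mfc_filter()
    results = []
    for i in range(count):
        pkt = Packet("10.1.3.7", size, i * interval)
        term = classify(pkt, terms)
        results.append((term, pkt.forwarding_class, pkt.loss_priority))
    return results, ef.out_of_spec


if __name__ == "__main__":
    results, oos = isp2_burst()
    print("first packet:", results[0])
    print("packet 44:", results[44])
    print("out-of-spec packets counted by ef-policer:", oos)
```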

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

set firewall policer ef-policer if-exceeding bandwidth-limit 300k
set firewall policer ef-policer if-exceeding burst-size-limit 50k
set firewall policer ef-policer then loss-priority high
set firewall policer ef-policer then forwarding-class expedited-forwarding
set firewall policer af-policer if-exceeding bandwidth-limit 300k
set firewall policer af-policer if-exceeding burst-size-limit 50k
set firewall policer af-policer then loss-priority high
set firewall policer af-policer then forwarding-class assured-forwarding
set firewall family inet filter mfc-filter term isp1-customers from source-address 10.1.1.0/24
set firewall family inet filter mfc-filter term isp1-customers from source-address 10.1.2.0/24
set firewall family inet filter mfc-filter term isp1-customers then loss-priority low
set firewall family inet filter mfc-filter term isp1-customers then forwarding-class expedited-forwarding
set firewall family inet filter mfc-filter term isp2-customers from source-address 10.1.3.0/24
set firewall family inet filter mfc-filter term isp2-customers from source-address 10.1.4.0/24
set firewall family inet filter mfc-filter term isp2-customers then policer ef-policer
set firewall family inet filter mfc-filter term other-customers then policer af-policer
set interfaces ge-1/2/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-1/2/0 unit 0 family inet filter input mfc-filter

Configuring Policers to Rate-Limit Expedited-Forwarding and Assured-Forwarding Traffic

Step-by-Step Procedure

To configure policers to rate-limit expedited-forwarding and assured-forwarding traffic:

  1. Define traffic limits for expedited-forwarding traffic.

    [edit]
    user@host# edit firewall policer ef-policer
    [edit firewall policer ef-policer]
    user@host# set if-exceeding bandwidth-limit 300k
    user@host# set if-exceeding burst-size-limit 50k
    user@host# set then loss-priority high
    user@host# set then forwarding-class expedited-forwarding
  2. Configure a policer for assured-forwarding traffic.

    [edit firewall policer ef-policer]
    user@host# up
    [edit firewall]
    user@host# edit policer af-policer
    [edit firewall policer af-policer]
    user@host# set if-exceeding bandwidth-limit 300k
    user@host# set if-exceeding burst-size-limit 50k
    user@host# set then loss-priority high
    user@host# set then forwarding-class assured-forwarding

Results

Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show firewall
policer af-policer {
    if-exceeding {
        bandwidth-limit 300k;
        burst-size-limit 50k;
    }
    then {
        loss-priority high;
        forwarding-class assured-forwarding;
    }
}
policer ef-policer {
    if-exceeding {
        bandwidth-limit 300k;
        burst-size-limit 50k;
    }
    then {
        loss-priority high;
        forwarding-class expedited-forwarding;
    }
}

Configuring a Multifield Classification Filter That Also Applies Policing

Step-by-Step Procedure

To configure a multifield classification filter that additionally applies policing:

  1. Enable configuration of a firewall filter term for IPv4 traffic.

    [edit]
    user@host# edit firewall family inet filter mfc-filter
  2. Configure the first term to match on source addresses and then classify the matched packets.

    [edit firewall family inet filter mfc-filter]
    user@host# set term isp1-customers from source-address 10.1.1.0/24
    user@host# set term isp1-customers from source-address 10.1.2.0/24
    user@host# set term isp1-customers then loss-priority low
    user@host# set term isp1-customers then forwarding-class expedited-forwarding
  3. Configure the second term to match on different source addresses and then police the matched packets.

    [edit firewall family inet filter mfc-filter]
    user@host# set term isp2-customers from source-address 10.1.3.0/24
    user@host# set term isp2-customers from source-address 10.1.4.0/24
    user@host# set term isp2-customers then policer ef-policer
  4. Configure the third term to police all other packets to a different set of traffic limits and actions.

    [edit firewall family inet filter mfc-filter]
    user@host# set term other-customers then policer af-policer

Results

Confirm the configuration of the filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show firewall
family inet {
    filter mfc-filter {
        term isp1-customers {
            from {
                source-address 10.1.1.0/24;
                source-address 10.1.2.0/24;
            }
            then {
                loss-priority low;
                forwarding-class expedited-forwarding;
            }
        }
        term isp2-customers {
            from {
                source-address 10.1.3.0/24;
                source-address 10.1.4.0/24;
            }
            then {
                policer ef-policer;
            }
        }
        term other-customers {
            then {
                policer af-policer;
            }
        }
    }
}
policer af-policer {
    if-exceeding {
        bandwidth-limit 300k;
        burst-size-limit 50k;
    }
    then {
        loss-priority high;
        forwarding-class assured-forwarding;
    }
}
policer ef-policer {
    if-exceeding {
        bandwidth-limit 300k;
        burst-size-limit 50k;
    }
    then {
        loss-priority high;
        forwarding-class expedited-forwarding;
    }
}

Applying Multifield Classification Filtering and Policing to the Logical Interface

Step-by-Step Procedure

To apply multifield classification filtering and policing to the logical interface:

  1. Enable configuration of IPv4 on the logical interface.

    [edit]
    user@host# edit interfaces ge-1/2/0 unit 0 family inet
  2. Configure an IP address for the logical interface.

    [edit interfaces ge-1/2/0 unit 0 family inet]
    user@host# set address 192.168.1.1/24
  3. Apply the firewall filter to the logical interface input.

    [edit interfaces ge-1/2/0 unit 0 family inet]
    user@host# set filter input mfc-filter

    Note: Because an input policer applied directly to the logical interface is executed before the input firewall filter, such a policer cannot act on the forwarding class and PLP that a multifield classifier on the same interface sets.

Results

Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show interfaces
ge-1/2/0 {
    unit 0 {
        family inet {
            filter {
                input mfc-filter;
            }
            address 192.168.1.1/24;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Displaying the Number of Packets Processed by the Policer at the Logical Interface

Purpose

Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.

Action

Use the show firewall operational mode command for the filter you applied to the logical interface.

user@host> show firewall filter mfc-filter
Filter: mfc-filter
Policers:
Name                                              Packets
ef-policer-isp2-customers                           32863
af-policer-other-customers                           3870

The command output lists the policers applied by the firewall filter mfc-filter and, for each policer, the number of packets that matched the filter term referencing it.

Note: The packet count is the number of out-of-specification (out-of-spec) packets, not the total number of packets processed by the policer.

The policer name is displayed concatenated with the name of the firewall filter term in which the policer is referenced as an action.

Example: Configuring and Applying a Firewall Filter for a Multifield Classifier

This example shows how to configure a firewall filter to classify traffic using a multifield classifier. The classifier detects packets of interest to CoS as they arrive on an interface.

Requirements

Before you begin, review how to create and configure a firewall. See Guidelines for Configuring Standard Firewall Filters.

Note: On T4000 Type 5 FPCs, a filter attached at the Layer 2 application point (that is, at the logical interface level) is unable to match with the forwarding class of a packet that is set by a Layer 3 classifier such as DSCP, DSCP V6, inet-precedence, and mpls-exp.

Overview

One common way to detect packets of CoS interest is by source or destination address. The destination address is used in this example, but many other matching criteria for packet detection are available to firewall filters.

In this example, you configure the firewall filter mf-classifier. You create and name the assured forwarding traffic class, set the match condition, and specify the destination address as 192.168.44.55. You create the forwarding class for assured forwarding DiffServ traffic as af-class and set the loss priority to low.

Then you create and name the expedited forwarding traffic class, set the match condition for the expedited forwarding traffic class, and specify the destination address as 192.168.66.77. You then create the forwarding class for expedited forwarding DiffServ traffic as ef-class and set the policer to ef-policer. Then you create and name the network-control traffic class and set the match condition.

You then create and name the forwarding class for the network control traffic class as nc-class. You create and name the forwarding class for the best-effort traffic class as be-class. Finally, you apply the multifield classifier firewall filter as an input filter on each customer-facing or host-facing interface that needs the filter. In this example, the interface is ge-0/0/0.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set firewall filter mf-classifier interface-specific
set firewall filter mf-classifier term assured-forwarding from destination-address 192.168.44.55
set firewall filter mf-classifier term assured-forwarding then forwarding-class af-class
set firewall filter mf-classifier term assured-forwarding then loss-priority low
set firewall filter mf-classifier term expedited-forwarding from destination-address 192.168.66.77
set firewall filter mf-classifier term expedited-forwarding then forwarding-class ef-class
set firewall filter mf-classifier term expedited-forwarding then policer ef-policer
set firewall filter mf-classifier term network-control from precedence net-control
set firewall filter mf-classifier term network-control then forwarding-class nc-class
set firewall filter mf-classifier term best-effort then forwarding-class be-class
set interfaces ge-0/0/0 unit 0 family inet filter input mf-classifier

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a firewall filter for a multifield classifier for a device:

  1. Create and name the multifield classifier filter.

    [edit]
    user@host# edit firewall filter mf-classifier
    user@host# set interface-specific
  2. Create and name the term for the assured forwarding traffic class.

    [edit firewall filter mf-classifier]
    user@host# edit term assured-forwarding
  3. Specify the destination address for assured forwarding traffic.

    [edit firewall filter mf-classifier term assured-forwarding]
    user@host# set from destination-address 192.168.44.55
  4. Create the forwarding class and set the loss priority for the assured forwarding traffic class.

    [edit firewall filter mf-classifier term assured-forwarding]
    user@host# set then forwarding-class af-class
    user@host# set then loss-priority low
  5. Create and name the term for the expedited forwarding traffic class.

    [edit]
    user@host# edit firewall filter mf-classifier
    user@host# edit term expedited-forwarding
  6. Specify the destination address for the expedited forwarding traffic.

    [edit firewall filter mf-classifier term expedited-forwarding]
    user@host# set from destination-address 192.168.66.77
  7. Create the forwarding class and apply the policer for the expedited forwarding traffic class.

    [edit firewall filter mf-classifier term expedited-forwarding]
    user@host# set then forwarding-class ef-class
    user@host# set then policer ef-policer
  8. Create and name the term for the network control traffic class.

    [edit]
    user@host# edit firewall filter mf-classifier
    user@host# edit term network-control
  9. Create the match condition for the network control traffic class.

    [edit firewall filter mf-classifier term network-control]
    user@host# set from precedence net-control
  10. Create and name the forwarding class for the network control traffic class.

    [edit firewall filter mf-classifier term network-control]
    user@host# set then forwarding-class nc-class
  11. Create and name the term for the best-effort traffic class.

    [edit]
    user@host# edit firewall filter mf-classifier
    user@host# edit term best-effort
  12. Create and name the forwarding class for the best-effort traffic class.

    [edit firewall filter mf-classifier term best-effort]
    user@host# set then forwarding-class be-class

    Note: Because this is the last term in the filter, it has no match condition.

  13. Apply the multifield classifier firewall filter as an input filter.

    [edit]
    user@host# set interfaces ge-0/0/0 unit 0 family inet filter input mf-classifier

Results

From configuration mode, confirm your configuration by entering the show firewall filter mf-classifier command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show firewall filter mf-classifier
interface-specific;
term assured-forwarding {
    from {
        destination-address {
            192.168.44.55/32;
        }
    }
    then {
        loss-priority low;
        forwarding-class af-class;
    }
}
term expedited-forwarding {
    from {
        destination-address {
            192.168.66.77/32;
        }
    }
    then {
        policer ef-policer;
        forwarding-class ef-class;
    }
}
term network-control {
    from {
        precedence net-control;
    }
    then forwarding-class nc-class;
}
term best-effort {
    then forwarding-class be-class;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying a Firewall Filter for a Multifield Classifier Configuration

Purpose

Verify that a firewall filter for a multifield classifier is configured properly on a device.

Action

From configuration mode, enter the show firewall filter mf-classifier command.

 

Published: 2013-04-10