Configuring Multifield Classifiers
This topic describes how you configure multifield classifiers.
Multifield classifiers classify packets to a forwarding class and loss priority based on the filter match criteria. Multifield classification is usually done at the edge of the network for packets that do not have valid or trusted behavior aggregate code points.
If you configure both a behavior aggregate (BA) classifier and a multifield classifier, BA classification is performed first; then multifield classification is performed. If they conflict, any BA classification result is overridden by the multifield classifier.
For a specified interface, you can configure both a multifield classifier and a BA classifier without conflicts. Because the classifiers are always applied in sequential order, the BA classifier followed by the multifield classifier, any BA classification result is overridden by a multifield classifier if they conflict.
To activate (apply) a multifield classifier, you must configure it on a logical interface. There is no restriction on the number of multifield classifiers you can configure.
For MX Series routers and EX Series switches, if you configure a firewall filter with a DSCP action or traffic-class action on a DPC, the commit does not fail, but a warning displays and an entry is made in the syslog.
For an L2TP LNS on MX Series routers, you can attach firewall for static LNS sessions by configuring these at logical interfaces directly on the inline services device (si-fpc/pic/port). RADIUS-configured firewall attachments are not supported.
You configure multifield classifiers by:
Defining the filter—Configure either a firewall filter or a simple filter. Simple filters filter IPv4 traffic (family inet) only. Firewall filters enable you to filter additional protocol families and more complex filters. The following sections describe both procedures.
Applying the filter—Activate the filter by configuring it on a logical interface as an input filter.
To configure a firewall filter:
To configure a simple filter:
Specify a name for the simple filter.
[edit firewall family family-name]
user@host# edit simple-filter filter-name
Specify the term name and match criteria you want to look for in incoming packets.
[edit firewall family family-name simple-filter filter-name]
user@host# set term term-name from match-conditions
Specify the action you want to take when a packet matches the conditions.
[edit firewall family family-name simple-filter filter-name]
user@host# set term term-name then actions
For multifield classifiers, you can perform the following actions for a simple filter:
Set the forwarding-class of incoming packets.
Set the loss-priority of incoming packets.
To apply the firewall filter to the appropriate logical interfaces as an input filter:
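A worked instance of the simple-filter steps above, written as hierarchical configuration text. It is an added illustration, not part of the original documentation. The filter name sf-edge-classify, the term names, the 192.0.2.0/24 and 198.51.100.0/24 prefixes and port 5060 are constructed values, and expedited-forwarding and best-effort are assumed to be forwarding classes defined on the router.

```junos
firewall {
    family inet {
        # Simple filters handle IPv4 (family inet) traffic only.
        simple-filter sf-edge-classify {
            # Term 1: UDP signalling from the constructed voice subnet
            # is placed in the expedited-forwarding class with low loss
            # priority, whatever code point the packet arrived with.
            term voice-signalling {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol udp;
                    destination-port 5060;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                }
            }
            # Term 2: traffic from a constructed untrusted customer
            # subnet is forced to best-effort with high loss priority,
            # so markings set by the sender cannot earn it a better class.
            term untrusted-customer {
                from {
                    source-address {
                        198.51.100.0/24;
                    }
                }
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
        }
    }
}
```

Because multifield classification runs after BA classification, the classes assigned by these terms replace whatever a BA classifier on the same interface derived from the packet's code point.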
Specify the physical and logical interface on which you want to apply the firewall filter.
[edit]
user@host# edit interfaces interface-name unit unit-number
Specify the protocol family for the firewall filter.
[edit interfaces interface-name unit unit-number]
user@host# set family family-name
Specify the names of the firewall filters to apply to received packets.
[edit interfaces interface-name unit unit-number]
user@host# set filter input filter-name
Repeat this step for the family protocol filter and the simple filter.
Save your configuration.
[edit]
user@host# commit