close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Overview
- play_arrow Next Gen Services Overview
  - Next Gen Services Overview
- play_arrow Configuration Overview
- play_arrow Global System Logging Overview and Configuration
- play_arrow Next Gen Services SNMP MIBS and Traps
  - Next Gen Services SNMP MIBs and Traps
play_arrow Carrier Grade NAT (CGNAT)
- play_arrow Deterministic NAT Overview and Configuration
  - Deterministic NAPT Overview for Next Gen Services
  - Configuring Deterministic NAPT for Next Gen Services
- play_arrow Dynamic Address-Only Source NAT Overview and Configuration
  - Dynamic Address-Only Source Translation Overview
  - Configuring Dynamic Address-Only Source NAT for Next Gen Services
- play_arrow Network Address Port Translation Overview and Configuration
  - Network Address Port Translation (NAPT) Overview
  - Configuring Network Address Port Translation for Next Gen Services
  - Configuring Syslog Events for NAT Rule Conditions with Next Gen Services
- play_arrow NAT46
  - NAT46 Next Gen Services Configuration Examples
- play_arrow Stateful NAT64 Overview and Configuration
  - Stateful NAT64 Overview
  - IPv4 Addresses Embedded in IPv6 Addresses
  - Configuring Next Gen Services Stateful NAT64
- play_arrow IPv4 Connectivity Across IPv6-Only Network Using 464XLAT Overview and Configuration
  - 464XLAT Overview
  - IPv4 Addresses Embedded in IPv6 Addresses
  - Configuring 464XLAT Provider-Side Translator for IPv4 Connectivity Across IPv6-Only Network for Next Gen Services
- play_arrow IPv6 NAT Protocol Translation (NAT PT)
  - IPv6 NAT PT Overview
  - IPv6 NAT-PT Communication Overview
- play_arrow Stateless Source Network Prefix Translation for IPv6 Overview and Configuration
  - Stateless Source Network Prefix Translation for IPv6
- play_arrow Transitioning to IPv6 Using Softwires
  - 6rd Softwires in Next Gen Services
- play_arrow Transitioning to IPv6 Using DS-Lite Softwires
  - DS-Lite Softwires—IPv4 over IPv6 for Next Gen Services
  - Configuring Next Gen Services DS-Lite Softwires
  - DS-Lite Subnet Limitation
  - Protecting CGN Devices Against Denial of Service (DOS) Attacks
- play_arrow Reducing Traffic and Bandwidth Requirements Using Port Control Protocol
  - Port Control Protocol Overview
  - Configuring Port Control Protocol
- play_arrow Transitioning to IPv6 Using Mapping of Address and Port with Encapsulation (MAP-E)
  - Mapping of Address and Port with Encapsulation (MAP-E) for Next Gen Services
  - Equal Cost Multiple Path (ECMP) support for Mapping of Address and Port with Encapsulation (MAP-E)
- play_arrow Monitoring and Troubleshooting Softwires
  - Ping and Traceroute for DS-Lite
  - Monitoring Softwire Statistics
  - Monitoring CGN, Stateful Firewall, and Softwire Flows
- play_arrow Port Forwarding Overview and Configuration
  - Port Forwarding for Next Gen Services
- play_arrow Port Translation Features Overview and Configuration
  - Address Pooling and Endpoint Independent Mapping for Port Translation
  - Round-Robin Port Allocation
  - Secured Port Block Allocation for Port Translation
- play_arrow Static Source NAT Overview and Configuration
  - Static Source NAT Overview
  - Configuring Static Source NAT44 or NAT66 for Next Gen Services
- play_arrow Static Destination NAT Overview and Configuration
  - Static Destination NAT Overview
  - Configuring Static Destination NAT for Next Gen Services
- play_arrow Twice NAPT Overview and Configuration
  - Twice NAPT Overview
  - Configuring Twice NAPT for Next Gen Services
- play_arrow Twice NAT Overview and Configuration
  - Twice Static NAT Overview
  - Configuring Twice Static NAT44 for Next Gen Services
  - Twice Dynamic NAT Overview
  - Configuring Twice Dynamic NAT for Next Gen Services
- play_arrow Class of Service Overview and Configuration
  - Class of Service for Services PICs (Next Gen Services)
play_arrow Stateful Firewall Services
- play_arrow Stateful Firewall Services Overview and Configuration
  - Stateful Firewall Overview for Next Gen Services
  - Configuring Stateful Firewalls for Next Gen Services
play_arrow Intrusion Detection Services
- play_arrow IDS Screens for Network Attack Protection Overview and Configuration
play_arrow Traffic Load Balancing
- play_arrow Traffic Load Balancing Overview and Configuration
  - Traffic Load Balancer Overview
  - Configuring TLB
play_arrow DNS Request Filtering
- play_arrow DNS Request Filtering Overview and Configuration
  - DNS Request Filtering for Disallowed Website Domains
  - DNS Request Filtering System Logging Error Messages
play_arrow URL Filtering
- play_arrow URL Filtering
  - URL Filtering Overview
  - Configuring URL Filtering
play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
- play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
  - Integration of Juniper ATP Cloud and Web Filtering on MX Series Routers
play_arrow Aggregated Multiservices Interfaces
- play_arrow Enabling Load Balancing and High Availability Using Multiservices Interfaces
play_arrow Inter-Chassis Services PIC High Availability
- play_arrow Inter-Chassis Services PIC High Availability Overview and Configuration
play_arrow Application Layer Gateways
- play_arrow Enabling Traffic to Pass Securely Using Application Layer Gateways
play_arrow NAT, Stateful Firewall, and IDS Flows
- play_arrow Inline NAT Services Overview and Configuration
play_arrow Configuration Statements

list Table of Contents

English

Class of Service for Services PICs (Next Gen Services)

date_range 06-Dec-23

arrow_backward

arrow_forward

Class of Service Overview for Services PICs (Next Gen Services)

You can configure CoS Differentiated Services (DiffServ) code point (DSCP) marking and forwarding-class assignment for packets transiting a services PIC while being processed by a service set.

Configure services CoS rules, which identify the matching conditions for packet source and destination addresses and for packet applications, and the actions to take on those packets. You must apply CoS rules to a service set before the rules can be applied to traffic. Only stateful firewall and NAT rules can be used with CoS rules in a service set.

You can also configure specific CoS actions for FTP and for SIP traffic by creating an application profile. The application profile can then be referenced in the CoS rule actions.

The services CoS rules do not support scheduling. You must configure scheduling at the [edit class-of-service] hierarchy level on the output interface or fabric.

Note:

When configuring Next Gen Services with the MX-SPC3 services card, the service set must include at least one stateful firewall (SFW) rule or NAT rule, or services CoS does not work. Only stateful firewall and NAT rules can be used with CoS rules in a service set. CoS works without NAT and SFW rules also.

Benefits

CoS for traffic on a services PIC lets you classify traffic flows based on stateful firewall and NAT configurations.

Configuring CoS for Traffic Processed by a Services PIC (Next Gen Services)

Configuring CoS Rules
Configuring Application Profiles for CoS Rules
Configuring CoS Rule Sets
Configuring the Service Set for CoS

Configuring CoS Rules

Configure a name for the CoS rule.
```
user@host# edit services cos rule rule-name
```
Specify the traffic flow direction for the CoS rule.
```
[edit services cos rule rule-name]
user@host# set match-direction (input | input-output | output)
```
If this CoS rule is applied to an interface-type service set, the direction is determined by whether a packet is entering or leaving the interface on which the service set is applied. If this CoS rule is applied to a next-hop service set, the direction is input if the inside interface is used to route the packet, and the direction is output if the outside interface is used to route the package.

If you configure input-output, the rule is applied to sessions initiated from either direction.
Configure a name for a CoS rule policy.
```
[edit services cos rule rule-name]
user@host# set policy policy-name
```
You can configure multiple policies for a CoS rule. Each policy identifies the matching conditions for packet source and destination addresses and for packet applications, and the CoS actions to take on those packets. Once a policy in the rule matches a packet, that policy is applied and no other policies in the rule are processed.

Specify one or more port-based applications that match the policy.

content_copy zoom_out_map
[edit services cos rule rule-name policy policy-name]
user@host# set match application [application-names]

Specify the destination address that matches the policy.

content_copy zoom_out_map
[edit services cos rule rule-name policy policy-name]
user@host# set match destination-address address

Specify a range of destination addresses that match the policy.

content_copy zoom_out_map
[edit services cos rule rule-name policy policy-name]
user@host# set match destination-address-range low minimum-value high maximum-value

Specify the destination port number that matches the policy.

content_copy zoom_out_map
[edit services cos rule rule-name policy policy-name]
user@host# set match destination-port port-number

Specify the source address that matches the policy.

content_copy zoom_out_map
[edit services cos rule rule-name policy policy-name]
user@host# set match source-address address

Specify a range of source addresses that match the policy.

content_copy zoom_out_map
[edit services cos rule rule-name policy policy-name]
user@host# set match source-address-range low minimum-value high maximum-value

Specify a prefix list of source address prefixes that match the policy.
```
[edit services cos rule rule-name policy policy-name]
user@host# set match source-prefix-list list-name
```
You configure a prefix list by using the prefix-list statement at the [edit policy-options] hierarchy level.
Specify the application profile that defines the CoS policy actions for FTP and SIP traffic.
```
[edit services cos rule rule-name policy policy-name]
user@host# set then application-profile profile-name
```
Specify the DSCP value to apply to the packet.
```
[edit services cos rule rule-name policy policy-name]
user@host# set then dscp (alias | bits)
```
The DSCP can be either a code point alias or a DSCP bit value.
Specify the forwarding class name to apply to the packet.
```
[edit services cos rule rule-name policy policy-name]
user@host# set then forwarding-class class-name
```
The choices are:
- assured-forwarding
- best-effort
- expedited-forwarding
- network-control
- user-defined classifiers.
  
  You can define classifiers under [edit class-of-service classifiers dscp] hierarchy.
Configure system logging for the CoS rule policy.
Specify the treatment of flows in the reverse direction of the matching direction. Perform only one of the following:
1. Configure unique values for the reverse direction:
  [edit services cos rule rule-name policy policy-name] user@host# set then reverse application-profile profile-name user@host# set then reverse dscp (alias | bits) user@host# set then reverse forwarding-class class-name
2. Apply the CoS rule policy actions to flows in the reverse direction as well as to flows in the matching direction.
  [edit services cos rule rule-name policy policy-name] user@host# set then reflexive
3. Store the DSCP and forwarding class of a packet that is received in the match direction of the rule and then apply that DSCP and forwarding class to packets that are received in the reverse direction of the same session.
  [edit services cos rule rule-name policy policy-name] user@host# set then revert

Configuring Application Profiles for CoS Rules

Configure CoS actions for FTP and SIP traffic. The application profile can then be used in CoS rule actions.

Configure a name for the application profile.
```
user@host# edit services cos application-profile profile-name
```

Specify the DSCP value to apply to the FTP or SIP (voice or video) packets.

For FTP traffic:

content_copy zoom_out_map
[edit services cos application-profile profile-name]
user@host# set ftp data dscp (alias | bits)

For SIP voice or video traffic:

[edit services cos application-profile profile-name]
user@host# set sip video | voice dscp                       dscp

The DSCP can be either a code point alias or a DSCP bit value.

Specify the forwarding class to apply to FTP or SIP packets.

For FTP traffic:

content_copy zoom_out_map
[edit services cos application-profile profile-name]
user@host# set ftp data forwarding-class class-name

For SIP voice or video traffic:

[edit services cos application-profile profile-name]
user@host# set sip video | voice forwarding-class forwarding-class dscp

The choices are:

assured-forwarding
best-effort
expedited-forwarding
network-control

Configuring CoS Rule Sets

A CoS rule set lets you specify a set of services CoS rules. You can then assign the rule set to a service set, which processes the rules in the order they appear. Once a rule matches the packet, the router performs the corresponding action, and no further rules in the rule set are applied.

Configure a name for the CoS rule set.
```
user@host# edit services cos rule-set rule-set-name
```

Specify the CoS rules that belong to the rule set.

content_copy zoom_out_map
[edit services cos rule-set rule-set-name]
user@host# set rule [rule-name]

Configuring the Service Set for CoS

You must apply CoS rules to a service set before the rules can be applied to traffic. Only stateful firewall and NAT rules can be used with CoS rules in a service set.

To configure a service set with CoS rules:

Define the service set.

content_copy zoom_out_map
 [edit services]
user@host# edit service-set service-set-name

Configure either an interface service set, which requires a single service interface, or a next-hop service set, which requires an inside and outside service interface.

content_copy zoom_out_map
 [edit services service-set service-set-name]
user@host# set interface-service service-interface interface-name

content_copy zoom_out_map
 [edit services service-set service-set-name]
user@host# set next-hop-service inside-service-interface interface-name outside-service-interface interface-name

Specify the CoS rules to be used with the service set. You can either specify individual rules or rule sets.
To apply individual CoS rules:
```
 [edit services service-set service-set-name]
user@host# set cos-rules [cos-rule-name]
```
To apply CoS rule sets:
```
 [edit services service-set service-set-name]
user@host# set cos-rule-sets [cos-rule-set-name]
```
The service set processes the CoS rules or rule sets in the order in which they appear in the service set configuration.
(Optional) Assign at least one stateful firewall rule or NAT rule to the service set.
(Optional) Configure the service set to create a CoS session even if a packet is first received in the reverse direction of the matching direction of the CoS rule. The CoS rule values are then applied as soon as a packet in the correct match direction is received.
```
 [edit services service-set service-set-name]
user@host# set cos-options match-rules-on-reverse-flow
```

arrow_backward PREVIOUS Configuring Twice Dynamic NAT for Next Gen Services

NEXT arrow_forward Stateful Firewall Overview for Next Gen Services

Next Gen Services Interfaces User Guide for Routing Devices

ON THIS PAGE

Class of Service for Services PICs (Next Gen Services)

Class of Service Overview for Services PICs (Next Gen Services)

Benefits

Configuring CoS for Traffic Processed by a Services PIC (Next Gen Services)

Configuring CoS Rules

Configuring Application Profiles for CoS Rules

Configuring CoS Rule Sets

Configuring the Service Set for CoS

Stay in touch

Helped me install or use the product
Accelerated my deployment

Discuss the product with a co-worker
Make a purchase inquiry

Next Gen Services Interfaces User Guide for Routing Devices

ON THIS PAGE

Class of Service for Services PICs (Next Gen Services)

Class of Service Overview for Services PICs (Next Gen Services)

Benefits

See Also

Configuring CoS for Traffic Processed by a Services PIC (Next Gen Services)

Configuring CoS Rules

Configuring Application Profiles for CoS Rules

Configuring CoS Rule Sets

Configuring the Service Set for CoS

See Also

Stay in touch