Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Guidelines for Configuring SCU

When you enable SCU or DCU, keep the following information in mind:

  • In Junos OS Release 5.6 and later for M Series routers only, you can use a source class or a destination class as a match condition in a firewall filter. To configure, include the destination-class or source-class statement at the [edit firewall filter firewall-name term term-name from] hierarchy level. For more information about firewall filters, see the Junos Policy Framework Configuration Guide.

  • You can assign up to 126 source classes and 126 destination classes.

  • When configuring policy action statements, you can configure only one source class for each matching route. In other words, more than one source class cannot be applied to the same route.

  • A source or destination class is applied to a packet only once during the routing table lookup. When a network prefix matches a class-usage policy, SCU is assigned to packets first; DCU is assigned only if SCU has not been assigned. Be careful when using both class types, since misconfiguration can result in uncounted packets. The following example explores one potential mishap:

    A packet arrives on a router interface configured for both SCU and DCU. The packet's source address matches an SCU class, and its destination matches a DCU class. Consequently, the packet is subjected to a source lookup and is marked with the SCU class. The DCU class is ignored. As a result, the packet is forwarded to the outbound interface with only the SCU class still intact.

    However, the outbound interface lacks an SCU configuration. When the packet is ready to leave the router, the router detects that the output interface is not configured for SCU and the packet is not counted by SCU. Likewise, even though the prefix matched the DCU prefix, the DCU counters do not increment because DCU was superseded by SCU at the inbound interface.

To solve this problem, make sure you configure both the inbound and outbound interfaces completely or configure only one class type per interface per direction.

  • Classes cannot be mapped to directly connected prefixes configured on local interfaces. This is true for DCU and SCU classes.

  • If you use multiple terms within a single policy, you only need to configure the policy name and apply it to the forwarding table once. This makes it easier to change options within your terms without having to reconfigure the main policy.

  • Execute command line interface (CLI) show commands and accounting profiles at the desired outbound interface to track SCU traffic. SCU counters increment at the SCU output interface.

  • Apply your classes to the inbound and outbound interfaces by means of the input and output SCU interface parameters.

  • On M320 and T Series routers, the source and destination classes are not carried across the platform fabric. For these routers, SCU and DCU accounting is performed before the packet enters the fabric and DCU is performed before output filters are evaluated.

  • If an output filter drops traffic on M Series routers other than the M120 router and M320 router, the dropped packets are excluded from DCU statistics. If an output filter drops traffic on M320 and T Series routers, the dropped packets are included in DCU statistics.

Related Documentation