PowerMode IPsec
Improving IPsec Performance with PowerMode IPsec
PowerMode IPsec (PMI) is a mode of operation that improves IPsec performance using Vector Packet Processing and Intel Advanced Encryption Standard New Instructions (AES-NI). PMI uses a small software block inside the Packet Forwarding Engine that bypasses flow processing and uses the AES-NI instruction set for optimized IPsec processing; the block is activated when PMI is enabled.
- PMI Processing
- PMI Statistics
- Advanced Encryption Standard New Instructions (AES-NI) and Inline Field-Programmable Gate Array (FPGA)
- Supported and Non-Supported Features for PMI
- Benefits of PMI
- Configuring Security Flow PMI
- Understanding Symmetric Fat IPsec Tunnel
PMI Processing
You can enable or disable PMI processing:
- Enable PMI processing with the set security flow power-mode-ipsec configuration mode command.
- Disable PMI processing with the delete security flow power-mode-ipsec configuration mode command. This command removes the statement from the configuration.
On SRX4100 and SRX4200 devices running Junos OS Release 18.4R1, SRX4600 Firewalls running Junos OS Release 20.4R1, and vSRX Virtual Firewall instances running Junos OS Release 18.3R1, you must reboot the device after enabling or disabling PMI for the change to take effect. On the SRX5000 line and on vSRX Virtual Firewall instances running Junos OS Release 19.2R1, no reboot is required.
PMI Statistics
You can verify the PMI statistics with the show security flow pmi statistics operational mode command.
You can verify the PMI and fat tunnel status with the show security flow status operational mode command.
Advanced Encryption Standard New Instructions (AES-NI) and Inline Field-Programmable Gate Array (FPGA)
Starting in Junos OS Release 20.4R1, you can enhance PMI performance by using AES-NI. AES-NI in PMI mode helps balance the load across SPUs and supports the symmetric fat tunnel on SPC3 cards, which accelerates traffic handling and raises IPsec VPN throughput. PMI uses AES-NI for encryption and the inline FPGA for decryption.
To enable PMI processing with AES-NI, include the power-mode-ipsec statement at the [edit security flow] hierarchy level.
To enable or disable the inline FPGA, include the inline-fpga-crypto (disabled | enabled) statement at the [edit security forwarding-process application-services] hierarchy level.
Supported and Non-Supported Features for PMI
A tunnel session can either be PMI or non-PMI.
If a session is configured with any non-supported features listed in Table 1 and Table 2, the session is marked as non-PMI and the tunnel goes into non-PMI mode. Once the tunnel goes into the non-PMI mode, the tunnel does not return to the PMI mode.
Table 1 summarizes the supported and non-supported PMI features on SRX Series Firewalls.
Supported Features in PMI | Non-Supported Features in PMI
---|---
Internet Key Exchange (IKE) functionality | IPsec-in-IPsec tunnels
AutoVPN with traffic selectors | Layer 4 - 7 applications: application firewall and AppSecure
High availability | GPRS tunneling protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewalls
IPv6 | Host traffic
Stateful firewall | Multicast
st0 interface | Nested tunnels
Traffic selectors | Screen options
NAT-T | DES-CBC encryption algorithm
GTP-U scenario with TEID distribution and asymmetric fat tunnel solution | 3DES-CBC encryption algorithm
Quality of Service (QoS) | Application Layer Gateway (ALG)
First path and fast path processing for fragment handling and unified encryption | HMAC-SHA-384 authentication algorithm
NAT | HMAC-SHA-512 authentication algorithm
AES-GCM-128 and AES-GCM-256 encryption algorithms (we recommend AES-GCM for optimal performance) |
AES-CBC-128, AES-CBC-192, and AES-CBC-256 encryption algorithms with the HMAC-SHA1-96 authentication algorithm |
AES-CBC-128, AES-CBC-192, and AES-CBC-256 encryption algorithms with the HMAC-SHA-256-128 authentication algorithm |
NULL encryption algorithm |
Table 2 summarizes the supported and non-supported PMI features on MX-SPC3 services card.
MX-SPC3 services card does not support np-cache and IPsec session-affinity.
Supported Features in PMI | Non-Supported Features in PMI
---|---
Internet Key Exchange (IKE) functionality | Layer 4 - 7 applications: application firewall, AppSecure, and ALGs
AutoVPN with traffic selectors, ADVPN | Multicast
High availability | Nested tunnels
IPv6 | Screen options
Stateful firewall | Application Layer Gateway (ALG)
st0 interface | HMAC-SHA-384 authentication algorithm
Traffic selectors | HMAC-SHA-512 authentication algorithm
Dead Peer Detection (DPD) |
Anti-Replay check |
NAT |
Post/Pre-Fragment |
Incoming clear-text fragments and ESP fragments |
AES-GCM-128 and AES-GCM-256 encryption algorithms (we recommend AES-GCM for optimal performance) |
AES-CBC-128, AES-CBC-192, and AES-CBC-256 encryption algorithms with the HMAC-SHA1-96 authentication algorithm |
AES-CBC-128, AES-CBC-192, and AES-CBC-256 encryption algorithms with the HMAC-SHA-256-128 authentication algorithm |
NULL encryption algorithm |
Note the following usage considerations with PMI:
- Anti-replay window size: The anti-replay window size is 64 packets by default. If you configure a fat tunnel, we recommend increasing the anti-replay window size to 512 packets or more, because one SA's packets are then encrypted on several cores and can reach the peer out of order.
- Class of Service (CoS): Starting in Junos OS Release 19.1R1, CoS supports configuration of behavior aggregate (BA) classifier, multifield (MF) classifier, and rewrite-rule functions in PMI on SRX5K-SPC3 Services Processing Cards (SPCs). If PMI is enabled for a flow session, CoS is applied per flow: the first packet of a new flow caches the CoS information in the flow session, and subsequent packets of the flow reuse the cached information.
- Encryption algorithm: Junos OS Release 19.3R1 supports the aes-128-cbc, aes-192-cbc, and aes-256-cbc options on SRX4100, SRX4200, and vSRX Virtual Firewall in PMI mode, in addition to the existing support in normal mode.
- GTP-U: Starting in Junos OS Release 19.2R1, PMI supports the GTP-U scenario with TEID distribution and the asymmetric fat tunnel solution. Starting in Junos OS Release 19.3R1, the GTP-U scenario with TEID distribution and the asymmetric fat tunnel solution are supported together with the Software Receive Side Scaling feature on vSRX Virtual Firewall.
- LAG and redundant (reth) interfaces: PMI is supported on link aggregation group (LAG) and redundant Ethernet (reth) interfaces.
- PMI fragmentation check: PMI checks for pre-fragmentation and post-fragmentation. Packets that require pre-fragmentation or post-fragmentation are not processed in PMI mode and fall back to non-PMI processing. Fragments received on an interface do not go through PMI.
- PMI for NAT-T: PMI for NAT-T is supported only on the SRX5400, SRX5600, and SRX5800 line equipped with the SRX5K-SPC3 Services Processing Card (SPC), and on vSRX Virtual Firewall.
- PMI support (vSRX): Starting in Junos OS Release 19.4R1, vSRX Virtual Firewall instances support per-flow CoS functions for GTP-U traffic in PMI mode, and the following CoS features in PMI mode: classifier, rewrite-rule functions, queuing, shaping, and scheduling.
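The supported and non-supported lists above are easiest to apply as a check over a candidate configuration before you commit it. The following Python script is an added example for this page, not Juniper code: it reads a flattened set-style configuration, reports the Table 1 algorithms that would mark a tunnel non-PMI, the missing PMI prerequisites (np-cache, session affinity, power-mode-ipsec), and, when fat-core is enabled, any IKE VPN whose anti-replay window is below 512 packets or whose replay check is switched off. The sample configuration and its proposal, VPN and gateway names are constructed for the example; the placement of anti-replay-window-size and no-anti-replay under [edit security ipsec vpn <name> ike] is assumed from the Junos hierarchy and should be checked against your release.

```python
"""Lint a flattened Junos 'set' configuration for settings that keep IPsec
tunnels out of PowerMode IPsec (PMI) or contradict the page's guidance.

Added example for this page; it is not Juniper code. The checks encode
Table 1 (SRX Series), the prerequisites from "Configuring Security Flow
PMI" and the fat-tunnel anti-replay recommendation. The anti-replay knobs
are assumed to live under [edit security ipsec vpn <name> ike].
"""
import re

# Table 1: algorithms that mark a tunnel non-PMI (and it never returns to PMI).
NON_PMI_ENCRYPTION = {"des-cbc", "3des-cbc"}
NON_PMI_AUTH = {"hmac-sha-384", "hmac-sha-512"}
# The page recommends AES-GCM for optimal PMI performance.
RECOMMENDED_ENCRYPTION = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}
DEFAULT_REPLAY_WINDOW = 64          # page: 64 packets by default
FAT_TUNNEL_MIN_REPLAY_WINDOW = 512  # page: >= 512 recommended with fat-core

# Constructed sample configuration (names are invented for the example).
SAMPLE_CONFIG = """
set chassis fpc 0 np-cache
set security flow load-distribution session-affinity ipsec
set security flow power-mode-ipsec
set security distribution-profile fat-core
set security ipsec proposal gcm-prop protocol esp
set security ipsec proposal gcm-prop encryption-algorithm aes-256-gcm
set security ipsec proposal legacy-prop protocol esp
set security ipsec proposal legacy-prop encryption-algorithm 3des-cbc
set security ipsec proposal legacy-prop authentication-algorithm hmac-sha-384
set security ipsec vpn hub-to-spoke ike gateway spoke-gw
set security ipsec vpn hub-to-spoke ike anti-replay-window-size 1024
set security ipsec vpn legacy-vpn ike gateway legacy-gw
"""


def parse_set_statements(text):
    """Return the whitespace-normalised 'set ...' lines of a configuration."""
    return [" ".join(line.split()) for line in text.splitlines()
            if line.strip().startswith("set ")]


def lint_pmi(config_text):
    """Return a list of findings; an empty list means nothing to fix."""
    stmts = parse_set_statements(config_text)
    findings = []

    def present(stmt):
        return any(s == stmt or s.startswith(stmt + " ") for s in stmts)

    # Prerequisites from "Configuring Security Flow PMI".
    if not present("set security flow power-mode-ipsec"):
        findings.append("PMI is not enabled: add 'set security flow power-mode-ipsec'")
    if not present("set security flow load-distribution session-affinity ipsec"):
        findings.append("IPsec session affinity is not enabled")
    if not any(re.fullmatch(r"set chassis fpc \d+ np-cache", s) for s in stmts):
        findings.append("no IOC session cache: add 'set chassis fpc <slot> np-cache'")

    # Per-proposal algorithm checks against Table 1.
    proposal_re = re.compile(
        r"set security ipsec proposal (\S+) (encryption|authentication)-algorithm (\S+)")
    for s in stmts:
        m = proposal_re.fullmatch(s)
        if not m:
            continue
        name, kind, alg = m.groups()
        if kind == "encryption" and alg in NON_PMI_ENCRYPTION:
            findings.append(f"proposal {name}: {alg} forces the tunnel into non-PMI mode")
        elif kind == "encryption" and alg not in RECOMMENDED_ENCRYPTION:
            findings.append(f"proposal {name}: {alg} runs in PMI, but AES-GCM is recommended")
        elif kind == "authentication" and alg in NON_PMI_AUTH:
            findings.append(f"proposal {name}: {alg} forces the tunnel into non-PMI mode")

    # Fat tunnel: every IKE VPN should keep a window of at least 512 packets.
    if present("set security distribution-profile fat-core"):
        windows = {}  # vpn name -> window size, or None when the check is off
        for s in stmts:
            m = re.fullmatch(r"set security ipsec vpn (\S+) ike (.+)", s)
            if not m:
                continue
            name, rest = m.groups()
            windows.setdefault(name, DEFAULT_REPLAY_WINDOW)
            w = re.fullmatch(r"anti-replay-window-size (\d+)", rest)
            if w:
                windows[name] = int(w.group(1))
            elif rest == "no-anti-replay":
                windows[name] = None
        for name, size in windows.items():
            if size is None:
                findings.append(f"vpn {name}: anti-replay is disabled; replayed ESP packets are accepted")
            elif size < FAT_TUNNEL_MIN_REPLAY_WINDOW:
                findings.append(f"vpn {name}: fat-core is on but the anti-replay window is {size}; "
                                f"use at least {FAT_TUNNEL_MIN_REPLAY_WINDOW}")
    return findings


if __name__ == "__main__":
    for finding in lint_pmi(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the 3DES proposal twice (encryption and authentication algorithm), and the VPN that still runs with the default 64-packet window while fat-core is on; the hub-to-spoke VPN with a 1024-packet window passes. Feed it the output of show configuration | display set to lint a real device.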
Benefits of PMI
Enhances the performance of IPsec.
Configuring Security Flow PMI
This section describes how to configure security flow PMI.
To configure security flow PMI, you must enable the session cache on the IOCs and enable IPsec session affinity:
Enable the session cache on the IOCs (IOC2 and IOC3):
user@host# set chassis fpc <fpc-slot> np-cache
Enable VPN session affinity:
user@host# set security flow load-distribution session-affinity ipsec
Enable PMI in the security flow configuration:
user@host# set security flow power-mode-ipsec
Confirm your configuration by entering the show security command:
user@host# show security
flow {
    power-mode-ipsec;
}
Enabling PMI may increase anti-replay errors on the peer devices. To mitigate this, increase the window size with the anti-replay-window-size option or, if you cannot increase the window size, disable the check with the no-anti-replay option. Note that no-anti-replay removes the SA's protection against replayed ESP packets, so prefer a larger window wherever the peer supports it. See Anti-Replay Window.
Understanding Symmetric Fat IPsec Tunnel
To improve the throughput of an IPsec tunnel, you can use fat tunnel technology.
Starting in Junos OS Release 19.4R1, you can configure a fat IPsec tunnel on the SRX5400, SRX5600, and SRX5800 line with the SRX5K-SPC3 services card, and on vSRX Virtual Firewall instances.
Starting in Junos OS Release 21.1R1, you can configure a fat IPsec tunnel on the MX-SPC3 services card.
A new CLI statement, fat-core, at the [edit security distribution-profile] hierarchy level enables the fat IPsec tunnel. The feature is disabled by default. When you enable fat-core, the configuration is displayed as:
security {
    distribution-profile {
        fat-core;
    }
}
Before configuring the fat IPsec tunnel, make sure the following are configured:
- For fast path forwarding, configure the IOC cache for session information with the set chassis fpc <fpc-slot> np-cache command.
- To enable session affinity, use the set security flow load-distribution session-affinity ipsec command.
- To enable PowerMode IPsec, use the set security flow power-mode-ipsec command.
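The anti-replay advice given with PMI and the fat tunnel has a concrete cause: in a fat tunnel one SA's packets are encrypted on several cores, each working on a vector of packets, so ESP sequence numbers leave the sender interleaved and the peer's sliding window can judge a legitimate packet "too old" even though nothing was replayed. The following Python model is an added example for this page, not Juniper code. It implements the RFC 4303 style sliding-window check and feeds it the arrival order produced by a simplified fat-tunnel sender; the core count, vector size and packet count are assumed parameters, and the drop figures describe only this model, not a measured SRX.

```python
"""Why a fat IPsec tunnel needs a larger anti-replay window.

Added example for this page; it is not Juniper code. The sender model
(round-robin over cores, each core releasing one vector of packets at a
time) and its parameters are assumptions chosen to make the effect visible.
"""
from collections import Counter


class AntiReplayWindow:
    """Sliding-window replay check in the style of RFC 4303 section 3.4.3."""

    def __init__(self, size):
        self.size = size
        self.top = 0                 # highest sequence number accepted so far
        self.bitmap = 0              # bit i set: sequence number top-i was seen
        self.mask = (1 << size) - 1

    def check(self, seq):
        """Return 'accept', 'drop-old' (left of the window) or 'drop-replay'."""
        if seq == 0:                 # sequence number 0 is never valid in ESP
            return "drop-old"
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & self.mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "drop-old"
        if (self.bitmap >> offset) & 1:
            return "drop-replay"
        self.bitmap |= 1 << offset
        return "accept"


def fat_tunnel_order(n_packets, cores, vector):
    """Arrival order when one SA is encrypted on `cores` cores that each emit
    their packets in vectors of `vector` packets (round-robin assignment)."""
    queues = [[] for _ in range(cores)]
    order = []
    for seq in range(1, n_packets + 1):
        q = queues[(seq - 1) % cores]
        q.append(seq)
        if len(q) == vector:         # a full vector leaves the core at once
            order.extend(q)
            q.clear()
    for q in queues:                 # flush partial vectors in core order
        order.extend(q)
    return order


def simulate(order, window_size):
    """Feed an arrival order through a fresh window; return outcome counts."""
    window = AntiReplayWindow(window_size)
    return Counter(window.check(seq) for seq in order)


if __name__ == "__main__":
    order = fat_tunnel_order(n_packets=512, cores=8, vector=16)
    for size in (64, 128, 512):
        counts = simulate(order, size)
        print(f"window {size:>3}: accepted {counts['accept']}, "
              f"dropped as too old {counts['drop-old']}")
```

In this model the reordering depth is about cores times vector size (8 x 16 = 128), so a 64-packet window discards a large share of legitimate packets, a 128-packet window just fits, and 512 leaves margin for the extra jitter a real device adds. A repeated sequence number inside the window is still caught at every window size; that detection is what you give up with no-anti-replay.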
Example: Configuring Behavior Aggregate Classifier in PMI
This example shows how to configure behavior aggregate (BA) classifiers for an SRX Series Firewall to determine the forwarding treatment of packets in PMI.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall.
Junos OS Release 19.1R1 and later releases.
Before you begin:
Determine the forwarding class and packet loss priority (PLP) that are assigned by default to each well-known DSCP that you want to configure for the behavior aggregate classifier.
Overview
Configure behavior aggregate classifiers to classify the packets that contain valid DSCPs to appropriate queues. Once configured, you apply the behavior aggregate classifier to the correct interfaces.
You override the default IP precedence classifier by defining a classifier and applying it to a logical interface. To define new classifiers for all code point types, include the classifiers statement at the [edit class-of-service] hierarchy level.
In this example, set the DSCP behavior aggregate classifier ba-classifier as the default DSCP map. Set a best-effort forwarding class be-class, an expedited forwarding class ef-class, an assured forwarding class af-class, and a network control forwarding class nc-class.
Finally, apply the behavior aggregate classifier to the interface ge-0/0/0.
Table 2 shows how the behavior aggregate classifier assigns loss priorities to incoming packets in the four forwarding classes.
Forwarding Class | For CoS Traffic Type | ba-classifier Assignments
---|---|---
be-class | Best-effort traffic | High-priority code point: 000001
ef-class | Expedited forwarding traffic | High-priority code point: 101111
af-class | Assured forwarding traffic | High-priority code point: 001100
nc-class | Network control traffic | High-priority code point: 110001
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set class-of-service classifiers dscp ba-classifier import default
set class-of-service classifiers dscp ba-classifier forwarding-class be-class loss-priority high code-points 000001
set class-of-service classifiers dscp ba-classifier forwarding-class ef-class loss-priority high code-points 101111
set class-of-service classifiers dscp ba-classifier forwarding-class af-class loss-priority high code-points 001100
set class-of-service classifiers dscp ba-classifier forwarding-class nc-class loss-priority high code-points 110001
set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp ba-classifier
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Behavior Aggregate Classifiers for a device in PMI:
Configure the class of service.
[edit]
user@host# edit class-of-service
Configure behavior aggregate classifiers for Differentiated Services (DiffServ) CoS.
[edit class-of-service]
user@host# edit classifiers dscp ba-classifier
user@host# set import default
Configure a best-effort forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier]
user@host# set forwarding-class be-class loss-priority high code-points 000001
Configure an expedited forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier]
user@host# set forwarding-class ef-class loss-priority high code-points 101111
Configure an assured forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier]
user@host# set forwarding-class af-class loss-priority high code-points 001100
Configure a network control forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier]
user@host# set forwarding-class nc-class loss-priority high code-points 110001
Apply the behavior aggregate classifier to an interface.
[edit]
user@host# set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp ba-classifier
Results
From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show class-of-service
classifiers {
    dscp ba-classifier {
        import default;
        forwarding-class be-class {
            loss-priority high code-points 000001;
        }
        forwarding-class ef-class {
            loss-priority high code-points 101111;
        }
        forwarding-class af-class {
            loss-priority high code-points 001100;
        }
        forwarding-class nc-class {
            loss-priority high code-points 110001;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            classifiers {
                dscp ba-classifier;
            }
        }
    }
}
If you are done configuring the device, enter commit
from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Classifier is applied to the Interfaces
Purpose
Make sure that the classifier is applied to the correct interfaces.
Action
From operational mode, enter the show class-of-service interface ge-0/0/0 command.
user@host> show class-of-service interface ge-0/0/0
Physical interface: ge-0/0/0, Index: 144
Queues supported: 8, Queues in use: 4
  Scheduler map: <default>, Index: 2
  Congestion-notification: Disabled
  Logical interface: ge-0/0/0.0, Index: 333
    Object                  Name               Type      Index
    Classifier              ba-classifier      dscp      10755
Meaning
The interfaces are configured as expected.
Example: Configuring Behavior Aggregate Classifier in PMI for vSRX Virtual Firewall instances
This example shows how to configure behavior aggregate (BA) classifiers for a vSRX Virtual Firewall instance to determine forwarding treatment of packets in PMI.
Requirements
This example uses the following hardware and software components:
A vSRX Virtual Firewall instance.
Junos OS Release 19.4R1 and later releases.
Before you begin:
Determine the forwarding class and packet loss priority (PLP) that are assigned by default to each well-known DSCP that you want to configure for the behavior aggregate classifier.
Overview
Configure behavior aggregate classifiers to classify the packets that contain valid DSCPs to appropriate queues. Once configured, you apply the behavior aggregate classifier to the correct interfaces.
You override the default IP precedence classifier by defining a classifier and applying it to a logical interface. To define new classifiers for all code point types, include the classifiers statement at the [edit class-of-service] hierarchy level.
In this example, set the DSCP behavior aggregate classifier ba-classifier as the default DSCP map. Set a best-effort forwarding class be-class, an expedited forwarding class ef-class, an assured forwarding class af-class, and a network control forwarding class nc-class.
Finally, apply the behavior aggregate classifier to the interface ge-0/0/0.
Table 2 shows how the behavior aggregate classifier assigns loss priorities to incoming packets in the four forwarding classes.
Forwarding Class | For CoS Traffic Type | ba-classifier Assignments
---|---|---
be-class | Best-effort traffic | High-priority code point: 000001
ef-class | Expedited forwarding traffic | High-priority code point: 101111
af-class | Assured forwarding traffic | High-priority code point: 001100
nc-class | Network control traffic | High-priority code point: 110001
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set class-of-service classifiers dscp ba-classifier forwarding-class be loss-priority low code-points be
set class-of-service classifiers dscp ba-classifier forwarding-class ef loss-priority low code-points ef
set class-of-service classifiers dscp ba-classifier forwarding-class ef loss-priority high code-points af41
set class-of-service classifiers dscp ba-classifier forwarding-class ef loss-priority high code-points af11
set class-of-service classifiers dscp ba-classifier forwarding-class ef loss-priority high code-points af31
set class-of-service classifiers dscp ba-classifier forwarding-class low_delay loss-priority low code-points af21
set class-of-service classifiers dscp ba-classifier forwarding-class low_loss loss-priority low code-points cs6
set class-of-service drop-profiles drop_profile fill-level 20 drop-probability 50
set class-of-service drop-profiles drop_profile fill-level 50 drop-probability 100
set class-of-service forwarding-classes queue 0 be
set class-of-service forwarding-classes queue 1 ef
set class-of-service forwarding-classes queue 2 low_delay
set class-of-service forwarding-classes queue 3 low_loss
set class-of-service interfaces ge-0/0/1 unit 0 classifiers dscp ba-classifier
set class-of-service interfaces ge-0/0/3 unit 0 scheduler-map SCHEDULER-MAP
set class-of-service interfaces ge-0/0/3 unit 0 shaping-rate 2k
set class-of-service scheduler-maps SCHEDULER-MAP forwarding-class ef scheduler voice
set class-of-service schedulers voice buffer-size temporal 5k
set class-of-service schedulers voice drop-profile-map loss-priority any protocol any drop-profile drop_profile
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Behavior Aggregate Classifiers for a device in PMI:
Configure the class of service.
[edit]
user@host# edit class-of-service
Configure behavior aggregate classifiers for Differentiated Services (DiffServ) CoS.
[edit class-of-service]
user@host# edit classifiers dscp ba-classifier
Configure a best-effort forwarding class classifier.
[edit class-of-service classifiers dscp ba-classifier]
user@host# set forwarding-class be loss-priority low code-points be
Configure the expedited forwarding, low-delay, and low-loss forwarding class classifiers.
[edit class-of-service classifiers dscp ba-classifier]
user@host# set forwarding-class ef loss-priority low code-points ef
user@host# set forwarding-class ef loss-priority high code-points af41
user@host# set forwarding-class ef loss-priority high code-points af11
user@host# set forwarding-class ef loss-priority high code-points af31
user@host# set forwarding-class low_delay loss-priority low code-points af21
user@host# set forwarding-class low_loss loss-priority low code-points cs6
Configure drop profiles.
[edit class-of-service drop-profiles]
user@host# set drop_profile fill-level 20 drop-probability 50
user@host# set drop_profile fill-level 50 drop-probability 100
Configure the forwarding class queues.
[edit class-of-service forwarding-classes]
user@host# set queue 0 be
user@host# set queue 1 ef
user@host# set queue 2 low_delay
user@host# set queue 3 low_loss
Apply the classifier, the scheduler map, and the shaping rate to the interfaces.
[edit class-of-service]
user@host# set interfaces ge-0/0/1 unit 0 classifiers dscp ba-classifier
user@host# set interfaces ge-0/0/3 unit 0 scheduler-map SCHEDULER-MAP
user@host# set interfaces ge-0/0/3 unit 0 shaping-rate 2k
Configure the schedulers.
[edit class-of-service]
user@host# set scheduler-maps SCHEDULER-MAP forwarding-class ef scheduler voice
user@host# set schedulers voice buffer-size temporal 5k
user@host# set schedulers voice drop-profile-map loss-priority any protocol any drop-profile drop_profile
Results
From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show class-of-service
classifiers {
    dscp ba-classifier {
        forwarding-class be {
            loss-priority low code-points be;
        }
        forwarding-class ef {
            loss-priority low code-points ef;
            loss-priority high code-points [ af41 af11 af31 ];
        }
        forwarding-class low_delay {
            loss-priority low code-points af21;
        }
        forwarding-class low_loss {
            loss-priority low code-points cs6;
        }
    }
}
drop-profiles {
    drop_profile {
        fill-level 20 drop-probability 50;
        fill-level 50 drop-probability 100;
    }
}
forwarding-classes {
    queue 0 be;
    queue 1 ef;
    queue 2 low_delay;
    queue 3 low_loss;
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            classifiers {
                dscp ba-classifier;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            scheduler-map SCHEDULER-MAP;
            shaping-rate 2k;
        }
    }
}
scheduler-maps {
    SCHEDULER-MAP {
        forwarding-class ef scheduler voice;
    }
}
schedulers {
    voice {
        buffer-size temporal 5k;
        drop-profile-map loss-priority any protocol any drop-profile drop_profile;
    }
}
If you are done configuring the device, enter commit
from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Classifier is applied to the Interfaces
Purpose
Verify that the classifier is configured properly and confirm that the forwarding classes are configured correctly.
Action
From operational mode, enter the show class-of-service forwarding-class command.
user@host> show class-of-service forwarding-class
Forwarding class   ID   Queue   Restricted queue   Fabric priority   Policing priority   SPU priority
be                  0     0         0               low               normal              low
ef                  1     1         1               low               normal              low
low_delay           2     2         2               low               normal              low
low_loss            3     3         3               low               normal              low
Meaning
The output shows the configured custom classifier settings.
Example: Configuring and Applying a Firewall Filter for a Multifield Classifier in PMI
This example shows how to configure a firewall filter that classifies traffic into different forwarding classes by DSCP value and multifield (MF) classifier in PMI.
The classifier detects packets of interest to class of service (CoS) as they arrive on an interface. MF classifiers are used when a simple behavior aggregate (BA) classifier is insufficient to classify a packet, when peering routers do not have CoS bits marked, or the peering router’s marking is untrusted.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall.
Junos OS Release 19.1R1 and later releases.
Before you begin:
Determine the forwarding classes that are assigned by default to each well-known DSCP that you want to configure for the MF classifier. See Improving IPsec Performance with PowerMode IPsec.
Overview
This example explains how to configure the firewall filter mf-classifier. To configure the MF classifier, create and name the assured forwarding traffic class, set its match condition, and specify the destination address 192.168.44.55. Create the forwarding class for assured forwarding DiffServ traffic as af-class and set the loss priority to low.
Next, create and name the expedited forwarding traffic class and set its match condition: specify the destination address 192.168.66.77. Create the forwarding class for expedited forwarding DiffServ traffic as ef-class and apply the policer ef-policer. The policer ef-policer must already be defined under [edit firewall policer] before you commit; its configuration is not shown in this example. Then create and name the network control traffic class and set its match condition.
Create and name the forwarding class for the network control traffic class as nc-class, and the forwarding class for the best-effort traffic class as be-class. Finally, apply the multifield classifier firewall filter as an input and output filter on each customer-facing or host-facing interface that needs the filter. In this example, the input filter is applied to interface ge-0/0/2 and the output filter to interface ge-0/0/4.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set firewall filter mf-classifier interface-specific
set firewall filter mf-classifier term assured-forwarding from destination-address 192.168.44.55
set firewall filter mf-classifier term assured-forwarding then forwarding-class af-class
set firewall filter mf-classifier term assured-forwarding then loss-priority low
set firewall filter mf-classifier term expedited-forwarding from destination-address 192.168.66.77
set firewall filter mf-classifier term expedited-forwarding then forwarding-class ef-class
set firewall filter mf-classifier term expedited-forwarding then policer ef-policer
set firewall filter mf-classifier term network-control from precedence net-control
set firewall filter mf-classifier term network-control then forwarding-class nc-class
set firewall filter mf-classifier term best-effort then forwarding-class be-class
set interfaces ge-0/0/2 unit 0 family inet filter input mf-classifier
set interfaces ge-0/0/4 unit 0 family inet filter output mf-classifier
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a Firewall Filter for a Multifield Classifier for a device in PMI:
Create and name the multifield classifier filter.
[edit]
user@host# edit firewall filter mf-classifier
user@host# set interface-specific
Create and name the term for the assured forwarding traffic class.
[edit firewall filter mf-classifier]
user@host# edit term assured-forwarding
Specify the destination address for assured forwarding traffic.
[edit firewall filter mf-classifier term assured-forwarding]
user@host# set from destination-address 192.168.44.55
Create the forwarding class and set the loss priority for the assured forwarding traffic class.
[edit firewall filter mf-classifier term assured-forwarding]
user@host# set then forwarding-class af-class
user@host# set then loss-priority low
Create and name the term for the expedited forwarding traffic class.
[edit]
user@host# edit firewall filter mf-classifier
user@host# edit term expedited-forwarding
Specify the destination address for the expedited forwarding traffic.
[edit firewall filter mf-classifier term expedited-forwarding]
user@host# set from destination-address 192.168.66.77
Create the forwarding class and apply the policer for the expedited forwarding traffic class.
[edit firewall filter mf-classifier term expedited-forwarding]
user@host# set then forwarding-class ef-class
user@host# set then policer ef-policer
Create and name the term for the network control traffic class.
[edit]
user@host# edit firewall filter mf-classifier
user@host# edit term network-control
Create the match condition for the network control traffic class.
[edit firewall filter mf-classifier term network-control]
user@host# set from precedence net-control
Create and name the forwarding class for the network control traffic class.
[edit firewall filter mf-classifier term network-control]
user@host# set then forwarding-class nc-class
Create and name the term for the best-effort traffic class.
[edit]
user@host# edit firewall filter mf-classifier
user@host# edit term best-effort
Create and name the forwarding class for the best-effort traffic class.
[edit firewall filter mf-classifier term best-effort]
user@host# set then forwarding-class be-class
Apply the multifield classifier firewall filter as an input filter.
[edit]
user@host# set interfaces ge-0/0/2 unit 0 family inet filter input mf-classifier
Apply the multifield classifier firewall filter as an output filter.
[edit]
user@host# set interfaces ge-0/0/4 unit 0 family inet filter output mf-classifier
Results
From configuration mode, confirm your configuration by entering the show firewall filter mf-classifier command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show firewall filter mf-classifier
interface-specific;
term assured-forwarding {
    from {
        destination-address {
            192.168.44.55/32;
        }
    }
    then {
        loss-priority low;
        forwarding-class af-class;
    }
}
term expedited-forwarding {
    from {
        destination-address {
            192.168.66.77/32;
        }
    }
    then {
        policer ef-policer;
        forwarding-class ef-class;
    }
}
term network-control {
    from {
        precedence net-control;
    }
    then forwarding-class nc-class;
}
term best-effort {
    then forwarding-class be-class;
}
From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show interfaces
ge-0/0/2 {
    unit 0 {
        family inet {
            filter {
                input mf-classifier;
            }
        }
    }
}
ge-0/0/4 {
    unit 0 {
        family inet {
            filter {
                output mf-classifier;
            }
        }
    }
}
If you are done configuring the device, enter commit
from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying a Firewall Filter for a Multifield Classifier Configuration
Purpose
Verify that a firewall filter for a multifield classifier is configured properly on a device and confirm that the forwarding classes are configured correctly.
Action
From operational mode, enter the show class-of-service forwarding-class command.
user@host> show class-of-service forwarding-class
Forwarding class   ID   Queue   Restricted queue   Fabric priority   Policing priority   SPU priority
BE-data             0     0         0               low               normal              low
Premium-data        1     1         1               low               normal              low
Voice               2     2         2               low               normal              low
NC                  3     3         3               low               normal              low
Meaning
The output shows the configured custom classifier settings.
Example: Configuring and Applying Rewrite Rules on a Security Device in PMI
This example shows how to configure and apply rewrite rules for a device in PMI.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall.
Junos OS Release 19.1R1 and later releases.
Before you begin:
Create and configure the forwarding classes. See Improving IPsec Performance with PowerMode IPsec.
Overview
This example explains how to configure rewrite rules to replace CoS values on packets received from the customer or host with the values expected by other SRX Series Firewalls. You do not have to configure rewrite rules if the received packets already contain valid CoS values. Rewrite rules apply the forwarding class information and packet loss priority used internally by the device to establish the CoS value on outbound packets. After you configure the rewrite rules, apply them to the correct interfaces.
In this example, configure the rewrite rule for DiffServ CoS as rewrite-dscps. Specify the best-effort forwarding class as be-class, the expedited forwarding class as ef-class, the assured forwarding class as af-class, and the network control class as nc-class. Finally, apply the rewrite rule to the ge-0/0/0 interface.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class be-class loss-priority low code-point 000000
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class be-class loss-priority high code-point 000001
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class ef-class loss-priority low code-point 101110
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class ef-class loss-priority high code-point 101111
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class af-class loss-priority low code-point 001010
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class af-class loss-priority high code-point 001100
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class nc-class loss-priority low code-point 110000
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class nc-class loss-priority high code-point 110001
set class-of-service interfaces ge-0/0/0 unit 0 rewrite-rules dscp rewrite-dscps
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure and apply Rewrite Rules for a device in PMI:
Configure rewrite rules for DiffServ CoS.
[edit]
user@host# edit class-of-service
user@host# edit rewrite-rules dscp rewrite-dscps
Configure best-effort forwarding class rewrite rules.
[edit class-of-service rewrite-rules dscp rewrite-dscps]
user@host# set forwarding-class be-class loss-priority low code-point 000000
user@host# set forwarding-class be-class loss-priority high code-point 000001
Configure expedited forwarding class rewrite rules.
[edit class-of-service rewrite-rules dscp rewrite-dscps]
user@host# set forwarding-class ef-class loss-priority low code-point 101110
user@host# set forwarding-class ef-class loss-priority high code-point 101111
Configure assured forwarding class rewrite rules.
[edit class-of-service rewrite-rules dscp rewrite-dscps]
user@host# set forwarding-class af-class loss-priority low code-point 001010
user@host# set forwarding-class af-class loss-priority high code-point 001100
Configure network control class rewrite rules.
[edit class-of-service rewrite-rules dscp rewrite-dscps]
user@host# set forwarding-class nc-class loss-priority low code-point 110000
user@host# set forwarding-class nc-class loss-priority high code-point 110001
Apply rewrite rules to an interface.
[edit class-of-service]
user@host# set interfaces ge-0/0/0 unit 0 rewrite-rules dscp rewrite-dscps
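The rewrite table above, carried through on an actual IPv4 header as an added example (this is not code from the Junos documentation): the function replaces the six DSCP bits according to the (forwarding class, loss priority) pair the device assigned, keeps the two ECN bits untouched, and recomputes the header checksum so the marked packet is still valid. The packet bytes and class tags are constructed sample input, and the function names are assumptions for this example.

```python
import struct

# Rewrite table taken from the example above: (forwarding-class, loss-priority) -> DSCP.
REWRITE_DSCPS = {
    ("be-class", "low"): 0b000000,
    ("be-class", "high"): 0b000001,
    ("ef-class", "low"): 0b101110,
    ("ef-class", "high"): 0b101111,
    ("af-class", "low"): 0b001010,
    ("af-class", "high"): 0b001100,
    ("nc-class", "low"): 0b110000,
    ("nc-class", "high"): 0b110001,
}

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rewrite_dscp(packet: bytes, forwarding_class: str, loss_priority: str) -> bytes:
    """Copy of packet with its DSCP replaced per REWRITE_DSCPS (ECN bits kept)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    dscp = REWRITE_DSCPS[(forwarding_class, loss_priority)]   # KeyError if untagged
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)     # top six bits = DSCP, low two = ECN
    hdr[10:12] = b"\x00\x00"                   # checksum field is zero while summing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def dscp_of(packet: bytes) -> int:
    """Six-bit DSCP currently carried in the packet's TOS byte."""
    return packet[1] >> 2

def build_sample_packet(tos: int) -> bytes:
    """Constructed 20-byte IPv4 header (no options) plus a 4-byte payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 24, 0x1234, 0, 64, 17, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + b"\xde\xad\xbe\xef"
```

A packet that arrives from a host already marked EF (DSCP 46) but classified internally as be-class with high loss priority leaves with DSCP 1, which is exactly why the rewrite rule is applied on the outbound interface: the marking the peer firewall sees comes from the device's own classification, not from whatever the host set.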
Results
From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show class-of-service
interfaces {
    ge-0/0/0 {
        unit 0 {
            rewrite-rules {
                dscp rewrite-dscps;
            }
        }
    }
}
rewrite-rules {
    dscp rewrite-dscps {
        forwarding-class be-class {
            loss-priority low code-point 000000;
            loss-priority high code-point 000001;
        }
        forwarding-class ef-class {
            loss-priority low code-point 101110;
            loss-priority high code-point 101111;
        }
        forwarding-class af-class {
            loss-priority low code-point 001010;
            loss-priority high code-point 001100;
        }
        forwarding-class nc-class {
            loss-priority low code-point 110000;
            loss-priority high code-point 110001;
        }
    }
}
If you are done configuring the device, enter commit
from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Rewrite Rules Configuration
Purpose
Verify that rewrite rules are configured properly.
Action
From operational mode, enter the show class-of-service command.
user@host> show class-of-service
Physical interface: ge-0/0/0, Index: 130
Maximum usable queues: 8, Queues in use: 4
Scheduled map: <default>, Index: 2
Congestion-notification: Disabled
Logical interface: ge-0/0/0, Index: 71
Object        Name                    Type    Index
Classifier    ipprec-compatibility    ip      13
Meaning
Rewrite rules are configured on the ge-0/0/0 interface as expected.
Configure IPsec ESP Authentication-only Mode in PMI
PMI introduces a new data path for achieving high IPsec throughput. Starting in Junos OS Release 19.4R1, on the SRX5000 line with the SRX5K-SPC3 card, you can use Encapsulating Security Payload (ESP) authentication-only mode in PMI mode, which provides authentication, integrity checking, and replay protection without encrypting the data packets.
Starting in Junos OS Release 22.1R3, PMI express path processing is supported for passthrough ESP traffic on SRX Series Firewalls.
Before you begin:
Make sure that the session is PMI capable. See VPN Session Affinity.
To configure ESP authentication-only mode: