
QoS traffic classification not working on EX3300

  • 1.  QoS traffic classification not working on EX3300

    Posted 08-17-2015 01:32

    Hi there,

     

    I'm trying to classify certain traffic into a customized forwarding-class on EX3300 version 12.3R6.6, but it doesn't work. Below is my configuration. What am I doing wrong?

     

    1. Create a customized forwarding-class

    class-of-service {
        forwarding-classes {
            class voice queue-num 6;
        }
    }

     

    2. define firewall filter voip_class to classify the interested traffic

    firewall {
        family ethernet-switching {
            filter voip_class {
                term voip {
                    from {
                        destination-address {
                            10.69.217.179/32;
                        }
                        protocol tcp;
                    }
                    then {
                        accept;
                        forwarding-class voice;
                        loss-priority low;
                    }
                }
                term network_control {
                    from {
                        precedence [ net-control internet-control ];
                    }
                    then {
                        forwarding-class network-control;
                        loss-priority low;
                    }
                }
                term best_effort_traffic {
                    then {
                        forwarding-class best-effort;
                        loss-priority low;
                    }
                }
            }
        }
    }

     

    3. apply the firewall filter voip_class as an input filter to the interface where source is located

    ge-0/0/12 {
        description TO-PHY-MONITOR-SRV-ETH0;
        unit 0 {
            family ethernet-switching {
                filter {
                    input voip_class;
                }
            }
        }
    }

     

    After the configuration, I used iperf3 to generate TCP traffic from a host connected to ge-0/0/12 destined for 10.69.217.179. But when I used "run show interfaces queue ge-0/0/12", the result shows that the traffic is still classified as the default forwarding-class best-effort:

    Physical interface: ge-0/0/12, Enabled, Physical link is Up
      Interface index: 141, SNMP ifIndex: 526
      Description: TO-PHY-MONITOR-SRV-ETH0
    Forwarding classes: 16 supported, 5 in use
    Egress queues: 8 supported, 5 in use
    Queue: 0, Forwarding classes: best-effort
      Queued:
      Transmitted:
        Packets              :                 83675
        Bytes                :               6540209
        Tail-dropped packets :                     0
        RL-dropped packets   :                     0
        RL-dropped bytes     :                     0
    Queue: 1, Forwarding classes: assured-forwarding
      Queued:
      Transmitted:
        Packets              :                     0
        Bytes                :                     0
        Tail-dropped packets :                     0
        RL-dropped packets   :                     0
        RL-dropped bytes     :                     0
    Queue: 5, Forwarding classes: expedited-forwarding
      Queued:
      Transmitted:
        Packets              :                     0
        Bytes                :                     0
        Tail-dropped packets :                     0
        RL-dropped packets   :                     0
        RL-dropped bytes     :                     0
    Queue: 6, Forwarding classes: voice
      Queued:
      Transmitted:
        Packets              :                     0
        Bytes                :                     0
        Tail-dropped packets :                     0
        RL-dropped packets   :                     0
        RL-dropped bytes     :                     0
    Queue: 7, Forwarding classes: network-control
      Queued:
      Transmitted:
        Packets              :                   903
        Bytes                :                 82601
        Tail-dropped packets :                     0
        RL-dropped packets   :                     0
        RL-dropped bytes     :                     0



  • 2.  RE: QoS traffic classification not working on EX3300
    Best Answer

     
    Posted 08-17-2015 03:59

    Hi,

     

    Looks like you are missing the schedulers which will queue the traffic egress from the switch.

     

    See;

     

    http://www.juniper.net/documentation/en_US/junos12.1/topics/example/cos-scheduler-security-configuring.html

     

    The multifield classification looks fine, but it is also helpful to put counters on each term so when you generate traffic you can check for specific term matches. 

     

    When you look at the interface queues you need to look at the egress port not the ingress.

     

    ie

     

    iperf -> in:ge-0/0/12 -> out:ge-x/x/x -> iperf-client

     

    You should do 'show interfaces queue ge-x/x/x'. If the traffic was in the reverse direction, then you would check the queues for ge-0/0/12.

     

    Create a scheduler, apply it to the egress port and it should work.

     

    Tim



  • 3.  RE: QoS traffic classification not working on EX3300

    Posted 08-17-2015 17:35

    Hi Tim,

     

    Thank you so much. Your solution works. But when adding the counter, I got a commit check failure.

    I added "set firewall family ethernet-switching filter voip_class term voip then count voip_counter", then performed a commit check. I got the following error:

     

    Referenced filter 'voip_class' can not be used as count not supported on ingress

     

    Does it mean a counter can only be applied on firewall filters that are applied as output filters?

     

    Also I'm a bit confused. Does the switch have an ingress queue? Can QoS be applied on the ingress queue? Because from the output of the "show interface queue" command, it seems that the switch only cares about the egress queue.



  • 4.  RE: QoS traffic classification not working on EX3300

     
    Posted 08-17-2015 17:49

    What version of junos do you have on your EX3300? There are some differences between EX/MX/SRX with regards to the granularity of the filters, but I have counts on my EX3300's and EX4200's with 11.4 and 12.3.

     

    edit: I see you are using 12.3. Can you show me the configuration that you tried with the count? I confirmed on EX3300 running 11.4 and EX4200 with 12.3R6.

     

    family ethernet-switching {
        filter multifield-classifier {
            term voice {
                from {
                    destination-address x.x.x.x/24;
                    protocol udp;
                }
                then {
                    accept;
                    forwarding-class voice;
                    loss-priority low;
                    count voice;
                }
            }
        }
    }

    and the counters from 'show firewall'

     

    Filter: multifield-classifier                                  
    Counters:
    Name                                                Bytes              Packets
    besteffort                                    91012603970            342975492

     

    Also if you are using MFC extensively, consider moving the firewall filter from the interface onto the L2 vlan.

     

    ie

     

    vlans {
        Data {
            vlan-id x;
            filter {
                input MFC;
            }
        }
    }

    Tim



  • 5.  RE: QoS traffic classification not working on EX3300

    Posted 08-17-2015 17:56

    Hi Tim,

     

    My EX3300 version is 12.3R6.6

    The configuration is exactly the same as it is in my first post. Is there any additional configuration you need to know?



  • 6.  RE: QoS traffic classification not working on EX3300

     
    Posted 08-17-2015 18:03

    Can you add a count to 1 term, run 'show | compare' then 'commit check', and show me the output of both, please?

     

    I found an existing EX3300 with 12.3R6 and it has counts as well ingress on the VLAN.



  • 7.  RE: QoS traffic classification not working on EX3300

    Posted 08-17-2015 18:07

    show | compare

     

    [edit firewall family ethernet-switching filter voip_class term voip then]
    +       count voip_counter;

     

    commit check

     

    [edit interfaces ge-0/0/12 unit 0 family ethernet-switching]
      'filter'
        Referenced filter 'voip_class' can not be used as count not supported on ingress
    error: configuration check-out failed

     

    show version

    Model: ex3300-48t
    JUNOS Base OS boot [12.3R6.6]
    JUNOS Base OS Software Suite [12.3R6.6]
    JUNOS Kernel Software Suite [12.3R6.6]
    JUNOS Crypto Software Suite [12.3R6.6]
    JUNOS Online Documentation [12.3R6.6]
    JUNOS Enterprise Software Suite [12.3R6.6]
    JUNOS Packet Forwarding Engine Enterprise Software Suite [12.3R6.6]
    JUNOS Routing Software Suite [12.3R6.6]
    JUNOS Web Management [12.3R6.6]
    JUNOS FIPS mode utilities [12.3R6.6]



  • 8.  RE: QoS traffic classification not working on EX3300

     
    Posted 08-17-2015 18:09

    Can you move the filter to the VLAN like I mentioned above? This is what I have deployed in production. 

     

    It might not be supported on the interface specifically... filters do not scale on the interface as each filter/term key pair takes up TCAM and can be exhausted quickly.

     

    Tim



  • 9.  RE: QoS traffic classification not working on EX3300

    Posted 08-17-2015 18:16

    Hi Tim,

     

    You are right. Moving the filter to vlan makes it work.

    Thanks a lot.



  • 10.  RE: QoS traffic classification not working on EX3300

    Posted 03-31-2016 22:58

    I have a similar scenario.

    I have an EX2200 (VC 2 members) 12.3R9.

    It is L2 only.  Vlan 119 is my 'voice' vlan.  The RVI terminating it is upstream on a trunk on this EX2200 to another EX2200.

    Phone on port ge-1/0/30, IP 192.168.19.59

    Trunk on ge-0/1/3

     

    Config as per following,

     

    \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
    manager@Level-14-330-Switch> show configuration class-of-service
    forwarding-classes {
        class expedited-forwarding queue-num 5;
        class best-effort queue-num 0;
        class network-control queue-num 7;
    }
    interfaces {
        ge-0/1/3 {
            scheduler-map cos-map;
        }
    }
    scheduler-maps {
        cos-map {
            forwarding-class expedited-forwarding scheduler voice_scheduler;
            forwarding-class best-effort scheduler besteffort_scheduler;
            forwarding-class network-control scheduler networkcontrol_scheduler;
        }
    }
    schedulers {
        voice_scheduler {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority strict-high;
        }
        besteffort_scheduler {
            transmit-rate percent 35;
            buffer-size percent 35;
            priority low;
        }
        networkcontrol_scheduler {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority strict-high;
        }
    }

    ---------------------------------------------------------------------------------------------------------

    manager@Level-14-330-Switch> show configuration firewall
    family ethernet-switching {
        filter voice_class {
            term network_control {
                from {
                    precedence [ net-control internet-control ];
                }
                then {
                    forwarding-class network-control;
                    loss-priority low;
                }
            }
            term best_effort {
                then {
                    forwarding-class best-effort;
                    loss-priority low;
                }
            }
            term voice {
                from {
                    source-address {
                        192.168.19.0/24;
                    }
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                }
            }
            term else {
                then accept;
            }
        }
    }

    ---------------------------------------------------------------------------------------------------------


    manager@Level-14-330-Switch> show configuration interfaces ge-1/0/30
    description " CSBC Voice ";
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members VLAN_19;
            }
            filter {
                input voice_class;
            }
        }
    }

    manager@Level-14-330-Switch> show configuration vlans VLAN_19
    description " CSBC Voice ";
    vlan-id 119;
    filter {
        input voice_class;
    }

    \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

     

    I cannot see 'expedited-forwarding / queue 5' tx and rx counters incrementing when traffic is generated on port ge-1/0/30 sourced from address 192.168.19.59.
    I understand counters are shown on egress.
    But I cannot see them on ge-0/1/3 either, where they are meant to appear.  I have all my schedulers and scheduler-maps configured.

     

    Why can't I get that queue showing counters incrementing on my trunk for the expedited-forwarding (hardware queue 5)?



  • 11.  RE: QoS traffic classification not working on EX3300

    Posted 04-04-2016 00:21

    Whoops.. Firewall is top down..

     

    Terms were incorrectly positioned...

    \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    term network_control {.....}
    term best_effort {.....}
    term voice {.....}
    term else
    then accept;

    \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    ..

    term voice should have been at the top, then network control and then best effort....

     

    All solved.
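
The ordering mistake described in post 11, as an added example that is not part of the original thread: a Python check that parses a filter in Junos curly-brace syntax and lists terms that can never be evaluated because an earlier term has no `from` clause. The sample filter is constructed to mirror the term order in post 10, the function names are hypothetical, and the check assumes a term without `from` matches all traffic and ends evaluation unless it uses `next term`.

```python
import re

# Constructed sample: same term order as the voice_class filter in post 10.
FILTER = """
filter voice_class {
    term network_control {
        from { precedence [ net-control internet-control ]; }
        then { forwarding-class network-control; loss-priority low; }
    }
    term best_effort {
        then { forwarding-class best-effort; loss-priority low; }
    }
    term voice {
        from { source-address { 192.168.19.0/24; } }
        then { forwarding-class expedited-forwarding; loss-priority low; }
    }
    term else { then accept; }
}
"""

def parse(tokens):
    """Parse Junos curly-brace statements into an ordered [(words, children)]."""
    out, words = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok in ("{", ";"):
            out.append((words, parse(tokens) if tok == "{" else []))
            words = []
        else:
            words.append(tok)
    return out

def words_of(stmt):
    """All words of a statement, including those of nested statements."""
    return stmt[0] + [w for kid in stmt[1] for w in words_of(kid)]

def shadowed_terms(config):
    """Return [(unreachable_term, catch_all_term)] under first-match evaluation."""
    tree = parse(re.findall(r"[{};]|[^\s{};]+", config))
    findings, catch_all = [], None
    for words, body in tree[0][1]:  # statements inside 'filter <name> { ... }'
        if words[:1] != ["term"]:
            continue
        if catch_all:
            findings.append((words[1], catch_all))
            continue
        has_from = any(stmt[0][:1] == ["from"] for stmt in body)
        continues = any("next term" in " ".join(words_of(s)) for s in body)
        if not has_from and not continues:
            catch_all = words[1]  # assumed to match every packet and stop here
    return findings
```

Run against the post-10 order, `shadowed_terms(FILTER)` flags `voice` as unreachable behind `best_effort`; with `voice` moved to the top only the trailing `else` term remains shadowed.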

     

     



  • 12.  RE: QoS traffic classification not working on EX3300

    Posted 04-04-2016 00:43

    A final note...

     

    I don't understand why.. http://www.juniper.net/techpubs/en_US/junos12.3/topics/example/cos-ex-series-configuring.html, the firewall filter is matching 'source' port instead of 'destination' port.. in those matching conditions... ?

     

    It is counterintuitive..

    The source port is a random 5-digit number, and the DESTINATION port is what the services listen in on...

     

    Can anyone share some input as to why source is used and not DESTINATION with ethernet-switching firewall filter ?



  • 13.  RE: QoS traffic classification not working on EX3300

     
    Posted 08-17-2015 18:12