Junos Cup 2014

Tournament 4: Ecuador Challenge & Solution: Class of Service at Egress L3VPN PE

‎07-03-2014 07:08 AM

Country Flag: Ecuador

 

Author: Antonio Sánchez-Monge

 

Title: Class of Service at Egress L3VPN PE

 

Type: Service Provider

 

Difficulty: High (2 points).

 

Technical Description: With three configuration set commands, make sure that the traffic going from CE1 to CE2 is correctly classified and counted on its way out of PE2.

 

Topology:

 

[Figure: Ecuador-Topology]

 

Challenge Instructions:

For this challenge, you need to start the topology called: “Ecuador – Class of Service on an Egress PE”.

 

When you try to solve this challenge, leave a ping command running all the time from CE1 to CE2:

 

juniper@CE1> ping 10.2.2.2 interval 0.1

PING 10.2.2.2 (10.2.2.2): 56 data bytes

64 bytes from 10.2.2.2: icmp_seq=0 ttl=61 time=25.413 ms

64 bytes from 10.2.2.2: icmp_seq=1 ttl=61 time=30.553 ms

64 bytes from 10.2.2.2: icmp_seq=2 ttl=61 time=30.512 ms

[...]

 

Let’s focus on PE2, the egress PE. The ICMP echo requests are being sent out to CE2 over Queue #1, as you can check with the following command:

juniper@PE2> show interfaces queue ge-0/0/1 | except "    0"

 

However, the output firewall filter applied to ge-0/0/1.0 is not counting the packets, as you can check with:

juniper@PE2> show firewall

 

You need to change the configuration at PE2 so that the traffic:

- Is still sent out of Queue #1

- Increments the firewall filter “checkFC” counter “ef”.

 

You are not allowed to change the definition of the filter “checkFC”, nor the way it is applied. It must stay applied only to ge-0/0/1.0, and only in the output direction. And it must be the only output filter applied to ge-0/0/1.0.

 

You need to accomplish the fix with three set commands:

configure

<set command #1>

<set command #2>

<set command #3>

commit

 

Note: The COS toolset is larger on other platforms, but VJX is not that flexible, so you need to find a method that achieves it on the VJX. The method is applicable to other platforms too, and those platforms have fewer limitations.

 

To solve this challenge please submit the three set commands that are issued on PE2.

 

OFFICIAL SOLUTION:

 

Configure at PE2:

 

set routing-instances myVRF vrf-table-label

set routing-instances myVRF forwarding-options family inet filter output myFilter

set firewall family inet filter myFilter term myTerm then forwarding-class expedited-forwarding

 

 

Julie Wider
Advocacy Manager
Twitter: @JNetCommunity & @jawider