Tournament 4: Ecuador Challenge & Solution: Class of Service at Egress L3VPN PE
Country Flag: Ecuador
Author: Antonio Sánchez-Monge
Title: Class of Service at Egress L3VPN PE
Type: Service Provider
Difficulty: High (2 points).
Technical Description: With three configuration set commands, make sure that the traffic going from CE1 to CE2 is correctly classified and counted on its way out of PE2.
For this challenge, you need to start the topology called: “Ecuador – Class of Service on an Egress PE”.
When you try to solve this challenge, leave a ping command running all the time from CE1 to CE2:
juniper@CE1> ping 10.2.2.2 interval 0.1
PING 10.2.2.2 (10.2.2.2): 56 data bytes
64 bytes from 10.2.2.2: icmp_seq=0 ttl=61 time=25.413 ms
64 bytes from 10.2.2.2: icmp_seq=1 ttl=61 time=30.553 ms
64 bytes from 10.2.2.2: icmp_seq=2 ttl=61 time=30.512 ms
Let’s focus on PE2, the egress PE. The ICMP echo requests are being sent out to CE2 over Queue #1, as you can check with the following command:
juniper@PE2> show interfaces queue ge-0/0/1 | except " 0"
However, the output firewall filter applied to ge-0/0/1.0 is not counting the packets, as you can check with:
juniper@PE2> show firewall
You need to change the configuration at PE2 so that the traffic:
- Is still sent out of Queue #1
- Increments the firewall filter “checkFC” counter “ef”.
You are not allowed to change the definition of the filter “checkFC”, nor the way it is applied. It must stay applied only to ge-0/0/1.0, and only in the output direction. And it must be the only output filter applied to ge-0/0/1.0.
You need to accomplish the fix with three set commands:
<set command #1>
<set command #2>
<set command #3>
Note: Although the CoS toolset is larger on other platforms, VJX is not that flexible. You need to find a method that achieves this on the VJX. The method is applicable to other platforms too, but those platforms have fewer limitations.
To solve this challenge, please submit the three set commands that are issued on PE2.
Configure at PE2:
set routing-instances myVRF vrf-table-label
set routing-instances myVRF forwarding-options family inet filter output myFilter
set firewall family inet filter myFilter term myTerm then forwarding-class expedited-forwarding