Junos Cup 2014
Junos Cup 2014

Tournament 4: Ecuador Challenge & Solution: Class of Service at Egress L3VPN PE

[ Edited ]
‎07-03-2014 07:08 AM

Country Flag: Ecuador


Author: Antonio Sánchez-Monge


Title: Class of Service at Egress L3VPN PE


Type: Service Provider


Difficulty: High (2 points).


Technical Description: With three configuration set commands, make sure that the traffic going from CE1 to CE2 is correctly classified and counted on its way out of PE2.






Challenge Instructions:

For this challenge, you need to start the topology called: “Ecuador – Class of Service on an Egress PE”.


When you try to solve this challenge, leave a ping command running all the time from CE1 to CE2:


juniper@CE1> ping interval 0.1

PING ( 56 data bytes

64 bytes from icmp_seq=0 ttl=61 time=25.413 ms

64 bytes from icmp_seq=1 ttl=61 time=30.553 ms

64 bytes from icmp_seq=2 ttl=61 time=30.512 ms



Let’s focus on PE2, the egress PE. The ICMP echo requests are being sent out to CE2 over Queue #1, as you can check with the following command:

juniper@PE2> show interfaces queue ge-0/0/1 | except "    0"


However, the output firewall filter applied to ge-0/0/1.0 is not counting the packets, as you can check with:

juniper@PE2> show firewall


You need to change the configuration at PE2 so that the traffic:

-       Is still sent out of Queue #1

-       Increments the firewall filter “checkFC” counter “ef”.


You are not allowed to change the definition of the filter “checkFC”, nor the way it is applied. It must stay applied only to ge-0/0/1.0, and only in the output direction. And it must be the only output filter applied to ge-0/0/1.0.


You need to accomplish the fix with three set commands:


<set command #1>

<set command #2>

<set command #3>



Note: Although in other platforms the COS toolset is larger, VJX is not that flexible. You need to find a method to achieve it on the VJX. Although this method is applicable to other platforms too, other platforms have less limitations.


To solve this challenge please submit the three set commands that are issued on PE2.




Configure at PE2:


set routing-instances myVRF vrf-table-label                                                      


set routing-instances myVRF forwarding-options family inet filter output myFilter


set firewall family inet filter myFilter term myTerm then forwarding-class expedited-forwarding   



Julie Wider
Advocacy Manager
Twitter: @JNetCommunity & @jawider