Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  CoS for Marked and Unmarked traffic

     
    Posted 06-25-2018 06:22

    Hi,

     

    I am trying to get the following configured and am having problems with the docs....

     

    SIP-VOIP will be marked traffic entering the network (101110 - 46) and so therefore I configure a classifier, maybe as follows:

     

    set class-of-service classifiers dscp sip-voice forwarding-class SIP-VOICE loss-priority high code-points 101110

    set class-of-service classifiers dscp sip-voice forwarding-class SIP-VOICE loss-priority low code-points 101111

     

    Okay, I can set a policer with this and can get it to work. However, I believe this configuration is designed for MARKED traffic. The rest of the traffic that is entering that interface is going to be UNMARKED best-effort traffic. This, I believe, is configured under the "Firewall filter" section, maybe as follows:

     

    set firewall family inet filter rest-of-traffic term best-effort from ? ..... It's at this point that I am a little lost, as I was hoping there would be an option for "all the rest of the traffic".... there is an interface option but would that also take into account the DSCP marked traffic? 

     

    At this point, rather than a "yes" or "no" answer to that question, it would be great if someone could actually give a snippet of code to configure this so I can truly separate the traffic as required.

     

    Thanks



  • 2.  RE: CoS for Marked and Unmarked traffic
    Best Answer

     
    Posted 06-25-2018 08:04
    set firewall filter Cos term 1 from dscp af11
    set firewall filter Cos term 1 then forwarding-class expedited-forwarding ---> term 1 to put the known dscp traffic to the respective queue

    set firewall filter Cos term 2 then forwarding-class assured-forwarding ----> Term 2 for remaining traffic to the specific queue


    Apply this filter as Input on the interface.


  • 3.  RE: CoS for Marked and Unmarked traffic

     
    Posted 06-26-2018 00:48

    Thank you gentlemen for your responses. Perfect.... just what I was after.... very much appreciated.



  • 4.  RE: CoS for Marked and Unmarked traffic

     
    Posted 06-27-2018 03:18

    I have it working perfectly and also for any type of attack too..... For other people looking for an answer, I thought I would post it here:

     

    First up, I set the drop-profile.... this is required for RED and for class-of-service, a must:

    set class-of-service drop-profiles low-drop fill-level 95 drop-probability 0
    set class-of-service drop-profiles low-drop fill-level 100 drop-probability 100
    set class-of-service drop-profiles med-drop fill-level 75 drop-probability 0
    set class-of-service drop-profiles med-drop fill-level 95 drop-probability 30
    set class-of-service drop-profiles high-drop fill-level 50 drop-probability 0
    set class-of-service drop-profiles high-drop fill-level 95 drop-probability 50

     

    Next up, we need to configure the schedulers themselves (Just read up on what the schedulers do) - Make sure you set the transmit-rates and buffer sizes to what you require. The small size and temporal count on one of the schedulers is for traffic that is unwanted.

    set class-of-service schedulers be transmit-rate percent 65
    set class-of-service schedulers be buffer-size percent 65
    set class-of-service schedulers be priority medium-low
    set class-of-service schedulers be drop-profile-map loss-priority high protocol any drop-profile high-drop
    set class-of-service schedulers be drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
    set class-of-service schedulers be drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
    set class-of-service schedulers be drop-profile-map loss-priority low protocol any drop-profile low-drop
    set class-of-service schedulers nc transmit-rate percent 5
    set class-of-service schedulers nc buffer-size percent 5
    set class-of-service schedulers nc priority medium-high
    set class-of-service schedulers nc drop-profile-map loss-priority high protocol any drop-profile high-drop
    set class-of-service schedulers nc drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
    set class-of-service schedulers nc drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
    set class-of-service schedulers nc drop-profile-map loss-priority low protocol any drop-profile low-drop
    set class-of-service schedulers ef transmit-rate 5k
    set class-of-service schedulers ef transmit-rate exact
    set class-of-service schedulers ef buffer-size temporal 1
    set class-of-service schedulers ef priority low
    set class-of-service schedulers ef drop-profile-map loss-priority high protocol any drop-profile high-drop
    set class-of-service schedulers ef drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
    set class-of-service schedulers ef drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
    set class-of-service schedulers ef drop-profile-map loss-priority low protocol any drop-profile low-drop
    set class-of-service schedulers sv transmit-rate percent 30
    set class-of-service schedulers sv buffer-size percent 30
    set class-of-service schedulers sv priority high
    set class-of-service schedulers sv drop-profile-map loss-priority high protocol any drop-profile high-drop
    set class-of-service schedulers sv drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
    set class-of-service schedulers sv drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
    set class-of-service schedulers sv drop-profile-map loss-priority low protocol any drop-profile low-drop

     

    Now we can set up the scheduler-maps (These maps reference the schedulers and the schedulers reference the drop-profiles):

    set class-of-service scheduler-maps normal forwarding-class best-effort scheduler be
    set class-of-service scheduler-maps normal forwarding-class expedited-forwarding scheduler ef
    set class-of-service scheduler-maps normal forwarding-class SIP-VOICE scheduler sv
    set class-of-service scheduler-maps normal forwarding-class network-control scheduler nc

     

    Now we actually need to assign this to an interface.... as this is a scheduler and scheduler-maps, they are assigned to the egress interface. We don't assign to an interface as such, but more we set the interface inside the class-of service and assign the scheduler map as follows:

    set class-of-service interfaces xe-1/2/5 scheduler-map normal

     

    Okay, so you now have your exit schedulers configured and ready to go, but we have yet to assign any classifiers on the ingress interface to place into the queues. Here's how I did this (as there are two ways of doing this) - Mine is configured for voice traffic and then everything else:

    set firewall filter cos term 1 from dscp 46
    set firewall filter cos term 1 from dscp 26
    set firewall filter cos term 1 then forwarding-class SIP-VOICE
    set firewall filter cos term 1 then accept
    set firewall filter cos term 2 then forwarding-class best-effort
    set firewall filter cos term 2 then accept

     

    The 46 and 26 mentioned above are dscp code-points for SIP and RTP.... you can also view the binary for this when viewing class-of-service interface (interface name) comprehensive.

     

    The tricky part was always going to be "How are we going to know if we are being attacked, as the traffic is unlikely to be known"? Well, there is no easy way as I found. MX has built-in default DDoS protection anyway, so I decided to rely on source and a manual input resolution as follows:

    set firewall filter cos term 3 from source-address (attacking source or subnet)

    set firewall filter cos term 3 then forwarding-class DDoS

    set firewall filter cos term 3 then accept

     

    I didn't want to deny it here as I want to view some of the packets, but I've sent them to a queue that is only 3k in bandwidth.... 

     

    Hope this helps...
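To check how the filter in this post actually steers traffic, here is an added Python model (not code from the thread or from Juniper) of Junos first-match term evaluation, using a constructed placeholder subnet for the post's "(attacking source or subnet)". It models three Junos rules: terms are tried in configuration order, a term with no from clause matches every packet, and accept is a terminating action. Under those rules term 3 as listed can only see traffic if it sits before term 2 (for an existing filter, `insert firewall filter cos term 3 before term 2` reorders it), and putting the source-based term first also means a listed source reaches the DDoS queue regardless of how it is marked.

```python
"""Model of how Junos evaluates the posted firewall filter.

Added example for this thread, not code from the post. It models three
Junos filter rules: terms are tried in configuration order; a term with
no 'from' clause matches every packet; 'accept' and 'discard' are
terminating actions, and a filter ends in an implicit discard.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address, dotted quad
    dscp: int     # DSCP value 0..63


@dataclass(frozen=True)
class Term:
    name: str
    dscp: frozenset = frozenset()          # empty: no dscp match condition
    sources: tuple = ()                    # empty: no source-address condition
    forwarding_class: Optional[str] = None
    action: str = "accept"                 # terminating action

    def is_catch_all(self) -> bool:
        return not self.dscp and not self.sources

    def matches(self, pkt: Packet) -> bool:
        if self.dscp and pkt.dscp not in self.dscp:
            return False
        if self.sources:
            addr = ipaddress.ip_address(pkt.src)
            if not any(addr in net for net in self.sources):
                return False
        return True


def evaluate(terms, pkt: Packet) -> Tuple[Optional[str], Optional[str], str]:
    """Return (term name, forwarding class, action) from the first matching term."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.forwarding_class, term.action
    return None, None, "discard"          # implicit discard at the end of a filter


def shadowed_terms(terms):
    """Names of terms placed after a catch-all term; they can never be reached."""
    shadowed, catch_all_seen = [], False
    for term in terms:
        if catch_all_seen:
            shadowed.append(term.name)
        elif term.is_catch_all():
            catch_all_seen = True
    return shadowed


# Constructed placeholder for the post's "(attacking source or subnet)": TEST-NET-2.
ATTACK_NET = ipaddress.ip_network("198.51.100.0/24")

# The filter as posted: term 1 (dscp 46/26), term 2 (no 'from'), term 3 (source).
POSTED_ORDER = (
    Term("1", dscp=frozenset({46, 26}), forwarding_class="SIP-VOICE"),
    Term("2", forwarding_class="best-effort"),
    Term("3", sources=(ATTACK_NET,), forwarding_class="DDoS"),
)

# The same terms with the source-based term first and the catch-all last.
REORDERED = (POSTED_ORDER[2], POSTED_ORDER[0], POSTED_ORDER[1])


if __name__ == "__main__":
    samples = [Packet("198.51.100.7", 0), Packet("198.51.100.7", 46), Packet("10.0.0.5", 26)]
    for label, terms in (("posted", POSTED_ORDER), ("reordered", REORDERED)):
        print(f"{label}: shadowed terms = {shadowed_terms(terms)}")
        for pkt in samples:
            print(f"  {pkt.src} dscp={pkt.dscp} -> {evaluate(terms, pkt)}")
```

The `shadowed_terms` check only flags terms behind a term with no match conditions; a term can also be shadowed by an earlier term whose conditions are a superset of its own, which this model does not detect.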



  • 5.  RE: CoS for Marked and Unmarked traffic

     
    Posted 06-27-2018 04:22

    Thanks for sharing the working config for other users.



  • 6.  RE: CoS for Marked and Unmarked traffic

    Posted 06-26-2018 00:11

    Hi!

     

    If you do not want to change CoS classification for the rest of the traffic and expect it to be processed as the default, you can use the keyword "import default" within the classifier itself. So the classification you specifically configured will be used and the rest of the undefined classification will be picked up from the default config.

     

    I don't think you need a multi-field classifier here..

     

    labroot# set classifiers dscp test import ?
    Possible completions:
    <import> Include this classifier in this definition
    default Default classifier for this code point type

     

    Hope it helps!
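An added Python model (not code from the thread or from Juniper) of the classifier lookup this reply describes. It parses the two classifier lines from the first post plus a constructed "import default" line in the same set-command form, then resolves code points: explicitly configured entries win, and with the import present the remaining code points come from the default table. Two things in it are assumptions to verify on the router with `show class-of-service classifier name <name>`: the default DSCP table is Juniper's documented dscp-default classifier reproduced from memory, and the fallback for a classifier without the import is modelled as best-effort/low. The cs6 case shows why the import matters in the model: without it, network-control marked traffic lands in best-effort.

```python
"""Parser/model for a Junos DSCP behaviour-aggregate classifier with 'import default'.

Added example for this thread, not code from the post. It reads the set
commands quoted in the thread, applies the user-defined code points, and
falls back to the platform default DSCP classifier when 'import default'
is present.
"""
import re
from typing import Dict, Tuple

# Standard DSCP aliases Junos accepts as code points (value = 6-bit DSCP).
DSCP_ALIASES = {
    "be": 0, "cs1": 8, "af11": 10, "af12": 12, "af13": 14, "cs2": 16,
    "af21": 18, "af22": 20, "af23": 22, "cs3": 24, "af31": 26, "af32": 28,
    "af33": 30, "cs4": 32, "af41": 34, "af42": 36, "af43": 38, "cs5": 40,
    "ef": 46, "cs6": 48, "cs7": 56,
}

# Junos default DSCP classifier (dscp-default), reproduced from its documentation:
# ef -> expedited-forwarding, cs6/cs7 -> network-control, everything else -> best-effort.
# Verify on the box with: show class-of-service classifier name dscp-default
DEFAULT_DSCP_CLASSIFIER = {46: ("expedited-forwarding", "low"),
                           48: ("network-control", "low"),
                           56: ("network-control", "low")}
DEFAULT_UNLISTED = ("best-effort", "low")


def parse_code_point(token: str) -> int:
    """Accept an alias (ef, af11), the 6-bit binary form from the thread, or decimal."""
    token = token.lower()
    if token in DSCP_ALIASES:
        return DSCP_ALIASES[token]
    if re.fullmatch(r"[01]{6}", token):     # binary form, e.g. 101110
        return int(token, 2)
    value = int(token)                      # decimal form
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP out of range: {token}")
    return value


class DscpClassifier:
    def __init__(self, name: str):
        self.name = name
        self.mappings: Dict[int, Tuple[str, str]] = {}
        self.import_default = False

    def feed(self, set_line: str) -> bool:
        """Consume one 'set ... classifiers dscp <name> ...' line; return True if it applied."""
        toks = set_line.split()
        if "classifiers" not in toks:
            return False
        i = toks.index("classifiers")
        if toks[i + 1:i + 3] != ["dscp", self.name]:
            return False
        rest = toks[i + 3:]
        if rest[:2] == ["import", "default"]:
            self.import_default = True
            return True
        fc = rest[rest.index("forwarding-class") + 1]
        lp = rest[rest.index("loss-priority") + 1]
        # code-points may be a single value or a bracketed list
        cps = [t for t in rest[rest.index("code-points") + 1:] if t not in ("[", "]")]
        for cp in cps:
            self.mappings[parse_code_point(cp)] = (fc, lp)
        return True

    def classify(self, dscp: int) -> Tuple[str, str]:
        if dscp in self.mappings:            # explicitly configured entries win
            return self.mappings[dscp]
        if self.import_default:              # otherwise inherit the default table
            return DEFAULT_DSCP_CLASSIFIER.get(dscp, DEFAULT_UNLISTED)
        # Assumption (verify with 'show class-of-service classifier name <name>'):
        # without the import, unlisted code points are treated as best-effort/low.
        return DEFAULT_UNLISTED


# The two classifier lines from the first post, plus an 'import default' line
# in the form this reply suggests (constructed here for the example).
THREAD_LINES = [
    "set class-of-service classifiers dscp sip-voice forwarding-class SIP-VOICE loss-priority high code-points 101110",
    "set class-of-service classifiers dscp sip-voice forwarding-class SIP-VOICE loss-priority low code-points 101111",
]
IMPORT_LINE = "set class-of-service classifiers dscp sip-voice import default"


def build(lines) -> DscpClassifier:
    clf = DscpClassifier("sip-voice")
    for line in lines:
        clf.feed(line)
    return clf


if __name__ == "__main__":
    for label, lines in (("without import", THREAD_LINES),
                         ("with import default", THREAD_LINES + [IMPORT_LINE])):
        clf = build(lines)
        print(label)
        for cp in ("ef", "101111", "cs6", "af11"):
            print(f"  {cp:>7} -> {clf.classify(parse_code_point(cp))}")
```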