Using MF filters to perform CoS based on prefixes in a SRX or J series router

If you have a J series or SRX with some networks downstream that should share an Internet connection equally or unequally, and you do not care about sorting traffic on layer 4 or using standard DSCP classification, it is enough that each subnet gets the share of the bandwidth you want to give it. This is how you do it.

The example below is a J/SRX router with ge-0/0/0.0 towards the Internet and ge-0/0/1.0 to ge-0/0/4.0 towards four subnets, where ge-0/0/1.0 should have 40 percent of the bandwidth guaranteed and ge-0/0/2.0 to ge-0/0/4.0 should have 20 percent each. Any unused bandwidth is shared between whichever subnets have traffic.

If you are running the SRX or J series in flow mode, you also need the security stanza configured correctly (zones, address books, NAT rules, security policies and so on) for the traffic to flow at all. The example below is strictly the CoS configuration.

Another limitation is that this method only works for a small number of subnets, since an interface only has 8 queues, and not all of them are free for this purpose.

/*
Make sure each interface does per-unit scheduling, in case we end up using a single IFD with several IFLs instead of separate physical interfaces. The config below works with both models.
*/

set interfaces ge-0/0/0 per-unit-scheduler
set interfaces ge-0/0/1 per-unit-scheduler
set interfaces ge-0/0/2 per-unit-scheduler
set interfaces ge-0/0/3 per-unit-scheduler
set interfaces ge-0/0/4 per-unit-scheduler

/*
Import the default DSCP classifier. The MF firewall filters override its result anyway, but CoS wants a classifier configured.
*/

set class-of-service classifiers dscp MyClassifier import default

/*
The reason for the odd mapping of queues to forwarding classes is that queue 0 (best-effort) and queue 3 (network-control) already receive hard-coded traffic by default, such as the router's own control traffic, so we leave those two alone.
*/

set class-of-service forwarding-classes queue 1 SUBNET1
set class-of-service forwarding-classes queue 2 SUBNET2
set class-of-service forwarding-classes queue 4 SUBNET3
set class-of-service forwarding-classes queue 5 SUBNET4

/*
The transmit-rate percentage is a guaranteed share. Bandwidth left unused by one scheduler is shared among the others that have traffic, since they all have the same priority. Note that scheduling happens per egress interface: the four subnets only compete with each other on an interface they share, which in this topology is ge-0/0/0 towards the Internet (the upstream direction), or a single IFD carrying all subnets as IFLs.
*/

set class-of-service schedulers SUBNET1 transmit-rate percent 40
set class-of-service schedulers SUBNET1 buffer-size percent 40
set class-of-service schedulers SUBNET1 priority low

set class-of-service schedulers SUBNET2 transmit-rate percent 20
set class-of-service schedulers SUBNET2 buffer-size percent 20
set class-of-service schedulers SUBNET2 priority low

set class-of-service schedulers SUBNET3 transmit-rate percent 20
set class-of-service schedulers SUBNET3 buffer-size percent 20
set class-of-service schedulers SUBNET3 priority low

set class-of-service schedulers SUBNET4 transmit-rate percent 20
set class-of-service schedulers SUBNET4 buffer-size percent 20
set class-of-service schedulers SUBNET4 priority low

/*
Map each forwarding class to its scheduler.
*/

set class-of-service scheduler-maps MyMap forwarding-class SUBNET1 scheduler SUBNET1
set class-of-service scheduler-maps MyMap forwarding-class SUBNET2 scheduler SUBNET2
set class-of-service scheduler-maps MyMap forwarding-class SUBNET3 scheduler SUBNET3
set class-of-service scheduler-maps MyMap forwarding-class SUBNET4 scheduler SUBNET4

/*
Apply the scheduler map and classifier to the interfaces. This can be repeated for several IFLs under one IFD if needed. I assume here that we can use the separate physical interfaces ge-0/0/0 to ge-0/0/4, but the config works with a single IFD carrying several IFLs as well. I skip rewrite rules entirely since we will not be using DSCP at all; we just want to map traffic to queues so it can be scheduled.
*/

set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp MyClassifier
set class-of-service interfaces ge-0/0/0 unit 0 scheduler-map MyMap

set class-of-service interfaces ge-0/0/1 unit 0 classifiers dscp MyClassifier
set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map MyMap

set class-of-service interfaces ge-0/0/2 unit 0 classifiers dscp MyClassifier
set class-of-service interfaces ge-0/0/2 unit 0 scheduler-map MyMap

set class-of-service interfaces ge-0/0/3 unit 0 classifiers dscp MyClassifier
set class-of-service interfaces ge-0/0/3 unit 0 scheduler-map MyMap

set class-of-service interfaces ge-0/0/4 unit 0 classifiers dscp MyClassifier
set class-of-service interfaces ge-0/0/4 unit 0 scheduler-map MyMap

/*
Now we need MF filters to move traffic into the forwarding classes. This ties the forwarding classes defined under class-of-service to the traffic matched by the firewall filter, using prefix lists created under policy-options. Each term also counts its hits so the classification can be verified later.
*/

set policy-options prefix-list SUBNET1 192.168.1.0/24
set policy-options prefix-list SUBNET2 192.168.2.0/24
set policy-options prefix-list SUBNET3 192.168.3.0/24
set policy-options prefix-list SUBNET4 192.168.4.0/24

set firewall filter MapCoS term SUBNET1 from prefix-list SUBNET1
set firewall filter MapCoS term SUBNET1 then forwarding-class SUBNET1
set firewall filter MapCoS term SUBNET1 then count SUBNET1
set firewall filter MapCoS term SUBNET1 then accept

set firewall filter MapCoS term SUBNET2 from prefix-list SUBNET2
set firewall filter MapCoS term SUBNET2 then forwarding-class SUBNET2
set firewall filter MapCoS term SUBNET2 then count SUBNET2
set firewall filter MapCoS term SUBNET2 then accept

set firewall filter MapCoS term SUBNET3 from prefix-list SUBNET3
set firewall filter MapCoS term SUBNET3 then forwarding-class SUBNET3
set firewall filter MapCoS term SUBNET3 then count SUBNET3
set firewall filter MapCoS term SUBNET3 then accept

set firewall filter MapCoS term SUBNET4 from prefix-list SUBNET4
set firewall filter MapCoS term SUBNET4 then forwarding-class SUBNET4
set firewall filter MapCoS term SUBNET4 then count SUBNET4
set firewall filter MapCoS term SUBNET4 then accept

/*
A Junos filter ends with an implicit discard. Without a final catch-all term, every packet that is neither from nor to one of the four prefixes (traffic to the router's own address on ge-0/0/0, for example) would be silently dropped. Accept such traffic unclassified instead.
*/

set firewall filter MapCoS term default then accept

/*
Since the terms match on prefix-list, which matches a packet if either its source or its destination address is in the list (unlike source-prefix-list or destination-prefix-list), the same filter can be applied as an input filter on every interface involved: on ge-0/0/1 to ge-0/0/4 it classifies upstream traffic by source subnet, and on ge-0/0/0 it classifies downstream traffic by destination subnet. One caveat: an input filter sees the packet as it arrives on the wire, before the flow module applies NAT. If the subnets are source-NATed behind the router's public address, the return traffic arriving on ge-0/0/0 is addressed to that public address, matches none of the subnet terms and, unless the filter ends with a term that accepts everything else, is dropped by the implicit discard. In that setup only the upstream direction, classified by source on the LAN interfaces and scheduled on ge-0/0/0 egress where the subnets actually compete for the same link, is split per subnet.
*/

set interfaces ge-0/0/0 unit 0 description "Internet"
set interfaces ge-0/0/0 unit 0 family inet address 193.221.119.4/27
set interfaces ge-0/0/0 unit 0 family inet filter input MapCoS

set interfaces ge-0/0/1 unit 0 description "SUBNET1"
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet filter input MapCoS

set interfaces ge-0/0/2 unit 0 description "SUBNET2"
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/2 unit 0 family inet filter input MapCoS

set interfaces ge-0/0/3 unit 0 description "SUBNET3"
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/3 unit 0 family inet filter input MapCoS

set interfaces ge-0/0/4 unit 0 description "SUBNET4"
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/4 unit 0 family inet filter input MapCoS

Which queue the traffic lands in on each interface, and whether any queue is dropping, can be verified from operational mode with:
show interfaces queue ge-0/0/0.0
show interfaces queue ge-0/0/1.0
show interfaces queue ge-0/0/2.0
show interfaces queue ge-0/0/3.0
show interfaces queue ge-0/0/4.0
and the per-term hit counts of the filter (for terms that have a count action) with:
show firewall filter MapCoS
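Because the whole recipe is a handful of set lines that reference each other by name, the mistakes that actually bite are consistency ones: a forwarding class named twice so the fourth scheduler-map and filter entry point at nothing, buffer-size percentages that add up to more than 100, and a filter with no catch-all term so everything outside the four prefixes hits the implicit discard. The script below is an added example (my own code, not from the original post and not a Juniper tool) that checks a trimmed copy of the configuration offline for exactly those things and then walks a packet through the filter terms to show the point made above about prefix-list matching either address. CONFIG_BAD is constructed for the example, with two deliberate mistakes and no catch-all term; the three sample packets are likewise made up, and 193.221.119.4 stands in for the router's own public address, as a post-NAT return packet would be addressed.

```python
"""Offline linter and dry-run for the MF-filter CoS snippet in this post.
Added example, not code from the post or from Juniper: parses Junos 'set' lines for
the stanzas used above, reports mistakes that are easy to make by hand, and walks a
packet through the filter. CONFIG_BAD is constructed, with deliberate mistakes."""
import ipaddress
import re
from collections import defaultdict

CONFIG_BAD = """
set class-of-service forwarding-classes queue 1 SUBNET1
set class-of-service forwarding-classes queue 2 SUBNET2
set class-of-service forwarding-classes queue 4 SUBNET3
set class-of-service forwarding-classes queue 5 SUBNET3
set class-of-service schedulers SUBNET1 transmit-rate percent 40
set class-of-service schedulers SUBNET1 buffer-size percent 40
set class-of-service schedulers SUBNET2 transmit-rate percent 20
set class-of-service schedulers SUBNET2 buffer-size percent 20
set class-of-service schedulers SUBNET3 transmit-rate percent 20
set class-of-service schedulers SUBNET3 buffer-size percent 20
set class-of-service schedulers SUBNET4 transmit-rate percent 20
set class-of-service schedulers SUBNET4 buffer-size percent 40
set policy-options prefix-list SUBNET1 192.168.1.0/24
set policy-options prefix-list SUBNET2 192.168.2.0/24
set policy-options prefix-list SUBNET3 192.168.3.0/24
set policy-options prefix-list SUBNET4 192.168.4.0/24
set firewall filter MapCoS term SUBNET1 from prefix-list SUBNET1
set firewall filter MapCoS term SUBNET1 then forwarding-class SUBNET1
set firewall filter MapCoS term SUBNET4 from prefix-list SUBNET4
set firewall filter MapCoS term SUBNET4 then forwarding-class SUBNET4
"""
# Same snippet with the two typos fixed and a catch-all accept term appended.
CONFIG_GOOD = (CONFIG_BAD.replace("queue 5 SUBNET3", "queue 5 SUBNET4")
               .replace("SUBNET4 buffer-size percent 40", "SUBNET4 buffer-size percent 20")
               + "set firewall filter MapCoS term default then accept\n")

RULES = {  # what kind of statement a 'set' line is -> regex that extracts its fields
    "fc": r"forwarding-classes queue (\d+) (\S+)$",
    "sched": r"schedulers (\S+) (transmit-rate|buffer-size) percent (\d+)$",
    "pl": r"policy-options prefix-list (\S+) (\S+)$",
    "from": r"filter (\S+) term (\S+) from prefix-list (\S+)$",
    "setfc": r"filter (\S+) term (\S+) then forwarding-class (\S+)$",
    "act": r"filter (\S+) term (\S+) then (accept|discard)$",
}

def parse(config):
    cfg = {"fc": defaultdict(list), "sched": defaultdict(dict),
           "pl": defaultdict(list), "terms": defaultdict(dict)}
    for line in config.strip().splitlines():
        for kind, pattern in RULES.items():
            m = re.search(pattern, line.strip())
            if not m:
                continue
            g = m.groups()
            if kind == "fc":
                cfg["fc"][g[1]].append(int(g[0]))  # class name -> every queue it was given
            elif kind == "sched":
                cfg["sched"][g[0]][g[1]] = int(g[2])
            elif kind == "pl":
                cfg["pl"][g[0]].append(ipaddress.ip_network(g[1]))
            else:  # filter term lines; dict insertion order keeps the terms in config order
                t = cfg["terms"][g[0]].setdefault(g[1], {"from": [], "fc": None, "action": None})
                if kind == "from":
                    t["from"].append(g[2])
                elif kind == "setfc":
                    t["fc"] = g[2]
                else:
                    t["action"] = g[2]
            break
    return cfg

def lint(cfg):
    """Return human-readable problems; an empty list means the snippet is consistent."""
    problems = [f"forwarding-class {n} defined more than once (queues {q})"
                for n, q in cfg["fc"].items() if len(q) > 1]
    for key in ("transmit-rate", "buffer-size"):
        total = sum(s.get(key, 0) for s in cfg["sched"].values())
        if total > 100:
            problems.append(f"{key} percentages sum to {total}, more than 100")
    for fname, terms in cfg["terms"].items():
        for tname, t in terms.items():
            if t["fc"] and t["fc"] not in cfg["fc"]:
                problems.append(f"filter {fname} term {tname} sets undefined forwarding-class {t['fc']}")
        last = list(terms.values())[-1]
        if last["from"] or last["action"] != "accept":
            problems.append(f"filter {fname} has no catch-all accept term; unmatched packets hit the implicit discard")
    return problems

def classify(cfg, filter_name, src, dst):
    """Walk the terms in order. 'from prefix-list' matches if EITHER the source or the
    destination address is in the list; a matched term without a terminating action
    accepts; running off the end of the filter is the implicit discard."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tname, t in cfg["terms"][filter_name].items():
        if not t["from"] or any(src in n or dst in n for pl in t["from"] for n in cfg["pl"][pl]):
            return tname, t["fc"], t["action"] or "accept"
    return None, None, "discard"

if __name__ == "__main__":
    print(lint(parse(CONFIG_BAD)), lint(parse(CONFIG_GOOD)) or "no problems")
    print(classify(parse(CONFIG_GOOD), "MapCoS", "8.8.8.8", "193.221.119.4"))
```

Run it as a plain script. The broken copy produces four findings (the duplicate SUBNET3, buffer sizes summing to 120, the filter term pointing at an undefined SUBNET4, and the missing catch-all); the corrected copy produces none. The dry-run shows why the one filter works in both directions: a packet from 192.168.1.5 to the Internet hits term SUBNET1 by source, a packet from the Internet to 192.168.4.7 hits term SUBNET4 by destination, and a packet addressed to the router's own 193.221.119.4 hits only the catch-all, which is the outcome you want for post-NAT return traffic rather than the implicit discard it gets in the broken copy.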

Try it out!

This entry was posted in Juniper Networking, Juniper Security, Networking, Security.

2 Responses to Using MF filters to perform CoS based on prefixes in a SRX or J series router

  1. izaak99 says:

    This helped me out tremendously since Juniper's KB article (22066) example was missing so many pieces and explanations of how this works. One big question I have though, you have percents as the transmit-rate, if you want them to have 20Mbs as in your picture, shouldn't it be "transmit-rate 20M" vs "transmit-rate percent 20"?

    Also, Juniper’s KB article is opposite of how the majority of people would be using this (they are restricting bandwidth TO the internet vs FROM, so the outgoing interface has a specified bandwidth amount). Assuming you do want to slice it up into percents, where would you define the total bandwidth? The problem I’m having is my interfaces are 1G, my ISP is 100Mbs. Where can I define that these schedulers should be using 100Mbs vs 1G?

    Lastly…
    “set class-of-service schedulers SUBNET4 buffer-size percent 40” I’m assuming should be “set class-of-service schedulers SUBNET4 buffer-size percent 20”.

    On the SRX, the syntax for “set class-of-service forwarding-classes SUBNET1 queue 1” is actually “set class-of-service forwarding-classes queue 1 SUBNET1” (reversed) just FYI.

    • patrik says:

      Hello!

      Sorry for being late with my answer. Happy to hear you liked my article!
      Thanks for the good insight on the SRX forwarding-class assignment.
      The reason I used percent in transmit-rate was simply I assumed a fast ethernet interface on the SRX. You are free to use bandwidth statement instead to be more precise no matter the media.
      Cheers
      Patrik
      PS Any other subjects you would like to read about?
