How to Match Traffic Using Multifield Classifiers in Junos

Multifield (MF) classifiers examine the packet’s header and, based on its contents, assign the packet to a forwarding class. Unlike behavior aggregate (BA) classifiers, which look only at the CoS bits in the header, MF classifiers can match on other header fields as well.

If you accept the premise that your neighboring networks don’t know or don’t care what CoS bits are set in packets that are sent to your network, you have to find a different way to match traffic. You can do so in two easy ways:

  • Look at where the traffic is from.

  • Look at where the traffic is heading.

Match traffic based on the source address

In many cases, the source address of a packet tells you what type of packet it is. For example, imagine that you have an application server with the address 192.168.66.77. Any packet that has that source address in its header can be classified the same way. In this case, you basically assign those packets to the forwarding class tied to that application or set of applications.

For this scenario, assume that inbound traffic has a source address of 192.168.66.77, and that traffic from this host is to be classified with the other business-critical applications grouped into the cos-buscrit forwarding class. Configure a firewall filter that matches on the source address:

[edit firewall]
filter mf-classifier {
    interface-specific;
    term assured-forwarding {
        from {
            source-address 192.168.66.77;
        }
        then {
            forwarding-class cos-buscrit;
            loss-priority low;
        }
    }
    /* Catch-all term: without it, traffic from any other source would hit the implicit discard at the end of the filter. */
    term accept-rest {
        then accept;
    }
}

This configuration matches all traffic whose source address is 192.168.66.77. Any traffic that meets that condition is assigned to the cos-buscrit forwarding class, and its packet loss priority (PLP) is set to low. Because a Junos firewall filter discards any packet that matches none of its terms, make sure the filter ends with a term that accepts everything else; otherwise traffic from every other source is silently dropped.

You must then apply the filter to an interface. Because you’re matching on inbound traffic, you want the configuration to be an input filter.

[edit interfaces]
t1-0/0/1 {
    unit 0 {
        family inet {
            filter input mf-classifier;
        }
    }
}

All inbound IPv4 traffic on the specified interface is evaluated against the filter.

Instead of the filter input statement, you can use the input-list statement:

[edit interfaces]
t1-0/0/1 {
    unit 0 {
        family inet {
            filter input-list mf-classifier;
        }
    }
}

If you use the input-list statement, you can later add more firewall filters to the same interface if you ever need to. With the input statement, you can configure only one filter per interface at a time.

Match traffic based on destination port

In addition to being able to match traffic based on where it originates, you can often determine the type of packet (and therefore the proper packet classification) based on the destination port. For example, some applications use well-known ports.

SIP is an excellent example. SIP uses port 5060, so you can match packets on their destination port: any packet with a destination port of 5060 can be classified with the other SIP traffic. Note that a destination-port condition on its own matches both TCP and UDP, so Juniper recommends pairing it with a protocol match condition (protocol udp, for example) so that the term only catches the transport your SIP deployment actually uses.

In this example, all voice traffic (including signaling) is being handled as part of the cos-voice forwarding class.

[edit firewall]
filter voice-mf-classifier {
    interface-specific;
    term expedited-forwarding {
        from {
            destination-port 5060;
        }
        then {
            forwarding-class cos-voice;
            loss-priority low;
        }
    }
    /* Catch-all term so that non-SIP traffic is not discarded by the filter. */
    term accept-rest {
        then accept;
    }
}
[edit interfaces]
t1-0/0/0 {
    unit 0 {
        family inet {
            filter input-list voice-mf-classifier;
        }
    }
}

This configuration defines another input filter, applied to t1-0/0/0, that matches on the destination port. Traffic matching the specified port is classified as voice traffic and placed in the cos-voice forwarding class defined previously.
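As an added illustration (not code from the page or from Juniper), the following Python models how Junos walks the terms of the two filters above, mf-classifier and voice-mf-classifier: the first matching term wins, a term's forwarding-class and loss-priority actions imply accept, a packet that matches no term falls into the implicit discard, and the filters of an input-list run one after another. The filter and term names come from the page; the accept-rest catch-all term, the packet dictionaries and the best-effort/low starting values are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the page's two filters. Each term has optional
# "from" match conditions and a "then" clause, as in the Junos configuration.
MF_CLASSIFIER = [
    {"name": "assured-forwarding",
     "from": {"source-address": "192.168.66.77/32"},
     "then": {"forwarding-class": "cos-buscrit", "loss-priority": "low"}},
]
VOICE_MF_CLASSIFIER = [
    {"name": "expedited-forwarding",
     "from": {"destination-port": 5060},
     "then": {"forwarding-class": "cos-voice", "loss-priority": "low"}},
]
# Catch-all term (hypothetical name); without it, unmatched packets fall
# through to the implicit discard at the end of every Junos filter.
ACCEPT_REST = {"name": "accept-rest", "then": {"accept": True}}


def term_matches(term, pkt):
    """True when every condition in the term's 'from' clause matches pkt."""
    cond = term.get("from", {})
    if "source-address" in cond and \
            ip_address(pkt["src"]) not in ip_network(cond["source-address"]):
        return False
    if "destination-port" in cond and pkt["dport"] != cond["destination-port"]:
        return False
    return True


def run_filter(terms, pkt, state):
    """First matching term wins. Non-terminating actions (forwarding-class,
    loss-priority) imply accept; no match at all means implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            then = term["then"]
            for key in ("forwarding-class", "loss-priority"):
                if key in then:
                    state[key] = then[key]
            return "discard" if then.get("discard") else "accept"
    return "discard"


def classify(input_list, pkt):
    """Evaluate an input-list: filters run in order, each one seeing the
    classification left by the previous. Returns (action, class, plp)."""
    state = {"forwarding-class": "best-effort", "loss-priority": "low"}  # assumed defaults
    for terms in input_list:
        if run_filter(terms, pkt, state) == "discard":
            return ("discard", None, None)
    return ("accept", state["forwarding-class"], state["loss-priority"])
```

Run classify([MF_CLASSIFIER], {"src": "10.0.0.5", "dport": 443}) to see the discard a filter without a catch-all term produces, then add ACCEPT_REST to the term list and see the packet accepted with its default class.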
