SRX


CoS at Layer 2

  • 1.  CoS at Layer 2

     
    Posted 01-03-2019 00:56

    Hi,

     

    I have CoS at Layer 3 working perfectly. However, I now have a scenario where I need to configure CoS for Layer 2.

     

    I am at the point where I have configured the firewall filters and applied them to the VLAN interface (Layer 2) but cannot commit due to it not knowing where the scheduler-map is, even though it is configured with the correct interface.

     

    Any pointers on some great documents for configuring CoS for layer 2?

     

    Thanks



  • 2.  RE: CoS at Layer 2

     
    Posted 01-03-2019 01:42


    Let me add some more information on this:

     

    We have the customer CPE, which links to the NTE (SRX300/340). Our customers require CoS from the NTE through the Data (ISP) network. The CoS works fine on the MX (Layer 3), however, the NTE for the customer, merely acts as a pass through for the Layer 2 VLAN. Please see below:

     

    CPE --> ge-0/0/1.0 (VLAN ONLY) SRX340 ge-0/0/15.10 (TRUNK) ---> MX240 ---> Wherever

     

    So, as can be seen, the ports for the customer VLAN are ONLY layer 2. I need to apply CoS to the ingress interface of ge-0/0/1.0 so the traffic can be queued correctly through the NTE device.

     

    Here is the configuration:

    set firewall family ethernet-switching filter testcos term 1 from dscp 46
    set firewall family ethernet-switching filter testcos term 1 from dscp 26
    set firewall family ethernet-switching filter testcos term 1 then accept
    set firewall family ethernet-switching filter testcos term 1 then forwarding-class SIP-VOICE
    set firewall family ethernet-switching filter testcos term 4 from source-address x.x.x.x/32
    set firewall family ethernet-switching filter testcos term 4 from source-address x.x.x.x/32
    set firewall family ethernet-switching filter testcos term 4 from source-address x.x.x.x/32
    set firewall family ethernet-switching filter testcos term 4 from source-address x.x.x.x/32
    set firewall family ethernet-switching filter testcos term 4 from source-address x.x.x.x/32
    set firewall family ethernet-switching filter testcos term 4 then accept
    set firewall family ethernet-switching filter testcos term 4 then forwarding-class SIP-VOICE
    set firewall family ethernet-switching filter testcos term 2 then accept
    set firewall family ethernet-switching filter testcos term 2 then forwarding-class best-effort

     

    set class-of-service drop-profiles low-drop fill-level 95 drop-probability 0
    set class-of-service drop-profiles low-drop fill-level 100 drop-probability 100
    set class-of-service drop-profiles med-drop fill-level 75 drop-probability 0
    set class-of-service drop-profiles med-drop fill-level 95 drop-probability 30
    set class-of-service drop-profiles high-drop fill-level 50 drop-probability 0
    set class-of-service drop-profiles high-drop fill-level 95 drop-probability 50
    set class-of-service forwarding-classes queue 2 SIP-VOICE
    set class-of-service interfaces ge-0/0/1 scheduler-map normal
    set class-of-service scheduler-maps normal forwarding-class best-effort scheduler be
    set class-of-service scheduler-maps normal forwarding-class expedited-forwarding scheduler ef
    set class-of-service scheduler-maps normal forwarding-class SIP-VOICE scheduler sv
    set class-of-service scheduler-maps normal forwarding-class network-control scheduler nc
    set class-of-service schedulers be transmit-rate percent 65
    set class-of-service schedulers be buffer-size percent 65
    set class-of-service schedulers be priority medium-high
    set class-of-service schedulers be drop-profile-map loss-priority high protocol any drop-profile high-drop
    set class-of-service schedulers be drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
    set class-of-service schedulers be drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
    set class-of-service schedulers be drop-profile-map loss-priority low protocol any drop-profile low-drop
    set class-of-service schedulers nc transmit-rate percent 5
    set class-of-service schedulers nc buffer-size percent 5
    set class-of-service schedulers nc priority medium-high
    set class-of-service schedulers nc drop-profile-map loss-priority high protocol any drop-profile high-drop
    set class-of-service schedulers nc drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
    set class-of-service schedulers nc drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
    set class-of-service schedulers nc drop-profile-map loss-priority low protocol any drop-profile low-drop
    set class-of-service schedulers ef transmit-rate 5k
    set class-of-service schedulers ef transmit-rate exact
    set class-of-service schedulers ef buffer-size temporal 1
    set class-of-service schedulers ef priority low
    set class-of-service schedulers ef drop-profile-map loss-priority high protocol any drop-profile high-drop
    set class-of-service schedulers ef drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
    set class-of-service schedulers ef drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
    set class-of-service schedulers ef drop-profile-map loss-priority low protocol any drop-profile low-drop
    set class-of-service schedulers sv transmit-rate percent 30
    set class-of-service schedulers sv buffer-size percent 30
    set class-of-service schedulers sv priority high
    set class-of-service schedulers sv drop-profile-map loss-priority high protocol any drop-profile high-drop
    set class-of-service schedulers sv drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
    set class-of-service schedulers sv drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
    set class-of-service schedulers sv drop-profile-map loss-priority low protocol any drop-profile low-drop

     

    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10

     

    I know the filter needs applying to the interface, but as I mentioned, it fails with the following error:

     

    root# commit check
    [edit firewall family ethernet-switching filter testcos term 1 then forwarding-class]
    'forwarding-class SIP-VOICE'
    To configure forwarding-class, loss-priority must be set
    [edit firewall family ethernet-switching filter testcos term 4 then forwarding-class]
    'forwarding-class SIP-VOICE'
    To configure forwarding-class, loss-priority must be set
    [edit firewall family ethernet-switching filter testcos term 2 then forwarding-class]
    'forwarding-class best-effort'
    To configure forwarding-class, loss-priority must be set
    error: configuration check-out failed: (statements constraint check failed)



  • 3.  RE: CoS at Layer 2

     
    Posted 01-03-2019 02:25

    Update:

     

    It looks like you cannot use MF at layer 2 as it utilises 802.1p..... so, it looks like I am looking for a BA classifier as per the following document:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB27307

     

    I will try a couple of different configurations and update here, but if anyone knows how I can complete this for the SIP marked traffic at 46 and 26, as per the firewall config shown above, that would be great....

     

    Thanks



  • 4.  RE: CoS at Layer 2

     
    Posted 01-03-2019 03:14

    Okay..... Maybe someone can answer this please?

     

    I have to create the aliases for dscp 46 and dscp 26. However, because I have to use 802.1p, it only allows me to alias 3 bits. DSCP is normally in a 6 bit format, as follows:

     

    DSCP 46 = 101110

    DSCP 26 = 011010

     

    How can I create the alias for ieee802.1 when only 3 bits are allowed? I am really not sure how I can get the alias set correctly?

     

    I am trying to set the following:

     

    set class-of-service code-point-aliases ieee802.1 sip46 101110

    set class-of-service code-point-aliases ieee802.1 sip26 011010

     

    But it won't let me commit as it only wants 3 bits for the alias.

     

    Now, I can easily set this with the following:

    set class-of-service code-point-aliases dscp sip46 101110

    set class-of-service code-point-aliases dscp sip26 011010

     

    But then this will not be applied when configuring the classifier under ieee802.1.

     

    Any ideas anyone please?



  • 5.  RE: CoS at Layer 2

     
    Posted 01-03-2019 03:37

    I have configured the following as a simple test:

     

    set class-of-service classifiers ieee-802.1 l2-cos-test forwarding-class SIP-VOICE loss-priority high code-points 101

    set class-of-service forwarding-classes queue 2 SIP-VOICE
    set class-of-service interfaces ge-0/0/1 unit 0 classifiers ieee-802.1 l2-cos-test

     

    And made some voice calls and am seeing nothing in the queue on egress.....

     

     



  • 6.  RE: CoS at Layer 2

    Posted 01-03-2019 05:50

    Ensure that the incoming interface ge-0/0/1 is a trunk interface (CoS marking is in the 802.1Q header) and that it receives VLAN-tagged packets with proper marking.

     



  • 7.  RE: CoS at Layer 2

     
    Posted 01-03-2019 07:54

    Hi Nellika,

     

    Okay, that is where the problem is then.

     

    In our scenario we will have very, very picky customers who, if they have to complete any type of configuration other than IP address on a CPE, they may well not subscribe. This means that we mark the VLAN at NTE interface level (like an edge switch would normally), meaning that ge-0/0/1 has to remain as an access layer port. The egress interface is a trunk to our MX through the downstream provider....

     

    I'm guessing the way it works is that interface receives a non marked frame, then on egress attaches the VLAN information.... this means that the classifier is actually looking at a completely unmarked packet?

     

    When I say "unmarked", I mean with a VLAN-ID as the VLAN-ID will be attached on egress from the port, whereas a classifier looks at ingress.... and that packet will be at layer 2 only (MAC)...

     

    So there is no way of achieving this?

     

     



  • 8.  RE: CoS at Layer 2

     
    Posted 01-03-2019 08:43

    Let's change the scenario slightly and see if there is a way of achieving the following:

     

    Let's say we give the customer a separate port on the SRX340 purely for SIP traffic (The customer can deal with how they get the SIP to that port)..... this port will also be an access port on VLAN10, but instead of restricting the actual port (we wouldn't be able to restrict this anyway as the customer may only have a 5mb or 10mb circuit, or maybe even less), can we restrict bandwidth from this port only?



  • 9.  RE: CoS at Layer 2

    Posted 01-03-2019 08:56

    You may try "set class-of-service interfaces ge-0/0/2 unit 0 forwarding-class SIP-VOICE" and apply scheduler-map with required bandwidth restriction, to outgoing interface

     



  • 10.  RE: CoS at Layer 2

     
    Posted 01-03-2019 09:22

    Hi Nellika,

     

    That won't work in our scenario.

    I will close this as I do not think it is possible, but here is an explanation as to why I don't think it is possible:

     

    CoS Classifier looks at a packet on ingress to the interface - important as to why it does not work.

     

    If an interface is configured as an access port only, a packet is received at L2 MAC only. As it exits the port (egress) the VLAN-ID is tagged onto the packet. The Classifier can either look for DSCP (Layer 3) or ieee-802.1p (L2). But the 802.1p code-point is embedded in the VLAN-ID section of the packet. It cannot see that on ingress as it does not yet exist. 

     

    So, it looks like the way around this is having to use a double /30 address configuration with routing in between, then normal CoS can be applied (which I have tested and works perfectly).

     

     



  • 11.  RE: CoS at Layer 2
    Best Answer

    Posted 01-03-2019 09:03

    Hello there,


    @adgwytc wrote:

    can we restrict bandwidth from this port only?


    If You need to wholesale-rate-limit the amount of traffic coming into this port (does not matter if pkts arriving into this port go to other such access ports on the same box and/or go to uplink/trunk) then the easiest way to do it is input policer, does not require messing with 802.1p codepoints at all.

    HTH

    Thx

    Alex 



  • 12.  RE: CoS at Layer 2

    Posted 01-03-2019 07:49

    Hello there,

     


    @adgwytc wrote:

    Okay..... Maybe someone can answer this please?

     

    I have to create the aliases for dscp 46 and dscp 26. However, because I have to use 802.1p, it only allows me to alias 3 bits. DSCP is normally in a 6 bit format, as follows:

     

    DSCP 46 = 101110

    DSCP 26 = 011010

     

    How can I create the alias for ieee802.1 when only 3 bits are allowed? I am really not sure how I can get the alias set correctly?

     

     


    Short answer - You cannot create 6-bit wide IEEE 802.1p codepoint alias. IEEE 802.1p field is 3-bit wide only, this is IEEE standard. You can download IEEE 802 standards for free https://ieeexplore.ieee.org/browse/standards/get-program/page/

    Long answer - if You have > 8 forwarding classes with DSCP codepoints mapped into them, You need to fold some of these FC into the single 3-bit wide IEEE 802.1p codepoint. This also means that if You need differential treatment on far end that receives 802.1p-marked frames, the far end needs to reclassify on DSCP again.

    HTH

    Thx

    Alex
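
The two points the thread settles on (an untagged frame arriving on an access port carries no 802.1p bits for a classifier to read, and a 6-bit DSCP value has to be folded to fit the 3-bit 802.1p field) can be seen by parsing frames directly. This is an added example, not code from any poster or from Juniper; the frames are constructed samples, and folding by keeping the top three DSCP bits is an assumed mapping, one of several possible.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800

def parse_qos(frame: bytes) -> dict:
    """Return the QoS markings visible in one Ethernet frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        # The 802.1p priority (PCP) only exists inside the 802.1Q tag.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13            # top 3 bits of the tag control info
        vlan = tci & 0x0FFF        # low 12 bits are the VLAN ID
        offset = 18
    dscp = None
    if ethertype == ETH_IPV4:
        dscp = frame[offset + 1] >> 2   # upper 6 bits of the ToS byte
    return {"vlan": vlan, "pcp": pcp, "dscp": dscp}

def fold_dscp_to_pcp(dscp: int) -> int:
    """Assumed mapping: keep the three class-selector bits of the DSCP."""
    return dscp >> 3

def build_frame(dscp: int, vlan=None, pcp: int = 0) -> bytes:
    """Constructed sample: zeroed MACs, optional tag, minimal IPv4 header."""
    hdr = bytes(12)
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    hdr += struct.pack("!H", ETH_IPV4)
    return hdr + bytes([0x45, dscp << 2]) + bytes(18)

if __name__ == "__main__":
    # What the access port receives from the CPE: no tag, so no PCP.
    print("access ingress:", parse_qos(build_frame(46)))
    # What leaves on the trunk once VLAN 10 has been pushed.
    tagged = build_frame(46, vlan=10, pcp=fold_dscp_to_pcp(46))
    print("trunk egress:  ", parse_qos(tagged))
    # DSCP 46 and 40 collapse to the same PCP, so the far end must
    # reclassify on DSCP to tell them apart.
    for d in (46, 40, 26):
        print(f"DSCP {d:2d} = {d:06b} -> PCP {fold_dscp_to_pcp(d):03b}")
```

With this mapping DSCP 46 folds to `101`, the code point used in the classifier test in post 5, and DSCP 26 folds to `011`.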