Junos OS

What is the functional difference between using ingress-queuing-filter vs a regular “input filter” on an interface when performing classification?

Hi sean@kndy.net

 

The ingress-queuing-filter statement to set the packet loss priority and forwarding class for the packet, or drop the packet prior to input queue selection. This assists in traffic shaping.

The ingress-queuing-filter statement is available only for the following protocol families: bridge, ccc, inet, inet6, mpls, and vpls.

 

Please refer below:

https://www.juniper.net/documentation/en_US/junos/topics/example/ingress-queuing-filter-configuring.html

 

On the other hand, an ingress (input) firewall filter is applied to packets that are entering an interface or VLAN, and an egress (output) firewall filter is applied to packets that are exiting an interface or VLAN. You can configure firewall filters to determine where to accept or discard a packet before it enters or exits a port, VLAN, Layer 2 CCC, Layer 3 (routed) interface, Routed VLAN interface (RVI), or MPLS interface.

 

Please refer below:

https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-qfx-series-overview.html

 

In my understanding, the two are for separate use cases. The above documents should be able to clearly distinguish to you the need for each type.

 

Hope this helps 🙂

 

Please mark "Accepted Solution" if this helps you solve your query. Kudos are always appreciated 

Hi Sean,

 

The main difference between "input filter" and "ingress-queuing-filter" is,

 

input-filter - When using input-filter in an interface, the match conditions in firewall filters can only be applied to the traffic after the ingress queue had been selected.

 

ingress-queuing-filter - With ingress-queuing-filter, these match conditions in firewall filter can be classified and packet-loss-priority can be applied prior to selecting the forwarding queue.

As there are some replies already let me just share some observations while configuring the same:

 

>>>Ingress-Queuing filter is not supported on AE interfaces 

[edit interfaces ae1 unit 100 family inet]
'ingress-queuing-filter'
MF Ingress-Queuing_Filter feature supported only on Ethernet interfaces. Failed for interface ae1
error: Failed to read config
commit-check failed
commit-check failed
error: configuration check-out failed

>>>Counting is not supported for Ingress-Queuing-Filter 

[edit interfaces xe-2/1/11 unit 0 family inet]
'ingress-queuing-filter'
Unsupported ingress-queuing-filter action 'count' in filter 'test-2'
error: Failed to read config
commit-check failed
commit-check failed
error: configuration check-out failed

# deactivate firewall family inet filter test-2 term 1 then count

# commit
commit complete

>>>In case both are configured as below, below output proves that inet filter over writing the Ingress-Queuing filter

set firewall family inet filter test-1 term 1 then count AF
set firewall family inet filter test-1 term 1 then forwarding-class assured-forwarding
set firewall family inet filter test-1 term 1 then accept
set firewall family inet filter test-2 term 1 then count EF
deactivate firewall family inet filter test-2 term 1 then count
set firewall family inet filter test-2 term 1 then forwarding-class expedited-forwarding
set firewall family inet filter test-2 term 1 then accept

 

set interfaces xe-2/1/11 unit 0 family inet filter input test-1
set interfaces xe-2/1/11 unit 0 family inet ingress-queuing-filter test-2
set interfaces xe-2/1/11 unit 0 family inet address 160.1.1.2/24

 

Queue: 1, Forwarding classes: expedited-forwarding

Queued:

Packets : 913    0 pps

Bytes : 115038 0 bps

 

 

Queue: 2, Forwarding classes: assured-forwarding

Queued:

Packets : 1293  9 pps

Bytes : 162918 9600 bps