Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  SRX 320 QoS and CoS tagging

    Posted 10 days ago
    Edited by Juniper Community Admin 8 days ago

    Hi everyone,

    I'm trying to mark my traffic with 802.1p CoS tags to let my ISP know what to prioritise.

    I've managed to filter traffic as I'd like and put it in the queues I wanted, but I can't find how to mark the filtered traffic.

    I would like to have this :

    • VOICE : DSCP EF CoS 5
    • PROD : DSCP CS4 CoS 4
    • INTERNET : default 0

    SRX 320 is in version 21.4R3.15.

    Here is my conf :

    set security policies from-zone EXT to-zone TRUST policy P1 match source-address any
    set security policies from-zone EXT to-zone TRUST policy P1 match destination-address any
    set security policies from-zone EXT to-zone TRUST policy P1 match application any
    set security policies from-zone EXT to-zone TRUST policy P1 then permit
    set security policies from-zone EXT to-zone TRUST policy P1 then count
    set security policies from-zone TRUST to-zone EXT policy P2 match source-address any
    set security policies from-zone TRUST to-zone EXT policy P2 match destination-address any
    set security policies from-zone TRUST to-zone EXT policy P2 match application any
    set security policies from-zone TRUST to-zone EXT policy P2 then permit
    set security policies from-zone TRUST to-zone EXT policy P2 then count
    set security policies from-zone TRUST to-zone TRUST policy P3 match source-address any
    set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address any
    set security policies from-zone TRUST to-zone TRUST policy P3 match application any
    set security policies from-zone TRUST to-zone TRUST policy P3 then permit
    set security policies from-zone TRUST to-zone TRUST policy P3 then count
    set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ping
    set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ssh
    set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set interfaces ge-0/0/0 unit 0 description LAN
    set interfaces ge-0/0/0 unit 0 family inet filter input QOS
    set interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24
    set interfaces ge-0/0/5 unit 0 description UPL
    set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 667
    set interfaces irb unit 667 description COL
    set interfaces irb unit 667 family inet address 172.31.150.78/30
    set class-of-service forwarding-classes queue 1 PROD
    set class-of-service forwarding-classes queue 2 VOICE
    set firewall family inet filter QOS term VOICE from destination-address 10.10.10.10/32
    set firewall family inet filter QOS term VOICE then count VOICE
    set firewall family inet filter QOS term VOICE then loss-priority low
    set firewall family inet filter QOS term VOICE then forwarding-class VOICE
    set firewall family inet filter QOS term PROD from destination-address 10.10.10.11/32
    set firewall family inet filter QOS term PROD then count PROD
    set firewall family inet filter QOS term PROD then loss-priority low
    set firewall family inet filter QOS term PROD then forwarding-class PROD
    set firewall family inet filter QOS term INTERNET then count INTERNET
    set firewall family inet filter QOS term INTERNET then accept
    set vlans COL vlan-id 667
    set vlans COL l3-interface irb.667
    set protocols l2-learning global-mode switching
    set routing-options static route 0.0.0.0/0 next-hop 172.31.150.77


  • 2.  RE: SRX 320 QoS and CoS tagging

    Posted 9 days ago

    Update, I've now managed to tag outgoing traffic with DSCP Tag according to what I've defined above.

    I've done that by putting rewrite rules and my filter on my outgoing interface.

    But the ieee802.1 rewrite rule doesn't seem to do anything and I'm still not managing to change the 802.1p tag using this method.

    Still looking. Configuration:

    set security policies from-zone EXT to-zone TRUST policy P1 match source-address any
    set security policies from-zone EXT to-zone TRUST policy P1 match destination-address any
    set security policies from-zone EXT to-zone TRUST policy P1 match application any
    set security policies from-zone EXT to-zone TRUST policy P1 then permit
    set security policies from-zone EXT to-zone TRUST policy P1 then count
    set security policies from-zone TRUST to-zone EXT policy P2 match source-address any
    set security policies from-zone TRUST to-zone EXT policy P2 match destination-address any
    set security policies from-zone TRUST to-zone EXT policy P2 match application any
    set security policies from-zone TRUST to-zone EXT policy P2 then permit
    set security policies from-zone TRUST to-zone EXT policy P2 then count
    set security policies from-zone TRUST to-zone TRUST policy P3 match source-address any
    set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address any
    set security policies from-zone TRUST to-zone TRUST policy P3 match application any
    set security policies from-zone TRUST to-zone TRUST policy P3 then permit
    set security policies from-zone TRUST to-zone TRUST policy P3 then count
    set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ping
    set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ssh
    set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set interfaces ge-0/0/0 unit 0 description LAN
    set interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24
    set interfaces ge-0/0/5 unit 0 description UPL
    set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 667
    set interfaces irb unit 667 description COL
    set interfaces irb unit 667 family inet filter output QOS
    set interfaces irb unit 667 family inet address 172.31.150.78/30
    set class-of-service interfaces irb unit 667 rewrite-rules dscp QOS
    set class-of-service interfaces irb unit 667 rewrite-rules ieee-802.1 default
    set class-of-service rewrite-rules dscp QOS forwarding-class assured-forwarding loss-priority medium-low code-point cs4
    set class-of-service rewrite-rules dscp QOS forwarding-class expedited-forwarding loss-priority low code-point ef
    set firewall family inet filter QOS term VOIX from destination-address 10.10.10.10/32
    set firewall family inet filter QOS term VOIX then count VOIX
    set firewall family inet filter QOS term VOIX then loss-priority low
    set firewall family inet filter QOS term VOIX then forwarding-class expedited-forwarding
    set firewall family inet filter QOS term PROD from destination-address 10.10.10.11/32
    set firewall family inet filter QOS term PROD then count PROD
    set firewall family inet filter QOS term PROD then loss-priority medium-low
    set firewall family inet filter QOS term PROD then forwarding-class assured-forwarding
    set firewall family inet filter QOS term INTERNET then count INTERNET
    set firewall family inet filter QOS term INTERNET then loss-priority high
    set firewall family inet filter QOS term INTERNET then forwarding-class best-effort
    set firewall family inet filter QOS term INTERNET then accept
    set vlans COL vlan-id 667
    set vlans COL l3-interface irb.667
    set protocols l2-learning global-mode switching
    set routing-options static route 0.0.0.0/0 next-hop 172.31.150.77


    ------------------------------
    RESEAU NSI
    ------------------------------



  • 3.  RE: SRX 320 QoS and CoS tagging
    Best Answer

    Posted 7 days ago

    Just found the solution. The interface I was using is IRB, which is declared as a layer 3 interface.

    Because the interface is a layer 3 interface, no layer 2 802.1p tag is available to rewrite.

    I used a VLAN-tagging interface instead and it worked.

    I now can tag on layer 3 DSCP and layer 2 802.1p depending on a filter I set which can use source / destination address or port.

    Configuration :

    set security policies from-zone EXT to-zone TRUST policy P1 match source-address any
    set security policies from-zone EXT to-zone TRUST policy P1 match destination-address any
    set security policies from-zone EXT to-zone TRUST policy P1 match application any
    set security policies from-zone EXT to-zone TRUST policy P1 then permit
    set security policies from-zone EXT to-zone TRUST policy P1 then count
    set security policies from-zone TRUST to-zone EXT policy P2 match source-address any
    set security policies from-zone TRUST to-zone EXT policy P2 match destination-address any
    set security policies from-zone TRUST to-zone EXT policy P2 match application any
    set security policies from-zone TRUST to-zone EXT policy P2 then permit
    set security policies from-zone TRUST to-zone EXT policy P2 then count
    set security policies from-zone TRUST to-zone TRUST policy P3 match source-address any
    set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address any
    set security policies from-zone TRUST to-zone TRUST policy P3 match application any
    set security policies from-zone TRUST to-zone TRUST policy P3 then permit
    set security policies from-zone TRUST to-zone TRUST policy P3 then count
    set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone EXT interfaces ge-0/0/5.667 host-inbound-traffic system-services ping
    set security zones security-zone EXT interfaces ge-0/0/5.667 host-inbound-traffic system-services ssh
    set interfaces ge-0/0/0 unit 0 description LAN
    set interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24
    set interfaces ge-0/0/5 vlan-tagging
    set interfaces ge-0/0/5 unit 667 description UPL
    set interfaces ge-0/0/5 unit 667 vlan-id 667
    set interfaces ge-0/0/5 unit 667 family inet filter output QOS
    set interfaces ge-0/0/5 unit 667 family inet address 172.31.150.78/30
    set class-of-service interfaces ge-0/0/5 unit 667 rewrite-rules dscp QOS
    set class-of-service interfaces ge-0/0/5 unit 667 rewrite-rules ieee-802.1 QOS
    set class-of-service rewrite-rules dscp QOS forwarding-class assured-forwarding loss-priority medium-low code-point cs4
    set class-of-service rewrite-rules dscp QOS forwarding-class expedited-forwarding loss-priority low code-point ef
    set class-of-service rewrite-rules ieee-802.1 QOS forwarding-class assured-forwarding loss-priority medium-low code-point 100
    set class-of-service rewrite-rules ieee-802.1 QOS forwarding-class expedited-forwarding loss-priority low code-point 101
    set firewall filter QOS term VOIX from destination-address 10.143.0.126/32
    set firewall filter QOS term VOIX then count VOIX
    set firewall filter QOS term VOIX then loss-priority low
    set firewall filter QOS term VOIX then forwarding-class expedited-forwarding
    set firewall filter QOS term PROD from destination-address 10.143.0.132/32
    set firewall filter QOS term PROD then count PROD
    set firewall filter QOS term PROD then loss-priority medium-low
    set firewall filter QOS term PROD then forwarding-class assured-forwarding
    set firewall filter QOS term INTERNET then count INTERNET
    set firewall filter QOS term INTERNET then loss-priority high
    set firewall filter QOS term INTERNET then forwarding-class best-effort
    set firewall filter QOS term INTERNET then accept
    set vlans COL vlan-id 667
    set protocols l2-learning global-mode switching
    set protocols rstp interface all
    set routing-options static route 0.0.0.0/0 next-hop 172.31.150.77


    ------------------------------
    RESEAU NSI
    ------------------------------
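
A small check built on the finding in the answer above, added here as an example (it is not code from the thread's author or from Juniper): it scans set-style configuration for `ieee-802.1` rewrite bindings, flags any bound to an `irb` unit or to a unit without VLAN tagging, and decodes the 3-bit code points (`100`, `101`) into the CoS values. The function name `check_8021p` and the two excerpts, cut down from the configurations posted in this thread, are constructed for illustration.

```python
import re

# Constructed excerpts from the two configurations posted in this thread.
IRB_CONFIG = """\
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces irb unit 667 family inet address 172.31.150.78/30
set class-of-service interfaces irb unit 667 rewrite-rules dscp QOS
set class-of-service interfaces irb unit 667 rewrite-rules ieee-802.1 default
"""

TAGGED_CONFIG = """\
set interfaces ge-0/0/5 vlan-tagging
set interfaces ge-0/0/5 unit 667 vlan-id 667
set class-of-service interfaces ge-0/0/5 unit 667 rewrite-rules dscp QOS
set class-of-service interfaces ge-0/0/5 unit 667 rewrite-rules ieee-802.1 QOS
set class-of-service rewrite-rules ieee-802.1 QOS forwarding-class assured-forwarding loss-priority medium-low code-point 100
set class-of-service rewrite-rules ieee-802.1 QOS forwarding-class expedited-forwarding loss-priority low code-point 101
"""

BIND = re.compile(r"^set class-of-service interfaces (\S+) unit (\d+) rewrite-rules ieee-802\.1 (\S+)$")
RULE = re.compile(r"^set class-of-service rewrite-rules ieee-802\.1 (\S+) forwarding-class (\S+) loss-priority \S+ code-point ([01]{3})$")


def check_8021p(config):
    """Return (findings, pcp_map) for the ieee-802.1 rewrite bindings in a set-style config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    present = set(lines)
    findings, rules = [], {}
    for line in lines:
        m = RULE.match(line)
        if m:  # code-point is a 3-bit binary string: 101 -> 802.1p priority 5
            rules.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3), 2)
    pcp_map = {}
    for line in lines:
        m = BIND.match(line)
        if not m:
            continue
        ifd, unit, name = m.groups()
        if ifd == "irb":  # the case this thread ran into
            findings.append(f"{ifd}.{unit}: ieee-802.1 rewrite bound to a layer 3 IRB unit")
        elif f"set interfaces {ifd} vlan-tagging" not in present:
            findings.append(f"{ifd}.{unit}: {ifd} has no vlan-tagging")
        elif not any(ln.startswith(f"set interfaces {ifd} unit {unit} vlan-id ") for ln in lines):
            findings.append(f"{ifd}.{unit}: unit has no vlan-id")
        if name != "default" and name not in rules:
            findings.append(f"{ifd}.{unit}: rewrite rule {name} is not defined")
        pcp_map.update(rules.get(name, {}))
    return findings, pcp_map
```

On the second post's layout it reports the `irb.667` binding; on the accepted layout it reports nothing and returns assured-forwarding as CoS 4 and expedited-forwarding as CoS 5, matching the targets in the first post.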