SRX 320 QoS and CoS tagging

View Only

last person joined: yesterday

Ask questions and share experiences about Junos OS.

Back to discussions

Expand all | Collapse all

SRX 320 QoS and CoS tagging

Jump to Best Answer

1. SRX 320 QoS and CoS tagging

Recommend

RESEAU NSI

Posted 9 days ago
Edited by Juniper Community Admin 7 days ago

Hi everyone,

I'm trying to mark my traffic with 802.1p CoS tags to let my ISP know what to prioritise.

I've managed to filter traffic as I'd like an put them in the queues I wanted but I do not find how to mark the filterd traffic.

I would like to have this :

VOICE : DSCP EF CoS 5
PROD : DSCP CS4 CoS 4
INTERNET : default 0

SRX 320 is in version 21.4R3.15.

Here is my conf :

set security policies from-zone EXT to-zone TRUST policy P1 match source-address any
set security policies from-zone EXT to-zone TRUST policy P1 match destination-address any
set security policies from-zone EXT to-zone TRUST policy P1 match application any
set security policies from-zone EXT to-zone TRUST policy P1 then permit
set security policies from-zone EXT to-zone TRUST policy P1 then count
set security policies from-zone TRUST to-zone EXT policy P2 match source-address any
set security policies from-zone TRUST to-zone EXT policy P2 match destination-address any
set security policies from-zone TRUST to-zone EXT policy P2 match application any
set security policies from-zone TRUST to-zone EXT policy P2 then permit
set security policies from-zone TRUST to-zone EXT policy P2 then count
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match application any
set security policies from-zone TRUST to-zone TRUST policy P3 then permit
set security policies from-zone TRUST to-zone TRUST policy P3 then count
set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ping
set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ssh
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 description LAN
set interfaces ge-0/0/0 unit 0 family inet filter input QOS
set interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24
set interfaces ge-0/0/5 unit 0 description UPL
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 667
set interfaces irb unit 667 description COL
set interfaces irb unit 667 family inet address 172.31.150.78/30
set class-of-service forwarding-classes queue 1 PROD
set class-of-service forwarding-classes queue 2 VOICE
set firewall family inet filter QOS term VOICE from destination-address 10.10.10.10/32
set firewall family inet filter QOS term VOICE then count VOICE
set firewall family inet filter QOS term VOICE then loss-priority low
set firewall family inet filter QOS term VOICE then forwarding-class VOICE
set firewall family inet filter QOS term PROD from destination-address 10.10.10.11/32
set firewall family inet filter QOS term PROD then count PROD
set firewall family inet filter QOS term PROD then loss-priority low
set firewall family inet filter QOS term PROD then forwarding-class PROD
set firewall family inet filter QOS term INTERNET then count INTERNET
set firewall family inet filter QOS term INTERNET then accept
set vlans COL vlan-id 667
set vlans COL l3-interface irb.667
set protocols l2-learning global-mode switching
set routing-options static route 0.0.0.0/0 next-hop 172.31.150.77

2. RE: SRX 320 QoS and CoS tagging

Recommend

RESEAU NSI

Posted 8 days ago

Update, I've now managed to tag outgoing traffic with DSCP Tag according to what I've defined above.

I've done that by putting rewrite rules and my filter to my outgoing interface.

But the ieee802.1 rewrite rule doesn't seem to do something and I'm still not managing to change the 802.1p tag using this method.

Still lokking. Configuration :

set security policies from-zone EXT to-zone TRUST policy P1 match source-address any
set security policies from-zone EXT to-zone TRUST policy P1 match destination-address any
set security policies from-zone EXT to-zone TRUST policy P1 match application any
set security policies from-zone EXT to-zone TRUST policy P1 then permit
set security policies from-zone EXT to-zone TRUST policy P1 then count
set security policies from-zone TRUST to-zone EXT policy P2 match source-address any
set security policies from-zone TRUST to-zone EXT policy P2 match destination-address any
set security policies from-zone TRUST to-zone EXT policy P2 match application any
set security policies from-zone TRUST to-zone EXT policy P2 then permit
set security policies from-zone TRUST to-zone EXT policy P2 then count
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match application any
set security policies from-zone TRUST to-zone TRUST policy P3 then permit
set security policies from-zone TRUST to-zone TRUST policy P3 then count
set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ping
set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ssh
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 description LAN
set interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24
set interfaces ge-0/0/5 unit 0 description UPL
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 667
set interfaces irb unit 667 description COL
set interfaces irb unit 667 family inet filter output QOS
set interfaces irb unit 667 family inet address 172.31.150.78/30
set class-of-service interfaces irb unit 667 rewrite-rules dscp QOS
set class-of-service interfaces irb unit 667 rewrite-rules ieee-802.1 default
set class-of-service rewrite-rules dscp QOS forwarding-class assured-forwarding loss-priority medium-low code-point cs4
set class-of-service rewrite-rules dscp QOS forwarding-class expedited-forwarding loss-priority low code-point ef
set firewall family inet filter QOS term VOIX from destination-address 10.10.10.10/32
set firewall family inet filter QOS term VOIX then count VOIX
set firewall family inet filter QOS term VOIX then loss-priority low
set firewall family inet filter QOS term VOIX then forwarding-class expedited-forwarding
set firewall family inet filter QOS term PROD from destination-address 10.10.10.11/32
set firewall family inet filter QOS term PROD then count PROD
set firewall family inet filter QOS term PROD then loss-priority medium-low
set firewall family inet filter QOS term PROD then forwarding-class assured-forwarding
set firewall family inet filter QOS term INTERNET then count INTERNET
set firewall family inet filter QOS term INTERNET then loss-priority high
set firewall family inet filter QOS term INTERNET then forwarding-class best-effort
set firewall family inet filter QOS term INTERNET then accept
set vlans COL vlan-id 667
set vlans COL l3-interface irb.667
set protocols l2-learning global-mode switching
set routing-options static route 0.0.0.0/0 next-hop 172.31.150.77

------------------------------
RESEAU NSI
------------------------------

Original Message

Original Message:
Sent: 06-11-2024 05:49
From: RESEAU NSI
Subject: SRX 320 QoS and CoS tagging

Hi everyone,

I'm trying to mark my traffic with 802.1p CoS tags to let my ISP know what to prioritise.

I've managed to filter traffic as I'd like an put them in the queues I wanted but I do not find how to mark the filterd traffic.

I would like to have this :

VOICE : DSCP EF CoS 5
PROD : DSCP CS4 CoS 4
INTERNET : default 0

SRX 320 is in version 21.4R3.15.

Here is my conf :

set security policies from-zone EXT to-zone TRUST policy P1 match source-address anyset security policies from-zone EXT to-zone TRUST policy P1 match destination-address anyset security policies from-zone EXT to-zone TRUST policy P1 match application anyset security policies from-zone EXT to-zone TRUST policy P1 then permitset security policies from-zone EXT to-zone TRUST policy P1 then countset security policies from-zone TRUST to-zone EXT policy P2 match source-address anyset security policies from-zone TRUST to-zone EXT policy P2 match destination-address anyset security policies from-zone TRUST to-zone EXT policy P2 match application anyset security policies from-zone TRUST to-zone EXT policy P2 then permitset security policies from-zone TRUST to-zone EXT policy P2 then countset security policies from-zone TRUST to-zone TRUST policy P3 match source-address anyset security policies from-zone TRUST to-zone TRUST policy P3 match destination-address anyset security policies from-zone TRUST to-zone TRUST policy P3 match application anyset security policies from-zone TRUST to-zone TRUST policy P3 then permitset security policies from-zone TRUST to-zone TRUST policy P3 then countset security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services pingset security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services sshset security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services pingset security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services sshset interfaces ge-0/0/0 unit 0 description LANset interfaces ge-0/0/0 unit 0 family inet filter input QOSset interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24set interfaces ge-0/0/5 unit 0 description UPLset interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunkset interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 667set interfaces irb unit 667 description COLset interfaces irb unit 667 family inet address 172.31.150.78/30set class-of-service forwarding-classes queue 1 PRODset class-of-service forwarding-classes queue 2 VOICEset firewall family inet filter QOS term VOICE from destination-address 10.10.10.10/32set firewall family inet filter QOS term VOICE then count VOICEset firewall family inet filter QOS term VOICE then loss-priority lowset firewall family inet filter QOS term VOICE then forwarding-class VOICEset firewall family inet filter QOS term PROD from destination-address 10.10.10.11/32set firewall family inet filter QOS term PROD then count PRODset firewall family inet filter QOS term PROD then loss-priority lowset firewall family inet filter QOS term PROD then forwarding-class PRODset firewall family inet filter QOS term INTERNET then count INTERNETset firewall family inet filter QOS term INTERNET then acceptset vlans COL vlan-id 667set vlans COL l3-interface irb.667set protocols l2-learning global-mode switchingset routing-options static route 0.0.0.0/0 next-hop 172.31.150.77

------------------------------
RESEAU NSI
------------------------------

3. RE: SRX 320 QoS and CoS tagging
Best Answer

Recommend

RESEAU NSI

Posted 6 days ago

Just found the solution. The interface I was using is IRB which is declared as a layer 3 Interface.

Because the interface is layer 3 interface, no layer 2 802.1p tag is available to rewrite.

I used a vlan tagging interface instead and It Worked.

I now can tag on layer 3 DSCP and layer 2 802.1p depending on a filter I set which can use source / destination address or port.

Configuration :

set security policies from-zone EXT to-zone TRUST policy P1 match source-address any
set security policies from-zone EXT to-zone TRUST policy P1 match destination-address any
set security policies from-zone EXT to-zone TRUST policy P1 match application any
set security policies from-zone EXT to-zone TRUST policy P1 then permit
set security policies from-zone EXT to-zone TRUST policy P1 then count
set security policies from-zone TRUST to-zone EXT policy P2 match source-address any
set security policies from-zone TRUST to-zone EXT policy P2 match destination-address any
set security policies from-zone TRUST to-zone EXT policy P2 match application any
set security policies from-zone TRUST to-zone EXT policy P2 then permit
set security policies from-zone TRUST to-zone EXT policy P2 then count
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match application any
set security policies from-zone TRUST to-zone TRUST policy P3 then permit
set security policies from-zone TRUST to-zone TRUST policy P3 then count
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone EXT interfaces ge-0/0/5.667 host-inbound-traffic system-services ping
set security zones security-zone EXT interfaces ge-0/0/5.667 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 description LAN
set interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24
set interfaces ge-0/0/5 vlan-tagging
set interfaces ge-0/0/5 unit 667 description UPL
set interfaces ge-0/0/5 unit 667 vlan-id 667
set interfaces ge-0/0/5 unit 667 family inet filter output QOS
set interfaces ge-0/0/5 unit 667 family inet address 172.31.150.78/30
set class-of-service interfaces ge-0/0/5 unit 667 rewrite-rules dscp QOS
set class-of-service interfaces ge-0/0/5 unit 667 rewrite-rules ieee-802.1 QOS
set class-of-service rewrite-rules dscp QOS forwarding-class assured-forwarding loss-priority medium-low code-point cs4
set class-of-service rewrite-rules dscp QOS forwarding-class expedited-forwarding loss-priority low code-point ef
set class-of-service rewrite-rules ieee-802.1 QOS forwarding-class assured-forwarding loss-priority medium-low code-point 100
set class-of-service rewrite-rules ieee-802.1 QOS forwarding-class expedited-forwarding loss-priority low code-point 101
set firewall filter QOS term VOIX from destination-address 10.143.0.126/32
set firewall filter QOS term VOIX then count VOIX
set firewall filter QOS term VOIX then loss-priority low
set firewall filter QOS term VOIX then forwarding-class expedited-forwarding
set firewall filter QOS term PROD from destination-address 10.143.0.132/32
set firewall filter QOS term PROD then count PROD
set firewall filter QOS term PROD then loss-priority medium-low
set firewall filter QOS term PROD then forwarding-class assured-forwarding
set firewall filter QOS term INTERNET then count INTERNET
set firewall filter QOS term INTERNET then loss-priority high
set firewall filter QOS term INTERNET then forwarding-class best-effort
set firewall filter QOS term INTERNET then accept
set vlans COL vlan-id 667
set protocols l2-learning global-mode switching
set protocols rstp interface all
set routing-options static route 0.0.0.0/0 next-hop 172.31.150.77

------------------------------
RESEAU NSI
------------------------------

Original Message

Original Message:
Sent: 06-11-2024 05:49
From: RESEAU NSI
Subject: SRX 320 QoS and CoS tagging

Hi everyone,

I'm trying to mark my traffic with 802.1p CoS tags to let my ISP know what to prioritise.

I've managed to filter traffic as I'd like an put them in the queues I wanted but I do not find how to mark the filterd traffic.

I would like to have this :

VOICE : DSCP EF CoS 5
PROD : DSCP CS4 CoS 4
INTERNET : default 0

SRX 320 is in version 21.4R3.15.

Here is my conf :

set security policies from-zone EXT to-zone TRUST policy P1 match source-address anyset security policies from-zone EXT to-zone TRUST policy P1 match destination-address anyset security policies from-zone EXT to-zone TRUST policy P1 match application anyset security policies from-zone EXT to-zone TRUST policy P1 then permitset security policies from-zone EXT to-zone TRUST policy P1 then countset security policies from-zone TRUST to-zone EXT policy P2 match source-address anyset security policies from-zone TRUST to-zone EXT policy P2 match destination-address anyset security policies from-zone TRUST to-zone EXT policy P2 match application anyset security policies from-zone TRUST to-zone EXT policy P2 then permitset security policies from-zone TRUST to-zone EXT policy P2 then countset security policies from-zone TRUST to-zone TRUST policy P3 match source-address anyset security policies from-zone TRUST to-zone TRUST policy P3 match destination-address anyset security policies from-zone TRUST to-zone TRUST policy P3 match application anyset security policies from-zone TRUST to-zone TRUST policy P3 then permitset security policies from-zone TRUST to-zone TRUST policy P3 then countset security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services pingset security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services sshset security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services pingset security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services sshset interfaces ge-0/0/0 unit 0 description LANset interfaces ge-0/0/0 unit 0 family inet filter input QOSset interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24set interfaces ge-0/0/5 unit 0 description UPLset interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunkset interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 667set interfaces irb unit 667 description COLset interfaces irb unit 667 family inet address 172.31.150.78/30set class-of-service forwarding-classes queue 1 PRODset class-of-service forwarding-classes queue 2 VOICEset firewall family inet filter QOS term VOICE from destination-address 10.10.10.10/32set firewall family inet filter QOS term VOICE then count VOICEset firewall family inet filter QOS term VOICE then loss-priority lowset firewall family inet filter QOS term VOICE then forwarding-class VOICEset firewall family inet filter QOS term PROD from destination-address 10.10.10.11/32set firewall family inet filter QOS term PROD then count PRODset firewall family inet filter QOS term PROD then loss-priority lowset firewall family inet filter QOS term PROD then forwarding-class PRODset firewall family inet filter QOS term INTERNET then count INTERNETset firewall family inet filter QOS term INTERNET then acceptset vlans COL vlan-id 667set vlans COL l3-interface irb.667set protocols l2-learning global-mode switchingset routing-options static route 0.0.0.0/0 next-hop 172.31.150.77

Junos OS

SRX 320 QoS and CoS tagging

RESEAU NSI9 days ago

RESEAU NSI8 days ago

RESEAU NSI6 days agoBest Answer

1. SRX 320 QoS and CoS tagging

2. RE: SRX 320 QoS and CoS tagging

3. RE: SRX 320 QoS and CoS tagging Best Answer

3. RE: SRX 320 QoS and CoS tagging
Best Answer