Routing

  • 1.  What are the differences for the following?

    Posted 12-07-2022 23:13

    set class-of-service classifiers dscp WIFI-traffic forwarding-class WIFI loss-priority low code-points 101100

    set class-of-service routing-instances VRF1 classifiers dscp WIFI-traffic

     

    set firewall family inet filter WIFI-filter term 1 from dscp be

    set firewall family inet filter WIFI-filter term 1 then forwarding-class WIFI

    set firewall family inet filter WIFI-filter term 1 then loss-priority low

    set firewall family inet filter WIFI-filter term 1 then accept

    set firewall family inet filter WIFI-filter term 2 then accept

    set routing-instances VRF1 forwarding-options family inet filter input WIFI-filter

    thanks !!



  • 2.  RE: What are the differences for the following?

    Posted 12-08-2022 05:56
    The differences:
    "dscp code-point 101100" vs "dscp be", unless the default alias has been overridden with
    set class-of-service code-point-aliases dscp be 101100
    Then it's just
    set class-of-service routing-instances VRF1 classifiers dscp

    This is only relevant if VRF1 has vrf-table-label enabled (or, at least, I don't know what it does other than in that context!).
    It only applies to traffic coming from an MPLS interface.
    It replaces the default exp classifier that happens here otherwise (exp-default). (This also happens on Junos versions that don't even normally apply exp-default to MPLS-enabled interfaces; I hadn't even noticed that newer versions appear to fix this, and always apply exp-default to MPLS-enabled interfaces.)
    I think this happens on the ingress PFE, so any changes done here would alter fabric priority.

    vs
    set routing-instances VRF1 forwarding-options family inet filter input

    This is the equivalent of putting that filter onto each interface in the VRF in the input direction. 

    It would apply to traffic from non-MPLS interfaces, and also MPLS interfaces if vrf-table-label is on for the VRF, as this adds the lsi interface to the VRF, and traffic appears to "ingress" from it. Not 100% sure on what does/doesn't work without vrf-table-label, would need to test.

    Is that an answer to anything like what you were asking?


    I've probably missed things.
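
Added example, not part of any post in this thread: a small Python check that resolves which DSCP code points the classifier and the firewall filter from post 1 actually match, applying a `code-point-aliases` override the way the reply above describes it (that the override also changes the filter's `be` match is taken from the reply, not verified here). The alias table is a subset of the Junos defaults, the function names are hypothetical, and `SAMPLE` is constructed from the thread's lines.

```python
import re

# Subset of the Junos default DSCP aliases (name -> 6-bit code point).
DEFAULT_ALIASES = {"be": "000000", "af11": "001010", "ef": "101110",
                   "cs6": "110000", "cs7": "111000"}
ALIAS_RE = re.compile(
    r"^set class-of-service code-point-aliases dscp (\S+) ([01]{6})$")
CLASSIFIER_RE = re.compile(
    r"^set class-of-service classifiers dscp (\S+) forwarding-class \S+ "
    r"loss-priority \S+ code-points (.+)$")
FILTER_RE = re.compile(
    r"^set firewall family inet filter (\S+) term \S+ from dscp (.+)$")

def _lines(config):
    return [ln.strip() for ln in config.splitlines() if ln.strip()]

def alias_table(config):
    """Default aliases plus any code-point-aliases overrides in the config."""
    table = dict(DEFAULT_ALIASES)
    for ln in _lines(config):
        m = ALIAS_RE.match(ln)
        if m:
            table[m.group(1)] = m.group(2)
    return table

def _resolve(tokens, table):
    """Turn 'be', '101100' or '[ be ef ]' into a set of 6-bit strings."""
    out = set()
    for tok in tokens.strip("[] ").split():
        # Bit strings pass through; an unknown alias raises KeyError.
        out.add(tok if re.fullmatch(r"[01]{6}", tok) else table[tok])
    return out

def matched_code_points(config, classifier, fw_filter):
    """Return (classifier code points, filter code points) as bit strings."""
    table = alias_table(config)
    cls, flt = set(), set()
    for ln in _lines(config):
        m = CLASSIFIER_RE.match(ln)
        if m and m.group(1) == classifier:
            cls |= _resolve(m.group(2), table)
        m = FILTER_RE.match(ln)
        if m and m.group(1) == fw_filter:
            flt |= _resolve(m.group(2), table)
    return cls, flt

# Constructed sample: the two match statements from post 1.
SAMPLE = """
set class-of-service classifiers dscp WIFI-traffic forwarding-class WIFI loss-priority low code-points 101100
set firewall family inet filter WIFI-filter term 1 from dscp be
"""
```

With the default aliases the two sets differ (`101100` versus `000000`); appending the `code-point-aliases dscp be 101100` line makes them equal.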




  • 3.  RE: What are the differences for the following?

    Posted 12-08-2022 10:47
    thanks so much for your insights.


  • 4.  RE: What are the differences for the following?

    Posted 12-08-2022 10:58
    One more question to bother you with:

    If I want to filter the inbound traffic from CE to PE interface, say like the following:

    CE -------> (ge-0/0/0.10) (PE)
    Should the filter be applied directly to ge-0/0/0 or inside the VRF?

    set interfaces ge-0/0/0.10 family inet filter input filter
    or
    set routing-instances VRF1 forwarding-options family inet filter input filter

    thanks a lot !!


  • 5.  RE: What are the differences for the following?
    Best Answer

    Posted 12-08-2022 12:40
    There is no "should".

    Both would work, but there are certainly more caveats and non-trivial interactions when using an FTF instead of applying a filter to an interface.
    Or, to rephrase: "If it will work, you *should* put it on the interface, unless there is a reason to instead apply it as an FTF".

    The FTF is a bit "non-obvious", and does tend to result in the question "what does this do, and why isn't it on an interface?" coming up again and again.
    But sadly, it's also quite useful, and sometimes better performing.


  • 6.  RE: What are the differences for the following?

    Posted 12-08-2022 12:46
    thanks so so so much for your insights.