Junos and IOS QoS – Part 1 of 4 – Marking traffic

While the concepts of QoS on vendor platforms are similar, the actual configuration is very different. I wanted to do a few posts on the differences between Junos and IOS for the normal QoS things that I do on a day-to-day basis.

For this first post I’m going to use a very simple diagram:

On the LAN are hosts with soft-phones. These phones use specific ports but do not mark packets sent with DSCP EF. Our goal here is to ensure voice packets are marked. Any UDP packet with a port number of 5060 I will mark with DSCP EF.

IOS

IOS is very simple indeed. You match the kind of traffic you want in an ACL, create a service-policy using that ACL, and mark the packets in that policy:

access-list 100 permit udp any eq 5060 any eq 5060
!
class-map match-all VOICE
 match access-group 100
!
policy-map MARK-TRAFFIC
 class VOICE
  set dscp ef
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 service-policy input MARK-TRAFFIC

Junos

Junos is more complicated. Juniper calls marking via matching on parts of a packet multifield classification. Multifield classification works by matching terms in a firewall filter. The DSCP value is not directly set in the firewall filter. Rather, the filter places a packet in a specific queue. It’s the queue outbound that sets the actual DSCP value in the packet.

First let’s create the classification I need:

[email protected]> show configuration class-of-service
classifiers {
    dscp MARK-TRAFFIC {
        forwarding-class expedited-forwarding {
            loss-priority low code-points ef;
        }
    }
}

There is a built-in queue called expedited-forwarding. You can rename these if you wish and add more queues. The configuration above states that any packet in this queue will be marked with DSCP EF.

[email protected]> show configuration firewall
family inet {
    filter VOICE {
        term VOICE {
            from {
                protocol udp;
                source-port 5060;
                destination-port 5060;
            }
            then {
                forwarding-class expedited-forwarding;
                accept;
            }
        }
        term CATCH-ALL {
            then accept;
        }
    }
}

In the firewall statement, any packet that matches UDP with source and destination port equal to 5060 will be placed in the expedited-forwarding queue. As this is a firewall filter, I need to still allow the packets through. I also need a catch-all at the end otherwise any packet not matching the first statement is dropped.

Finally the filter will be applied inbound on the LAN interface:

[email protected]> show configuration interfaces fe-0/0/7.0
family inet {
    filter {
        input VOICE;
    }
    address 10.2.2.1/24;
}

Both terms above will mark the needed packets as DSCP EF. All others will not be changed.

Certain Juniper platforms do support setting the DSCP value inbound, but it seems to be very hardware specific.

UPDATE (03/09/2013)
As a few have pointed out, I’m not actually marking anything here, I’m only classifying. My bad. In order to actually mark a packet you need to use rewrite rules. Junos has a few built-in, but you can make your own as well:

[email protected]> show class-of-service rewrite-rule
Rewrite rule: dscp-default, Code point type: dscp, Index: 31
  Forwarding class                    Loss priority       Code point
  best-effort                         low                 000000
  best-effort                         high                000000
  expedited-forwarding                low                 101110
  expedited-forwarding                high                101110
  assured-forwarding                  low                 001010
  assured-forwarding                  high                001100
  network-control                     low                 110000
  network-control                     high                111000
etc etc etc

The default will ensure that EF traffic is marked 101110 which is DSCP value 46. We apply this rewrite to an interface like so:

[email protected]> show configuration class-of-service
interfaces {
    ge-0/0/0 {
        unit 50 {
            rewrite-rules {
                dscp default;
            }
        }
    }
}

Of course you can create your own rewrite rules, but I’m just going for the easy way out above.
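
What the marking in this post does to the packet itself, as an added example (not code from the original post or from either vendor): a Python sketch that applies the same match as the ACL and the firewall term (UDP, source and destination port 5060), writes code point 101110 into the upper six bits of the IPv4 ToS byte while keeping the two ECN bits, and recomputes the header checksum. The function names and the sample packets are constructed for illustration.

```python
import struct

DSCP_EF = 0b101110  # 46, the expedited-forwarding code point from the rewrite-rule table
SIP_PORT = 5060

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def dscp_of(packet: bytes) -> int:
    """DSCP is the upper six bits of the second header byte; the lower two are ECN."""
    return packet[1] >> 2

def is_voice(packet: bytes) -> bool:
    """Same match as the ACL / firewall term: UDP with source and destination port 5060."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        return False
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    # Non-first fragments carry no UDP header, so there are no ports to match on
    if frag_offset or ihl < 20 or len(packet) < ihl + 4:
        return False
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return sport == SIP_PORT and dport == SIP_PORT

def mark(packet: bytes) -> bytes:
    """Set DSCP EF on voice packets, keep the ECN bits, recompute the header checksum."""
    if not is_voice(packet):
        return packet  # the catch-all case: everything else passes unchanged
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (DSCP_EF << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def build_packet(sport: int, dport: int, tos: int = 0) -> bytes:
    """Constructed sample: 20-byte IPv4 header plus 8-byte UDP header, no payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                                bytes([10, 0, 0, 5]), bytes([10, 2, 2, 5])))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + struct.pack("!HHHH", sport, dport, 8, 0)

if __name__ == "__main__":
    for ports in ((5060, 5060), (5060, 40000)):
        print(ports, "DSCP", dscp_of(mark(build_packet(*ports))))
```

A marked packet carries ToS byte 0xB8 (DSCP 46 shifted left two bits), which is the value to look for in a capture taken on the far side of the router.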

© 2009-2020 Darren O'Connor All Rights Reserved