Many of you will have deployed CoS extensively on your networks. One area of a Junos CoS deployment that I am often asked about by friends is how to manipulate traffic that is sourced from the routing-engine. There are multiple catches and caveats in dealing with this traffic, and different ways to manipulate this.
At a 10,000 foot level, whenever we deploy CoS we generally want to be able to manipulate route-engine sourced traffic such as ISIS, BGP, OSPF, BFD, RSVP, etc to have various different DSCP, EXP, and 802.1p markings. Firstly, we can set a policy as to the marking used for traffic sourced from the route-engine;
set class-of-service host-outbound-traffic dscp-code-point 111000 set class-of-service host-outbound-traffic ieee-802.1 default 111
You can also specify the forwarding-class that is used for processing traffic sourced from the route-engine;
set class-of-service host-outbound-traffic forwarding-class hoffs-odd-class
It’s important to note that your rewrite rules will not take effect with this traffic (by default). Even if you have specified a forwarding-class, the “host-outbound-traffic” markings will be applied outbound for this route-engine sourced traffic.
However as of Junos 12.3, Juniper have implemented a new option for “host-outbound-traffic” on the MX, which causes the router to use the rewrite-rule for each unit to put markings onto traffic from the RE (based on the forwarding-class it is assigned). This is particularly helpful where you might have multiple fibre providers providing access to your customers, each with a different markings scheme that you are required to use. Note that this is only available for the 802.1p markings (not DSCP) This is done as follows;
set class-of-service host-outbound-traffic ieee-802.1 rewrite-rules
Of course a rewrite-rule must be configured on the outbound unit for this to have effect. So if we have a rewrite-rule to map “hoffs-odd-class” traffic to a marking of 010, the traffic will be now marked as 010 on egress.
This of course does not help us for DSCP markings (it only applies to 802.1p markings). Often we will want to manipulate these. Also how would we approach this problem if we were to wanted to assign different forwarding-classes to different types of traffic being sourced from the RE? A great example of this is that while we might want to ensure that BGP is prioritised, we probably don’t need prioritisation of http traffic sourced from the RE!
The solution for this is quite clever. Most of you will know that you can firewall off all traffic to the RE (regardless of the IP it is destined to – even if that IP is on a physical interface) by applying an inbound firewall filter to the loopback. The clever thing is that you can also apply a firewall filter to all traffic leaving the RE by applying an outbound firewall filter to the loopback. If we want to ensure that all http/https traffic is put into the best-effort forwarding-class, we could do the following;
set interfaces lo0 unit 0 family inet filter output RE-QOS set firewall family inet filter RE-QOS term web from protocol tcp set firewall family inet filter RE-QOS term web from port http set firewall family inet filter RE-QOS term web from port https set firewall family inet filter RE-QOS term web then dscp be set firewall family inet filter RE-QOS term web then forwarding-class best-effort set firewall family inet filter RE-QOS term web then accept set firewall family inet filter RE-QOS term catchall then accept
This is a pretty handy tool and allows us to do a fairly fine-grained manipulation of how each traffic-type being sourced by the RE is treated. Obviously you could customise this in any way to suit your needs. However it’s worth noting that to my understanding you cannot manipulate the 802.1p markings with a firewall filter – hence why the “rewrite-rules” option becomes so important for host-oubound-traffic.
If you thought that this is all there is to marking/classifying traffic sourced from the RE, you would be wrong! On a MX router, the processing of certain control traffic is delegated to the individual line-cards (such as BFD). I have learned the hard way that the markings on this traffic are not modified by any configuration you apply to normal RE-sourced traffic.
The news is not all bad though, as there is an easy workaround for this, and not many protocols are distributed to the line cards. For this traffic, you can apply an outbound firewall filter to the interface you are doing this traffic on. As an example, here is how to ensure that BFD traffic which has been distributed to the line card is placed into the correct forwarding class and marked appropriately;
set interfaces ge-1/2/3 unit 0 family inet filter output cos-bfd-link set firewall family inet filter cos-bfd-link term 1 from protocol udp set firewall family inet filter cos-bfd-link term 1 from port 3784 set firewall family inet filter cos-bfd-link term 1 from port 3785 set firewall family inet filter cos-bfd-link term 1 then loss-priority low set firewall family inet filter cos-bfd-link term 1 then forwarding-class network-control set firewall family inet filter cos-bfd-link term 1 then dscp 111000 set firewall family inet filter cos-bfd-link term 2 then accept
Hope this helps!