[j-nsp] Juniper Equivalent to Cisco's qos pre-classify?
Devin Kennedy
devinkennedy415 at hotmail.com
Tue Jun 7 14:41:54 EDT 2011
Thanks Jon. Actually we need this to work on the SRX210, SRX240, J4350 and
M7i. We did find that we were able to add an input/output filter in order to
classify on the sp- interface, but the SRX/J boxes don't allow application
of a filter at all for the st0 interface, it seems.
Thanks for the input in regards to the M-series, however; this will help us
with the M7i for sure.
From: Jonathan Looney [mailto:jonlooney at gmail.com]
Sent: Tuesday, June 07, 2011 2:16 PM
To: Devin Kennedy
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Juniper Equivalent to Cisco's qos pre-classify?
You didn't specify the platform.
If you're speaking of something with an AS or MS card/module of some kind,
then you can do this by classifying the pre-encrypted packet anytime between
input and encryption. If you want to classify it on output to the encryption
module, you would apply the classifier to the appropriate (inside) unit on
the sp-* interface. I believe you can even apply a re-write rule on that
interface that will change the original (unencrypted) packet's ToS bits as
it is transmitted to the AS/MS card/module for encryption. The ToS bits should
get copied to the ESP (encrypted) packet's IP header, and I believe the
router should maintain the previously-assigned forwarding class and loss
priority for the packet. You'll just need to make sure you don't
accidentally change the forwarding class/loss priority as the encrypted
packet makes its way through the router a second time. Then, if desired, you
can apply a custom rewrite rule on output. (Keep in mind that - if I recall
correctly - the default IP precedence output rule may cause packets from
other forwarding classes to be marked as best effort.)
If you're speaking of an SRX device, then I can't help you definitively.
However, I suspect it may work in a similar way if you substitute st
interface for sp-* interface in the above.
Hope that helps.
-Jon
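A Junos set-style sketch of the M-series approach Jon outlines above, added here as an illustration and not taken from the thread: a multifield filter on the inside sp- unit sets the forwarding class while the cleartext 5-tuple is still visible, a rewrite rule on that unit marks the ToS that ESP will copy, and a precedence classifier on the outside unit keeps the class from falling back to best effort on the packet's second pass. The slot (sp-1/2/0), unit numbering, filter and rule names, and the UDP/5060 match are assumed, and whether the rewrite rule is accepted on an sp- unit is, as Jon says, something to confirm on the box.

```junos
set firewall family inet filter MF-PRE-ENCRYPT term voice from protocol udp
set firewall family inet filter MF-PRE-ENCRYPT term voice from destination-port 5060
set firewall family inet filter MF-PRE-ENCRYPT term voice then forwarding-class expedited-forwarding
set firewall family inet filter MF-PRE-ENCRYPT term voice then loss-priority low
set firewall family inet filter MF-PRE-ENCRYPT term voice then accept
set firewall family inet filter MF-PRE-ENCRYPT term rest then accept

set interfaces sp-1/2/0 unit 1 service-domain inside
set interfaces sp-1/2/0 unit 1 family inet filter output MF-PRE-ENCRYPT
set interfaces sp-1/2/0 unit 2 service-domain outside

set class-of-service rewrite-rules inet-precedence PRE-ENCRYPT-MARK forwarding-class expedited-forwarding loss-priority low code-point 101
set class-of-service interfaces sp-1/2/0 unit 1 rewrite-rules inet-precedence PRE-ENCRYPT-MARK

set class-of-service classifiers inet-precedence POST-ENCRYPT-CLASS forwarding-class expedited-forwarding loss-priority low code-points 101
set class-of-service interfaces sp-1/2/0 unit 2 classifiers inet-precedence POST-ENCRYPT-CLASS
```

The final `term rest` is needed because a filter with no matching term discards the packet; without it all non-voice traffic to the PIC would be dropped rather than sent best effort.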
On Tue, Jun 7, 2011 at 11:19 AM, Devin Kennedy <devinkennedy415 at hotmail.com>
wrote:
Hello:
I'm trying to get our current CoS configurations to work with IPsec. I know
that the ToS bits are copied to the IP header that ESP places on the
encrypted payload. However, we are currently utilizing MF classifiers, so
we are classifying based on dest/source addresses and ports. The problem is
that the classification happens after encryption so all of our packets are
being sent to the BE queue (since the TCP header is no longer visible after
encryption).
Is anyone aware of a command or a method of accomplishing the same thing as
Cisco's "qos pre-classify" command so that the classification is done before
the encryption process?
Thanks for any help on this.
Best Regards,
Devin J Kennedy
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp