[j-nsp] Thoroughly confused about matching forwarding class in firewall filters

John Neiberger jneiberger at gmail.com
Mon Jan 13 17:39:34 EST 2014


I'm trying to troubleshoot a one-way audio problem and I'm very
confused. The traffic is marked as EF but it's not making it to the
destination. The egress interface has a firewall filter that at first
glance appears to permit all EF:

term permit-fec-ef {
    from {
        forwarding-class VOIP-BEARER;
    }
    then {
        count fec-ef;
        accept;
    }
}

However, I wondered about the forwarding class and how it is
configured or derived when applied to a firewall filter. I'm still
fairly green when it comes to Junos, so the first place I checked was
"show configuration class-of-service forwarding-classes" but that just
showed me this:

class VOIP-BEARER queue-num 3 priority high;

That's clearly not what I'm looking for because that has no way to
identify the traffic.

Next, I thought perhaps it was configured under the classifiers, so I
looked there. However, I found several classifiers that had the same
forwarding class configured, so now I think that there must be a way
to know which of those forwarding classes is really being referred to
in the firewall filter. I next assume that the forwarding class must
be related to the one associated with the classifier applied to the
interface. This is a subinterface that has an ieee-802.1p classifier
associated with it named DOT1P-CLASSIFIER, which looks like this:

forwarding-class BASIC-DATA {
    loss-priority low code-points [ DOT1P-0 DOT1P-1 DOT1P-2 DOT1P-4 DOT1P-6 DOT1P-7 ];
}
forwarding-class PRIORITY-DATA {
    loss-priority high code-points DOT1P-3;
}
forwarding-class PREMIUM-DATA {
    loss-priority low code-points DOT1P-5;
}

It doesn't have a forwarding class named VOIP-BEARER at all. So, how
in the world does matching on a forwarding class in a firewall filter
work? How does the filter know which forwarding class is being
referenced if you match on a forwarding class? And in my case, the
egress interface does not have a forwarding class with that name in
the classifier associated with the interface, so what is the firewall
filter even matching?

Junos class of service is the bane of my existence. Once in a while I
think I have figured out how all these pieces fit together, but
then something like this comes up and ruins my fantasy. :-)
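Added configuration example, not from the poster's router: it shows the chain a Junos firewall-filter match on forwarding-class actually depends on, namely the global forwarding-class name, the classifier on the ingress interface that assigns it, and the egress filter that tests it. The interface name ge-0/0/0 unit 100, the classifier name VOIP-DSCP-CLASSIFIER and the filter name EGRESS-VOIP are assumptions.

```junos
/* Constructed example. Forwarding classes are global names; the classifier
   on the INGRESS interface assigns one to each packet, and an egress filter
   matches whatever class was assigned there. The classifier attached to the
   egress subinterface plays no part in that match. */
class-of-service {
    forwarding-classes {
        class VOIP-BEARER queue-num 3 priority high;
        class BASIC-DATA queue-num 0;
    }
    classifiers {
        dscp VOIP-DSCP-CLASSIFIER {
            /* EF (DSCP 46) is what the audio stream carries */
            forwarding-class VOIP-BEARER {
                loss-priority low code-points ef;
            }
        }
    }
    interfaces {
        /* hypothetical ingress interface: this binding decides the class */
        ge-0/0/0 {
            unit 100 {
                classifiers {
                    dscp VOIP-DSCP-CLASSIFIER;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter EGRESS-VOIP {
            term permit-fec-ef {
                from {
                    forwarding-class VOIP-BEARER;
                }
                then {
                    count fec-ef;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
/* Checks: "show class-of-service interface ge-0/0/0" lists the classifier
   in effect at ingress; "show firewall filter EGRESS-VOIP" shows the fec-ef
   counter climbing only for packets classified VOIP-BEARER at ingress. */
```

If the ingress interface carries no classifier that maps EF to VOIP-BEARER, the packets arrive at the egress filter in the default class and never hit permit-fec-ef, which is a plausible way for "marked EF but not counted" to happen.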

