[j-nsp] Thoroughly confused about matching forwarding class in firewall filters
Mark Tinka
mark.tinka at seacom.mu
Tue Jan 14 03:31:59 EST 2014
On Tuesday, January 14, 2014 12:39:34 AM John Neiberger
wrote:
> It doesn't have a forwarding class named VOIP-BEARER at
> all. So, how in the world does matching on a forwarding
> class in a firewall filter work? How does the filter
> know which forwarding class is being referenced if you
> match on a forwarding class? And in my case, the egress
> interface does not have a forwarding class with that
> name in the classifier associated with the interface, so
> what is the firewall filter even matching?

Junos classifiers (BA behaviour classification) are an
ingress feature. They look at the TC and assign that traffic
to a forwarding class based on the TC value.

On egress, the schedulers then de-queue traffic based on the
scheduler. The scheduler takes its information from
properties configured for a forwarding class.

My suggestion, rather than match on forwarding class, why
don't you match on TC value, e.g., "from dscp" or "from exp"
or "from learn-vlan-1p-priority"?

> Junos class of service is the bane of my existence. Once
> in a while I think I have it figured out how all these
> pieces fit together, but then something like this comes
> up and ruins my fantasy. :-)

You and me both.

I have to admit that hardware constraints aside (which
apply to all vendors anyway), I still find Cisco's
flexibility with MQC better.

That said, things are happening on the Juniper side. I hope
to give more details in the near future.

Cheers,

Mark.