[j-nsp] Thoroughly confused about matching forwarding class in firewall filters

John Neiberger jneiberger at gmail.com
Tue Jan 14 10:28:13 EST 2014


On Tue, Jan 14, 2014 at 1:31 AM, Mark Tinka <mark.tinka at seacom.mu> wrote:
> On Tuesday, January 14, 2014 12:39:34 AM John Neiberger
> wrote:
>
>> It doesn't have a forwarding class named VOIP-BEARER at
>> all. So, how in the world does matching on a forwarding
>> class in a firewall filter work? How does the filter
>> know which forwarding class is being referenced if you
>> match on a forwarding class? And in my case, the egress
>> interface does not have a forwarding class with that
>> name in the classifier associated with the interface, so
>> what is the firewall filter even matching?
>
> Junos classifiers (BA behaviour classification) are an
> ingress feature. They look at the TC and assign that traffic
> to a forwarding class based on the TC value.
>

Ah. I get it. The forwarding class is somewhat analogous to qos-groups
in IOS XR. Traffic doesn't get assigned to them until you assign
something to them, and they have no intrinsic meaning. Their use is
all in how you apply them.

> On egress, the schedulers then de-queue traffic based on the
> scheduler. The scheduler takes its information from
> properties configured for a forwarding class.
>
> My suggestion, rather than match on forwarding class, why
> don't you match on TC value, e.g., "from dscp" or "from exp"
> or "from learn-vlan-1p-priority"?
>

Got it. Makes perfect sense. We either need to associate this traffic
with the appropriate forwarding class on ingress or change the egress
filter to match on something in the packet itself, like DSCP.

Thanks to all for the help, I really appreciate it!

John

