Let's say you have a network with VoIP handsets internally and a SIP proxy externally. You will want to make sure the SIP traffic gets better treatment at the firewall, particularly if the internet and VoIP traffic are running over the same WAN link. So how do you implement this in JUNOS?
The steps in a nutshell are:
– set up the class-of-service schedulers,
– then map the schedulers to the forwarding classes,
– then apply the firewall filter terms to move the packets into the forwarding classes,
– then apply the firewall filter to the interface.
On proper networks you go one step further and set DSCP bits (i.e. you tag packets with a DSCP value), so that when they hit the next router, that next hop knows what type of packet it is (based on the DSCP bits) and classifies the packet appropriately. At the moment we are basically using Class of Service for bandwidth shaping and packet prioritisation only; these settings get lost when the packet hits the next hop, but it is assumed that the upstream router is not congested. If the upstream hop is congested, then you need to speak with your ISP and work with them to implement CoS or to fix their end!
So here is the syntax – this example is for a 10 Mbps circuit:
set class-of-service forwarding-classes queue 1 real-time
set class-of-service forwarding-classes queue 2 burst-hi
set class-of-service forwarding-classes queue 0 best-effort
set class-of-service forwarding-classes queue 3 network-control
set class-of-service forwarding-classes queue 4 ddn
set class-of-service scheduler-maps cos-map forwarding-class best-effort scheduler be-scheduler
set class-of-service scheduler-maps cos-map forwarding-class burst-hi scheduler bh-scheduler
set class-of-service scheduler-maps cos-map forwarding-class real-time scheduler rt-scheduler
set class-of-service scheduler-maps cos-map forwarding-class network-control scheduler nc-scheduler
set class-of-service scheduler-maps cos-map forwarding-class ddn scheduler ddn-scheduler
set class-of-service schedulers nc-scheduler transmit-rate 500k
set class-of-service schedulers nc-scheduler buffer-size percent 10
set class-of-service schedulers nc-scheduler priority high
set class-of-service schedulers rt-scheduler transmit-rate 2m
set class-of-service schedulers rt-scheduler buffer-size percent 30
set class-of-service schedulers rt-scheduler priority high
set class-of-service schedulers bh-scheduler transmit-rate 100k
set class-of-service schedulers bh-scheduler buffer-size percent 10
set class-of-service schedulers bh-scheduler priority medium-high
set class-of-service schedulers be-scheduler transmit-rate 6m
set class-of-service schedulers be-scheduler transmit-rate exact
set class-of-service schedulers be-scheduler buffer-size remainder
set class-of-service schedulers be-scheduler priority low
set class-of-service schedulers ddn-scheduler transmit-rate 1m
set class-of-service schedulers ddn-scheduler transmit-rate exact
set class-of-service schedulers ddn-scheduler buffer-size percent 20
set class-of-service schedulers ddn-scheduler priority low
set firewall family inet filter ddn-traffic term a from protocol icmp
set firewall family inet filter ddn-traffic term a then forwarding-class network-control
set firewall family inet filter ddn-traffic term a then accept
set firewall family inet filter ddn-traffic term 1 from source-address /32
set firewall family inet filter ddn-traffic term 1 then forwarding-class real-time
set firewall family inet filter ddn-traffic term 1 then accept
set firewall family inet filter ddn-traffic term 2 from destination-address /32
set firewall family inet filter ddn-traffic term 2 then forwarding-class real-time
set firewall family inet filter ddn-traffic term 2 then accept
set firewall family inet filter ddn-traffic term default then policer throttle
set firewall family inet filter ddn-traffic term default then forwarding-class best-effort
set firewall family inet filter ddn-traffic term default then accept
set firewall policer throttle if-exceeding bandwidth-limit 6m
set firewall policer throttle if-exceeding burst-size-limit 500k
set firewall policer throttle then discard
set interfaces fe-0/0/7 description "LAN NETWORK"
set interfaces fe-0/0/7 unit 0 family inet filter input ddn-traffic
set interfaces fe-0/0/7 unit 0 family inet filter output ddn-traffic
set interfaces fe-0/0/7 unit 0 family inet address 192.168.1.1/24
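As an added example (not from the original post), here is a small Python checker that reads a set-style config like the one above and flags the mistakes that quietly defeat this setup: a filter term steering traffic into a forwarding class that was never defined, a class with no scheduler, a scheduler map that is never applied to an interface (JUNOS needs `set class-of-service interfaces <ifname> scheduler-map cos-map`, which the listing above does not show), and guaranteed transmit-rates that add up to more than the circuit. The config excerpt is constructed from the page's own lines, with one deliberately bad term added so the checker has something to find.

```python
import re

# Constructed excerpt of the page's "set" config (10 Mbps circuit); term 2 is a
# deliberate error added here: it points at a forwarding class nobody defined.
CONFIG = """
set class-of-service forwarding-classes queue 1 real-time
set class-of-service forwarding-classes queue 0 best-effort
set class-of-service forwarding-classes queue 3 network-control
set class-of-service scheduler-maps cos-map forwarding-class best-effort scheduler be-scheduler
set class-of-service scheduler-maps cos-map forwarding-class real-time scheduler rt-scheduler
set class-of-service scheduler-maps cos-map forwarding-class network-control scheduler nc-scheduler
set class-of-service schedulers nc-scheduler transmit-rate 500k
set class-of-service schedulers rt-scheduler transmit-rate 2m
set class-of-service schedulers be-scheduler transmit-rate 6m
set class-of-service schedulers be-scheduler transmit-rate exact
set firewall family inet filter ddn-traffic term a then forwarding-class network-control
set firewall family inet filter ddn-traffic term 1 then forwarding-class real-time
set firewall family inet filter ddn-traffic term 2 then forwarding-class voice
"""
UNITS = {"k": 10**3, "m": 10**6, "g": 10**9}

def parse_rate(text):
    """Convert a JUNOS rate such as '500k' or '2m' to bit/s; None for 'exact' etc."""
    m = re.fullmatch(r"(\d+)([kmg]?)", text)
    return int(m.group(1)) * UNITS.get(m.group(2), 1) if m else None

def check_cos(config, link_bps):
    """Return a list of findings for a JUNOS CoS + firewall-filter 'set' config."""
    classes, maps, sched_of, rates, used, bound = set(), set(), {}, {}, set(), set()
    for line in config.strip().splitlines():
        w = line.split()
        if w[1:3] == ["class-of-service", "forwarding-classes"]:
            classes.add(w[5])                       # ... queue N <class>
        elif w[1:3] == ["class-of-service", "scheduler-maps"]:
            maps.add(w[3])                          # ... <map> forwarding-class <fc> scheduler <s>
            sched_of[w[5]] = w[7]
        elif w[1:3] == ["class-of-service", "interfaces"] and "scheduler-map" in w:
            bound.add(w[w.index("scheduler-map") + 1])
        elif w[1:3] == ["class-of-service", "schedulers"] and "transmit-rate" in w:
            bps = parse_rate(w[w.index("transmit-rate") + 1])   # 'exact' line is skipped
            if bps is not None:
                rates[w[3]] = bps
        elif w[1] == "firewall" and "forwarding-class" in w:
            used.add(w[w.index("forwarding-class") + 1])
    out = [f"filter steers traffic to undefined forwarding-class '{fc}'" for fc in sorted(used - classes)]
    out += [f"forwarding-class '{fc}' has no scheduler in any scheduler-map" for fc in sorted(classes - set(sched_of))]
    out += [f"scheduler-map '{m}' is not applied to any interface" for m in sorted(maps - bound)]
    total = sum(rates.values())
    if total > link_bps:
        out.append(f"guaranteed transmit-rates sum to {total} bit/s, above the {link_bps} bit/s link")
    return out
```

Run it against your real config export (`show configuration | display set`) with the circuit's actual rate; an empty list means the four checks passed, and the rate check deliberately counts only guaranteed rates, not `buffer-size remainder` or the policer.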
After this is done you can see all the packet magic with the following command – note the queue counter portion:
root@SRX# run show interfaces fe-0/0/7 extensive
Physical interface: fe-0/0/7, Enabled, Physical link is Up
Queue counters:       Queued packets  Transmitted packets      Dropped packets
  0 best-effort            340328019            340328019                    0
  1 real-time                  50253                50253                    0
  2 burst-hi                       0                    0                    0
  3 network-cont             132115               132115                    0
  4 ddn                            0                    0                    0
Queue number:         Mapped forwarding classes
  0                   best-effort
  1                   real-time
  2                   burst-hi
  3                   network-control
  4                   ddn