Juniper SRX 210 Voice over Data traffic priority config

NORMALLY, PACKET CLASSIFICATION OR MARKING IS PERFORMED AT INGRESS AS IT IS NEEDED TO ENSURE THE CORRECT TREATMENT OF THE PACKETS IN THE SUBSEQUENT PROCESSING STAGES, WHILE PACKET QUEUING/SHAPING IS USUALLY PERFORMED AT EGRESS SINCE IT IS GENERALLY WHERE BANDWIDTH LIMITATIONS OCCUR, FORCING PACKETS TO BE EITHER DROPPED OR QUEUED.


1.1 BA Classification

To apply a BA classifier, first define a classifier, a list of code points (values of the DSCP or EXP bit field), and the associated forwarding classes and packet loss priorities. Once the classifier is defined, it can be applied to a logical interface. The loss priority and forwarding class will be determined by querying the classifier table for that interface, using the ingress DSCP/EXP bits of the packet as the index value (the determination of which bits to query is based on the protocol family MPLS, IPv6, or IP).

The classifier defines IP precedense value 101 as voice traffic and 000 as data traffic.
set class-of-service classifiers inet-precedence corp-traffic forwarding-class voice-class loss-priority low code-points 101
 
set class-of-service classifiers inet-precedence corp-traffic forwarding-class data-class loss-priority high code-points 000

1.2 Assign priority queuing to voice and data traffic

After traffic is classified, queuing and scheduling can be used to provide different levels of service for the classified traffic. In JUNOS software, forwarding classes are associated with packet queues. A traffic class is no more than a queue that is configured with a given bandwidth and scheduling priority. Several forwarding classes can be assigned to the same queue (in that sense, different forwarding classes act as aliases for a particular queue).

set class-of-service forwarding-classes queue 0 voice-class

 set class-of-service forwarding-classes queue 1 data-class

1.3 Configuring the scheduler map and voice scheduler


Once forwarding classes (and therefore queues) have been defined, it is possible to configure the way each queue is scheduled.

Each queue is configured with a given priority and transmit rate. The priority of a queue determines the order in which it is served, while the transmit rate defines how many bytes can be transmitted per scheduled interval.The simplest configuration of schedulers consists of a priority and a transmit rate for each queue. The first step is to create a scheduler template with these parameters, and a scheduler map that associates each scheduler (transmit rate and priority) with a forwarding class (and therefore with a queue).


set class-of-service scheduler-maps corp-map forwarding-class voice-class scheduler voice-sched

1.4 Define the voice and data traffic schedulers and set the priority
 

Treatment of the strict-high-priority queue, however, is different from other queues. Only one strict-high-priority queue can be configured on a logical interface. This queue has the highest priority and can use all of an interface’s bandwidth (on a strict-high-priority queue it is not possible to configure a transmit rate). A strict-high-priority queue minimizes packet delays, as it is always serviced as soon as packets arrive but can starve other queues. To avoid unintentional starvation of other queues, it is a good idea to use policers in conjunction with strict-high-priority queuing.

set class-of-service schedulers voice-sched priority strict-high
set class-of-service schedulers data-sched priority low
 

1.5 Apply the BA classifier to an input interface - fe-0/0/3.

Each physical interface can be assigned queue sets shared between all logical interfaces associated with a physical interface, or each logical interface can be assigned its own queue set, which can be configured by adding the per-unit-scheduler option to the configuration.

set class-of-service interfaces fe-0/0/3 unit 0 classifiers inet-precedence corp-traffic

Apply the scheduler map to and output interface - fe-0/0/4.

set class-of-service interfaces fe-0/0/4 scheduler-map corp-map

1.6 Configure two policers: one as voice-drop and second as voice-excess

Policing refers to the ability of a router to measure data rates and, based on this measurement, to either drop or reclassify the traffic.In simple terms, policers allow the establishment of a data rate, which, if exceeded, results in traffic being either reclassified or dropped. In order to measure traffic rates, it is important to determine a measurement interval (or burst limits, as we shall see shortly). Traffic always egresses an interface at line rate. To send traffic at a “lower speed,” bursts have to be followed by idle periods, resulting in an average transmit rate lower than the line rate.

set firewall policer voice-drop if-exceeding bandwidth-limit 350k
 
set firewall policer voice-drop if-exceeding burst-size-limit 5k
set firewall policer voice-drop then discard
set firewall policer voice-excess if-exceeding bandwidth-limit 175k
set firewall policer voice-excess if-exceeding burst-size-limit 5k
set firewall policer voice-excess then out-of-profile

1.7 Create a firewall filter voice-term that includes the new policers. First add the policer voice-drop to the term 

The configuration of a simple filter is identical to that of a standard firewall filter, but is located under the [firewall family inet simple-filter] hierarchy, with the following limitations:

  •     Allows only forwarding class, loss priority and policer actions (does not allow drop action; simple filters always accept traffic)
  •     Does not allow certain keywords/qualifiers such as except and protocol-except
  •     Does not allow non-contiguous masks
  •     Allows only one source-address and destination-address prefix per term
  • Filters and simple filters can be applied to logical interfaces both on ingress and egress:


set firewall filter voice-term term 01 from forwarding-class voice-class
 
set firewall filter voice-term term 01 then policer voice-drop
set firewall filter voice-term term 01 then next term

1.8 Then add the policer voice-excess to the term 

set firewall filter voice-term term 02 from forwarding-class voice-class

 set firewall filter voice-term term 02 then policer voice-excess
set firewall filter voice-term term 02 then accept

1.9. Apply filter voice-term to interface or vlan 

set interfaces vlan unit 7 family inet filter output voice-term

or

set interface fe-0/0/4 unit 0 family inet filter output voice-term 
set interface fe-0/0/4 unit 0 family inet address 10.1.1.4/24

For testing purposes let’s take SRX210. The data traffic and voice traffic enters the same vlan 7. We need to prioritize voice traffic over data traffic:
***
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members PC
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members PC
set interfaces vlan unit 7 family inet filter output voice-term
set interfaces vlan unit 7 family inet address 192.168.1.5/24 preferred
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols stp
set class-of-service classifiers inet-precedence corp-traffic forwarding-class voice-class loss-priority low code-points 101
set class-of-service classifiers inet-precedence corp-traffic forwarding-class data-class loss-priority high code-points 000
set class-of-service forwarding-classes queue 0 voice-classset class-of-service forwarding-classes queue 1 data-classset class-of-service interfaces fe-0/0/3 unit 0 classifiers inet-precedence corp-trafficset class-of-service interfaces fe-0/0/4 scheduler-map corp-mapset class-of-service scheduler-maps corp-map forwarding-class voice-class scheduler voice-sched
set class-of-service schedulers voice-sched priority strict-high
set class-of-service schedulers data-sched priority low
set security zones security-zone trust host-inbound-traffic system-services allset security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.7 host-inbound-traffic system-services allset security zones security-zone trust interfaces vlan.7 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/4.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/4.0 host-inbound-traffic protocols all
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set firewall policer voice-drop if-exceeding bandwidth-limit 350k
set firewall policer voice-drop if-exceeding burst-size-limit 5k
set firewall policer voice-drop then discard
set firewall policer voice-excess if-exceeding bandwidth-limit 175kset firewall policer voice-excess if-exceeding burst-size-limit 5k
set firewall policer voice-excess then out-of-profile
set firewall filter voice-term term 01 from forwarding-class voice-class
set firewall filter voice-term term 01 then policer voice-drop
set firewall filter voice-term term 01 then next term
set firewall filter voice-term term 02 from forwarding-class voice-class
set firewall filter voice-term term 02 then policer voice-excessset firewall filter voice-term term 02 then accept
set vlans PC vlan-id 7
set vlans PC l3-interface vlan.7


Now check the results:

>show firewall

Filter: voice-term

Policers:

Name                                              Packets

voice-drop-01                                         93

voice-excess-02                                      60


Comments

Popular posts from this blog

HPE MSR series router NAT, DHCP, SSH config

Juniper SRX Routing Instances Configuration and Importing Routes to and from virtual routers

Install Junos with USB