Class of Service Classifiers

During my second JNCIE-SEC study and after another unfortunate failure, I stepped back a little
bit. Sometimes I need to break for a while to recharge my battery. I am still not sure if I am fully
re-charged though but I have to move on. As my little doughter already went to bed, I can
continue with Class of Service which I think I have never written about before. Feel free to
correct my mistakes.
On this post, I will only write about how we can classify a packet and send it to an interface
queue which can be a good start for anyone who doesnt know CoS. You will find a basic setup
below and branchK SRX device (which is actually a 12.1X47-D10 firefly VM) will handle the
classification of an ICMP packet as an example. The purpose of this post is only about
classification. I wont talk about scheduling etc. Along the road, I will try to talk about more for
each of these config items but first I would like to show a working example. Lets get started.

Only configuration is done under [edit class-of-service] level and nowhere else in this post.
Below you also see step by step the function of each config stanza.
[edit class-of-service]
root@BranchK# show
classifiers {
dscp sip-traffic {

1
2
3
4
5
6
7
8

[edit class-of-service]
root@BranchK# show
classifiers {
dscp sip-traffic {
forwarding-class assured-forwarding { <<<-------- 2)
loss-priority low code-points af22;
}
}

9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

}
forwarding-classes {
<<<--------- 1)
queue 2 assured-forwarding priority high;
}
interfaces {
ge-0/0/0 {
unit 403 {
classifiers {
dscp sip-traffic;
<<<----------- 5)
}
}
}
}
scheduler-maps {
sec-map1 {
forwarding-class assured-forwarding scheduler voice-sd; <<<------- 4)
}
}
schedulers {
voice-sd {
<<<-------- 3)
buffer-size percent 50;
priority high;
}
}

1) Create a forwarding class or use built-in one assured-forwarding for this example

2) Assign code points/bits to forwarding class

3) Create scheduler

4) Create a scheduler map and assign scheduler(s) you created to forwarding classes

5) and finally apply the classifier you created on the INPUT interface

So what does this config literally mean? It means that If a packet enters the interface ge0/0/0.403 and has the DSCP field is set to 010100 (which is AF22), assign it to Assured
Forwarding class which is sent to Queue number 2. This may not still be clear but I will show
you this by an example.
From the HostE linux device connected, I will send a single ICMP packet with modified DSCP
field i.e set to 010100
Lets ping Google DNS server with our modified ICMP packet

root@hostE:~/Labs# ping -Q 80
PING 8.8.8.8 (8.8.8.8) 56(84) by
64 bytes from 8.8.8.8: icmp_req

1
2
3
4
5
6
7

root@hostE:~/Labs# ping -Q 80 8.8.8.8 -c 1

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=45 time=25.2 ms
--- 8.8.8.8 ping statistics --1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 25.216/25.216/25.216/0.000 ms
-Q 80 means change the ToS field. You can check ping manual for more details.
Check the assured-forwarding packet counter.
[edit
class-of-service]
root@BranchK# run show inter
Physical interface: ge-0/0/0, Ena

[edit class-of-service]
1 root@BranchK# run show interfaces ge-0/0/0 extensive
2 Physical interface: ge-0/0/0, Enabled, Physical link is Up
3 Interface index: 134, SNMP ifIndex: 507, Generation: 137
4 Link-level type: Ethernet, MTU: 1518, Link-mode: Full-duplex, Speed: 1000mbps, BPDU
5 Error: None, MAC-REWRITE Error: None,
6
7 CoS queues : 8 supported, 8 maximum usable queues
8 ....
9
10 Queue counters:
Queued packets Transmitted packets
Dropped packets
11 0 best-effort
16
16
0
12 1 expedited-fo
0
0
0
13 2 assured-forw
1
1
0 <<<------- Single ICMP packet is
14 sent to Queue 2
15 3 network-cont
0
0
0
16 Queue number:
Mapped forwarding classes
17 0
best-effort
18 1
expedited-forwarding
19 2
assured-forwarding
3
network-control

We took the packet on 0.403 interface and sent it via 0.402 but egress queue is assuredforwarding instead of the best-effort which is by default. Lets also have a look how this
transmitted packet looks like in wireshark.

As you can see we modified the DSCP field!

Note: Dont worry about source IP address. It is the natted address and I make up all IP address
for my lab.
For beginning, it is just an introduction. I hope to do more fancy stuff later. Stay tuned!