Welcome December! In my previous blog post, in haste I neglected to test my QoS configuration, and found, using the interface stats command (show interfaces extensive ge-X/X/X), that all of the packets were being sent under the Best Effort class.
This evening I updated it to follow the Juniper multifield classifier, and also enabled DSCP.
Under firewall > family inet, I changed the filter to the following:
filter mf-classifier {
    term ssh {
        from {
            protocol [ tcp udp ];
            port 22;
        }
        then {
            forwarding-class Premium-data;
            accept;
        }
    }
    term counterstrike1 {
        from {
            protocol [ tcp udp ];
            port 27015;
        }
        then {
            forwarding-class Premium-data;
            accept;
        }
    }
    term counterstrike2 {
        from {
            protocol [ tcp udp ];
            port 27020;
        }
        then {
            forwarding-class Premium-data;
            accept;
        }
    }
    term counterstrike3 {
        from {
            protocol [ tcp udp ];
            port 27005;
        }
        then {
            forwarding-class Premium-data;
            accept;
        }
    }
    term counterstrike4 {
        from {
            protocol [ tcp udp ];
            port 51840;
        }
        then {
            forwarding-class Premium-data;
            accept;
        }
    }
    term wificalling1 {
        from {
            protocol [ tcp udp ];
            port 500;
        }
        then {
            forwarding-class Voice;
            accept;
        }
    }
    term wificalling2 {
        from {
            protocol [ tcp udp ];
            port 4500;
        }
        then {
            forwarding-class Voice;
            accept;
        }
    }
    term spotify {
        from {
            protocol [ tcp udp ];
            port 4070;
        }
        then {
            forwarding-class Voice;
            accept;
        }
    }
    term sip {
        from {
            protocol [ tcp udp ];
            port 5060-5061;
        }
        then {
            forwarding-class Voice;
            accept;
        }
    }
    term rtp {
        from {
            protocol [ tcp udp ];
            port 16384-32767;
        }
        then {
            forwarding-class Voice;
            accept;
        }
    }
    term webex {
        from {
            protocol [ tcp udp ];
            port 9000;
        }
        then {
            forwarding-class Voice;
            accept;
        }
    }
    term CORP {
        from {
            address {
                192.168.5.0/24;
            }
            protocol [ tcp udp ];
        }
        then {
            forwarding-class Voice;
            accept;
        }
    }
    term accept-all {
        then accept;
    }
}
Then, under class-of-service, I defined:
class-of-service {
    forwarding-classes {
        queue 0 BE-data;
        queue 1 Premium-data;
        queue 2 Voice;
        queue 3 NC;
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
    }
}
Then under interfaces, I specified the interfaces as (example):
ge-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.10.254/24;
            filter {
                input mf-classifier;
                output mf-classifier;
            }
        }
    }
}
This can be verified by issuing the statistics command noted above:
Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 BE-data               17300925             17300925                    0
    1 Premium-data                 0                    0                    0
    2 Voice                      125                  125                    0
    3 NC                           5                    5                    0
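As an added example (not part of the original post), here is a small Python parser for the Queue counters table above. It reports each forwarding class's share of transmitted packets and flags classes that never receive traffic, which is the symptom described at the top of the post. The function names and finding messages are assumptions of this example; the sample counters are the ones shown above.

```python
import re

# Queue counters copied from the post's "show interfaces extensive" output.
SAMPLE = """\
Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 BE-data               17300925             17300925                    0
    1 Premium-data                 0                    0                    0
    2 Voice                      125                  125                    0
    3 NC                           5                    5                    0
"""

# One table row: queue number, forwarding-class name, three packet counters.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_queue_counters(text):
    """Return {class: {queue, queued, transmitted, dropped}} for the first table."""
    rows, in_table = {}, False
    for line in text.splitlines():
        if line.lstrip().startswith("Queue counters:"):
            if rows:
                break  # a second table starts; keep only the first
            in_table = True
            continue
        if not in_table:
            continue  # skip everything before the table header
        m = ROW.match(line)
        if m is None:
            if rows:
                break  # first non-row line after the rows ends the table
            continue
        queue, name, queued, sent, dropped = m.groups()
        rows[name] = {"queue": int(queue), "queued": int(queued),
                      "transmitted": int(sent), "dropped": int(dropped)}
    return rows

def audit(rows, best_effort="BE-data"):
    """Return (share of transmitted packets per class, list of findings)."""
    total = sum(r["transmitted"] for r in rows.values())
    shares = {n: (r["transmitted"] / total if total else 0.0) for n, r in rows.items()}
    findings = []
    for name, r in rows.items():
        if name != best_effort and r["transmitted"] == 0:
            findings.append(f"{name}: no packets classified into this queue")
        if r["dropped"]:
            findings.append(f"{name}: {r['dropped']} packets dropped")
    if rows and all(r["transmitted"] == 0 for n, r in rows.items() if n != best_effort):
        findings.append("all traffic is best effort: classifier or filter is not applied")
    return shares, findings
```

Run against the counters above, `audit(parse_queue_counters(SAMPLE))` reports a single finding, for Premium-data, which carries no packets at all.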
The definitions of these forwarding classes, which are built into the default configuration, are (source: Default Forwarding Classes):
My hope (in time I will test) is that DSCP will also be picked up. These are flags that software introduces into packets to assist upstream routers. The story doesn't end here though, as recent versions of Windows will overwrite any of these to zero, which is problematic (Cisco Article). Fortunately this can be re-enabled in the registry for non-domain-joined hosts as follows:
HKEY_LOCAL_MACHINE > CurrentControlSet > Services > tcpip > QoS
1. Go to HKLM\System\CurrentControlSet\Services\Tcpip\QoS. If the "QoS" folder doesn't exist there, create it.
2. Add a DWORD parameter named "Do not use NLA" and assign "1" as its value.
3. Reboot.
I need to spend some time to see if this takes effect - results for the above are mixed in forum discussions. For now my hope is any non-DSCP tagged packets will be picked up by the port and IP based rules at the SRX level.
December 01, 2020