The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DoDIN Technical Profile.

From Juniper Router RTR Security Technical Implementation Guide

Part of SRG-NET-000193-RTR-000113

Associated with: CCI-001095

JUNI-RT-000740_rule The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DoDIN Technical Profile.

Vulnerability discussion

Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to manage network congestion. The Differentiated Services Model (DiffServ) is based on per-hop behavior by categorizing traffic into different classes and enabling each node to enforce a forwarding treatment to each packet as dictated by a policy. Packet markings such as IP Precedence and its successor, Differentiated Services Code Points (DSCP), were defined along with specific per-hop behaviors for key traffic types to enable a scalable QoS solution. DiffServ QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. It is imperative that end-to-end QoS is implemented within the IP core network to provide preferred treatment for mission-critical applications.

Check content

Review the router configuration and verify that a QoS policy has been configured to provide preferred treatment for mission-critical applications in accordance with the QoS DoDIN Technical Profile. PE routers are responsible for classifying customer traffic and setting the forwarding class.

Verify that a Multifield (MF) classifier has been configured to classify traffic based on protocol and ports as shown in the example below.

firewall {
    family inet {
        …
        filter CLASSIFY_TRAFFIC {
            term SIP {
                from {
                    protocol tcp;
                    port 5060;
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term RTP {
                from {
                    protocol udp;
                    port 16384-32767;
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term H.323 {
                from {
                    protocol tcp;
                    port 1720;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term VIDEO_GK {
                from {
                    protocol udp;
                    port 1718-1719;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term VIDEO_BEARER {
                from {
                    protocol udp;
                    port 3230-3235;
                }
                then {
                    loss-priority low;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term SSH {
                from {
                    protocol tcp;
                    port ssh;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term TACACS {
                from {
                    protocol tcp;
                    port tacacs;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term SNMP {
                from {
                    protocol tcp;
                    port snmp;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term ICMP {
                from {
                    protocol icmp;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term OSPF {
                from {
                    protocol ospf;
                }
                then {
                    forwarding-class network-control;
                    accept;
                }
            }
            term PIM {
                from {
                    protocol pim;
                }
                then {
                    forwarding-class network-control;
                    accept;
                }
            }
            term ACCEPT_OTHER {
                then {
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
    }
}

Verify that the classifier filter is bound in the input direction on all CE-facing interfaces as shown in the example below.

interfaces {
    ge-0/0/0 {
        description "Customer 1";
        unit 0 {
            family inet {
                filter {
                    input CLASSIFY_TRAFFIC;
                }
                address x.x.x.x/30;
            }
        }
    }
}

Verify that drop profiles and schedulers have been configured that define how queued egress packets are prioritized.

class-of-service {
    drop-profiles {
        LOW_DROP {
            fill-level 95 drop-probability 0;
            fill-level 100 drop-probability 100;
        }
        HIGH_DROP {
            fill-level 50 drop-probability 10;
            fill-level 95 drop-probability 100;
        }
    }
    schedulers {
        VOIP_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority high;
        }
        CONTROL_PLANE_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority medium-high;
        }
        VIDEO_SCHED {
            transmit-rate percent 20;
            buffer-size percent 20;
            priority medium-high;
            drop-profile-map loss-priority low protocol any drop-profile LOW_DROP;
        }
        MGMT_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority medium-low;
            drop-profile-map loss-priority high protocol any drop-profile HIGH_DROP;
        }
        BEST_EFFORT_SCHED {
            transmit-rate percent 50;
            buffer-size percent 50;
            priority low;
        }
    }
}

Verify that scheduler maps have been configured to link the forwarding classes to schedulers as shown in the example below.

class-of-service {
    …
    scheduler-maps {
        QOS_SCHED_MAP {
            forwarding-class expedited-forwarding scheduler VOIP_SCHED;
            forwarding-class network-control scheduler CONTROL_PLANE_SCHED;
            forwarding-class assured-forwarding scheduler MGMT_SCHED;
            forwarding-class best-effort scheduler BEST_EFFORT_SCHED;
        }
    }
}

Verify that the configured QoS scheduler map has been applied to all interfaces and that the rewrite rules have been applied to all core-facing interfaces as shown in the example below.

class-of-service {
    …
    interfaces {
        ge-0/0/1 {
            scheduler-map QOS_SCHED_MAP;
            unit 0 {
                rewrite-rules {
                    dscp default;
                }
            }
        }
        ge-0/1/1 {
            scheduler-map QOS_SCHED_MAP;
            unit 0 {
                rewrite-rules {
                    dscp default;
                }
            }
        }
        ge-1/0/0 {
            scheduler-map QOS_SCHED_MAP;
        }
        ge-1/0/1 {
            scheduler-map QOS_SCHED_MAP;
        }
    }
}

If the router is not configured to enforce a QoS policy in accordance with the QoS DoDIN Technical Profile, this is a finding.
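The verification steps above can be scripted against the output of "show configuration | display set". The Python audit below is an added example written for this page; it is not part of the STIG, of Junos, or of any Juniper tool. It assumes the auditor supplies which physical interfaces are CE-facing and which are core-facing (the configuration itself does not record that role), and the embedded sample configuration is constructed, deliberately leaving one CE-facing port without the CLASSIFY_TRAFFIC classifier so the audit has something to report.

```python
"""Audit Junos 'display set' output against the QoS checks in JUNI-RT-000740.

Added example, not STIG or Juniper code. Interface roles are assumptions
supplied by the caller; SAMPLE_CONFIG is constructed for illustration.
"""
from collections import defaultdict

# The four default forwarding classes a complete scheduler map must cover.
REQUIRED_CLASSES = {"expedited-forwarding", "assured-forwarding",
                    "network-control", "best-effort"}

# Constructed sample: ge-0/0/0 and ge-1/0/0 are treated as CE-facing,
# ge-0/0/1 as core-facing. ge-1/0/0 is intentionally missing its classifier.
SAMPLE_CONFIG = """\
set firewall family inet filter CLASSIFY_TRAFFIC term SIP from protocol tcp
set firewall family inet filter CLASSIFY_TRAFFIC term SIP from port 5060
set firewall family inet filter CLASSIFY_TRAFFIC term SIP then forwarding-class expedited-forwarding
set firewall family inet filter CLASSIFY_TRAFFIC term SIP then accept
set firewall family inet filter CLASSIFY_TRAFFIC term OSPF from protocol ospf
set firewall family inet filter CLASSIFY_TRAFFIC term OSPF then forwarding-class network-control
set firewall family inet filter CLASSIFY_TRAFFIC term OSPF then accept
set firewall family inet filter CLASSIFY_TRAFFIC term ACCEPT_OTHER then forwarding-class best-effort
set firewall family inet filter CLASSIFY_TRAFFIC term ACCEPT_OTHER then accept
set interfaces ge-0/0/0 unit 0 family inet filter input CLASSIFY_TRAFFIC
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-1/0/0 unit 0 family inet address 192.0.2.5/30
set class-of-service scheduler-maps QOS_SCHED_MAP forwarding-class expedited-forwarding scheduler VOIP_SCHED
set class-of-service scheduler-maps QOS_SCHED_MAP forwarding-class network-control scheduler CONTROL_PLANE_SCHED
set class-of-service scheduler-maps QOS_SCHED_MAP forwarding-class assured-forwarding scheduler MGMT_SCHED
set class-of-service scheduler-maps QOS_SCHED_MAP forwarding-class best-effort scheduler BEST_EFFORT_SCHED
set class-of-service interfaces ge-0/0/0 scheduler-map QOS_SCHED_MAP
set class-of-service interfaces ge-0/0/1 scheduler-map QOS_SCHED_MAP
set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules dscp default
set class-of-service interfaces ge-1/0/0 scheduler-map QOS_SCHED_MAP
"""


def parse_set_lines(text):
    """Tokenize each 'set ...' statement (the leading 'set' dropped); other lines are ignored."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def collect_qos_state(stmts):
    """Extract the configuration facts the check content tells an auditor to verify."""
    state = {
        "input_filter": {},                      # ifd -> family inet input filter name
        "classifier_filters": defaultdict(set),  # filter name -> forwarding classes it sets
        "scheduler_map": {},                     # ifd -> scheduler-map name
        "map_classes": defaultdict(set),         # scheduler-map name -> classes it schedules
        "rewrite": set(),                        # ifds with a dscp rewrite rule on some unit
    }
    for s in stmts:
        if s[:1] == ["interfaces"] and "inet" in s and "filter" in s and "input" in s:
            state["input_filter"][s[1]] = s[s.index("input") + 1]
        elif s[:4] == ["firewall", "family", "inet", "filter"] and "forwarding-class" in s:
            state["classifier_filters"][s[4]].add(s[s.index("forwarding-class") + 1])
        elif s[:2] == ["class-of-service", "scheduler-maps"] and "forwarding-class" in s:
            state["map_classes"][s[2]].add(s[s.index("forwarding-class") + 1])
        elif s[:2] == ["class-of-service", "interfaces"]:
            if "scheduler-map" in s:
                state["scheduler_map"][s[2]] = s[s.index("scheduler-map") + 1]
            if "rewrite-rules" in s and "dscp" in s:
                state["rewrite"].add(s[2])
    return state


def audit_qos(config_text, ce_facing, core_facing):
    """Return a list of finding strings; an empty list means every checked interface complies."""
    st = collect_qos_state(parse_set_lines(config_text))
    findings = []
    # CE-facing ports must classify ingress traffic with an MF classifier.
    for ifd in sorted(ce_facing):
        name = st["input_filter"].get(ifd)
        if name is None:
            findings.append(f"{ifd}: CE-facing interface has no family inet input filter")
        elif not st["classifier_filters"].get(name):
            findings.append(f"{ifd}: input filter {name} sets no forwarding-class (not an MF classifier)")
    # Every interface needs a scheduler map that covers all forwarding classes.
    for ifd in sorted(set(ce_facing) | set(core_facing)):
        smap = st["scheduler_map"].get(ifd)
        if smap is None:
            findings.append(f"{ifd}: no scheduler-map applied")
        else:
            missing = REQUIRED_CLASSES - st["map_classes"].get(smap, set())
            if missing:
                findings.append(f"{ifd}: scheduler-map {smap} does not schedule {', '.join(sorted(missing))}")
    # Core-facing ports must re-mark DSCP on egress.
    for ifd in sorted(core_facing):
        if ifd not in st["rewrite"]:
            findings.append(f"{ifd}: core-facing interface has no dscp rewrite-rules")
    return findings


if __name__ == "__main__":
    for line in audit_qos(SAMPLE_CONFIG, ["ge-0/0/0", "ge-1/0/0"], ["ge-0/0/1"]) or ["compliant"]:
        print(line)
```

Run against a real device, replace SAMPLE_CONFIG with the saved "display set" output and pass the interface roles from the site's interface inventory; any non-empty result corresponds to a finding under this rule.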

Fix text

Configure a QoS policy on each router in accordance with the QoS DoDIN Technical Profile. The PE router must classify ingress traffic entering the backbone.

Configure a Multifield (MF) classifier to classify traffic based on protocol and ports as shown in the example below.

[edit firewall family inet filter CLASSIFY_TRAFFIC]
set term SIP from protocol tcp
set term SIP from port 5060
set term SIP then forwarding-class expedited-forwarding
set term SIP then accept
set term RTP from protocol udp
set term RTP from port 16384-32767
set term RTP then forwarding-class expedited-forwarding
set term RTP then accept
set term H.323 from protocol tcp
set term H.323 from port 1720
set term H.323 then forwarding-class assured-forwarding
set term H.323 then loss-priority low
set term H.323 then accept
set term VIDEO_GK from protocol udp
set term VIDEO_GK from port 1718-1719
set term VIDEO_GK then forwarding-class assured-forwarding
set term VIDEO_GK then loss-priority low
set term VIDEO_GK then accept
set term VIDEO_BEARER from protocol udp
set term VIDEO_BEARER from port 3230-3235
set term VIDEO_BEARER then forwarding-class assured-forwarding
set term VIDEO_BEARER then loss-priority low
set term VIDEO_BEARER then accept
set term SSH from protocol tcp
set term SSH from port ssh
set term SSH then forwarding-class assured-forwarding
set term SSH then loss-priority high
set term SSH then accept
set term TACACS from protocol tcp
set term TACACS from port tacacs
set term TACACS then forwarding-class assured-forwarding
set term TACACS then loss-priority high
set term TACACS then accept
set term SNMP from protocol tcp
set term SNMP from port snmp
set term SNMP then forwarding-class assured-forwarding
set term SNMP then loss-priority high
set term SNMP then accept
set term ICMP from protocol icmp
set term ICMP then forwarding-class assured-forwarding
set term ICMP then loss-priority high
set term ICMP then accept
set term OSPF from protocol ospf
set term OSPF then forwarding-class network-control
set term OSPF then accept
set term PIM from protocol pim
set term PIM then forwarding-class network-control
set term PIM then accept
set term ACCEPT_OTHER then forwarding-class best-effort
set term ACCEPT_OTHER then accept

Configure drop profiles.

[edit class-of-service]
set drop-profiles LOW_DROP fill-level 95 drop-probability 0
set drop-profiles LOW_DROP fill-level 100 drop-probability 100
set drop-profiles HIGH_DROP fill-level 50 drop-probability 10
set drop-profiles HIGH_DROP fill-level 95 drop-probability 100

Configure QoS schedulers to define how queued egress packets are prioritized.

[edit class-of-service schedulers]
set VOIP_SCHED transmit-rate percent 10
set VOIP_SCHED buffer-size percent 10
set VOIP_SCHED priority high
set VIDEO_SCHED transmit-rate percent 20
set VIDEO_SCHED buffer-size percent 20
set VIDEO_SCHED priority medium-high
set VIDEO_SCHED drop-profile-map loss-priority low protocol any drop-profile LOW_DROP
set MGMT_SCHED transmit-rate percent 10
set MGMT_SCHED buffer-size percent 10
set MGMT_SCHED priority medium-low
set MGMT_SCHED drop-profile-map loss-priority high protocol any drop-profile HIGH_DROP
set CONTROL_PLANE_SCHED transmit-rate percent 10
set CONTROL_PLANE_SCHED buffer-size percent 10
set CONTROL_PLANE_SCHED priority medium-high
set BEST_EFFORT_SCHED transmit-rate percent 50
set BEST_EFFORT_SCHED buffer-size percent 50
set BEST_EFFORT_SCHED priority low

Configure scheduler maps to link the forwarding classes to schedulers. Each forwarding class can be bound to only one scheduler within a map, so assured-forwarding is mapped to MGMT_SCHED as in the check content.

[edit class-of-service scheduler-maps QOS_SCHED_MAP]
set forwarding-class expedited-forwarding scheduler VOIP_SCHED
set forwarding-class network-control scheduler CONTROL_PLANE_SCHED
set forwarding-class assured-forwarding scheduler MGMT_SCHED
set forwarding-class best-effort scheduler BEST_EFFORT_SCHED

Apply the filter that classifies traffic inbound on all CE-facing interfaces.

[edit interfaces ge-0/1/0 unit 0]
set family inet filter input CLASSIFY_TRAFFIC

Apply the scheduler map to all interfaces as shown in the example.

[edit class-of-service interfaces]
set ge-0/0/1 scheduler-map QOS_SCHED_MAP
set ge-0/1/1 scheduler-map QOS_SCHED_MAP
set ge-1/0/0 scheduler-map QOS_SCHED_MAP
set ge-1/0/1 scheduler-map QOS_SCHED_MAP

Apply the rewrite rules to mark egress packets on all core-facing interfaces as shown in the example.

[edit class-of-service interfaces]
set ge-0/0/1 unit 0 rewrite-rules dscp default
set ge-0/1/1 unit 0 rewrite-rules dscp default
