From Infrastructure Router Security Technical Implementation Guide Juniper
Part of Management traffic doesn't get preferred treatment
When network congestion occurs, all traffic has an equal chance of being dropped.
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic. This will ensure that management traffic receives guaranteed bandwidth at each forwarding device along the path to the management network. Step 1: Verify that all internal or core router interfaces are bound to a DSCP classifier and that both CE-facing and core-facing interfaces have a forwarding-class policy defined (i.e. scheduler-map) as shown in the configuration below: class-of-service { interfaces { fe-* { scheduler-map MAP-FC-Policy; unit 0 { classifiers { dscp access-classifier; } rewrite-rules { dscp basic-rewrite-rules; } } } ge-* { scheduler-map MAP-FC-Policy; unit 0 { classifiers { dscp core-classifier; } } } } } Step 2: Verify that the classifier places traffic in the appropriate forwarding class according to the approved DSCPs as shown in the example below: class-of-service { classifiers { dscp access-classifier { forwarding-class best-effort { loss-priority high code-points 000000; } forwarding-class data-AF13-AF23 { loss-priority high code-points 001110; loss-priority low code-points 010110; } forwarding-class video-AF33-AF43 { loss-priority high code-points 011110; loss-priority low code-points 100110; } forwarding-class voice-EF { loss-priority low code-points 101110; } forwarding-class network-control { loss-priority low code-points 110000; } } } } Step 3: Verify that the forwarding classes are associated with the correct queues and polices (i.e., schedulers) as shown in the example below: class-of-service { forwarding-classes { queue 0 best-effort; queue 1 data-AF13-AF23; queue 2 video-AF33-AF43; queue 3 voice-EF; queue 4 network-control; } scheduler-maps { MAP-FC-Policy { forwarding-class best-effort scheduler Q0-best-effort; forwarding-class data-AF13-AF23 scheduler Q1-data; forwarding-class video-AF33-AF43 scheduler Q2-video; forwarding-class voice-EF scheduler Q3-voice; forwarding-class network-control scheduler Q4-network-control; } schedulers { Q0-best-effort { transmit-rate percent 20; buffer-size percent 20; drop-profile-map loss-priority low protocol any drop-profile be-low-drop-profile; drop-profile-map loss-priority high protocol any drop-profile be-high-drop-profile; priority low; } Q1-data { transmit-rate percent 35; buffer-size percent 30; drop-profile-map loss-priority low protocol any drop-profile data-low-drop-profile; drop-profile-map loss-priority high protocol any drop-profile data-high-drop-profile; priority low; } Q2-video { transmit-rate percent 40; buffer-size percent 35; drop-profile-map loss-priority low protocol any drop-profile video-low-drop-profile; drop-profile-map loss-priority high protocol any drop-profile video-high-drop-profile; priority low; } Q3-voice { buffer-size percent 10; priority strict-high; } Q4-network-control { transmit-rate percent 5; buffer-size percent 5; priority high; } } drop-profiles { video -high-drop-profile { fill-level 30 drop-probability 30; fill-level 50 drop-probability 50; fill-level 70 drop-probability 60; fill-level 90 drop-probability 100; } video -low-drop-profile { fill-level 40 drop-probability 30; fill-level 60 drop-probability 50; fill-level 80 drop-probability 60; fill-level 100 drop-probability 100; } data-high-drop-profile { fill-level 25 drop-probability 30; fill-level 45 drop-probability 50; fill-level 65 drop-probability 60; fill-level 85 drop-probability 100; } data-low-drop-profile { fill-level 30 drop-probability 30; fill-level 50 drop-probability 50; fill-level 70 drop-probability 60; fill-level 90 drop-probability 100; } be-high-drop-profile { fill-level 20 drop-probability 30; fill-level 40 drop-probability 50; fill-level 60 drop-probability 60; fill-level 80 drop-probability 100; } be-low-drop-profile { fill-level 25 drop-probability 30; fill-level 45 drop-probability 50; fill-level 65 drop-probability 60; fill-level 85 drop-probability 100; } } } Note: Scheduling policy maps configure the forwarding classes that represent packet queues for the physical interfaces that they are bound to. On M-series and T-series platforms, you can configure one queue per interface to have strict-high priority, which works the same as high priority, but provides unlimited transmission bandwidth. Hence, there is no need to define a transmit-rate for a strict-high priority queue. As long as the queue with strict-high priority has traffic to send, it receives precedence over all other queues, except queues with high priority. Queues with strict-high and high priority take turns transmitting packets until the strict-high queue is empty, the high priority queues are empty, or the high priority queues run out of bandwidth credit. Only then can lower priority queues send traffic. If only 4 queues are supported by the interface, map two classes into one queue as shown in the following example: class-of-service { restricted-queues { forwarding-class best-effort queue 0; forwarding-class data-AF13-AF23 queue 0; forwarding-class video-AF33-AF4 queue 1; forwarding-class voice-EF 2; forwarding-class network-control queue 3; } }
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer