Using RPM to generate traffic on a Junos device

RPM (Realtime Probe Monitoring) on a Junos device (similar to the IP SLA feature on IOS) is used to monitor network performance between two endpoints in a network. In a lab environment, we can use this feature to generate “real” traffic for testing QoS or security policies without needing a real traffic generator, which is very handy. RPM can generate TCP and UDP traffic in addition to ICMP (which can easily be done with the ping command).

The following configuration simulates ICMP/UDP/TCP traffic from R1 (simulating a client machine) to R2 (server).

Configuration

lab@R1> show configuration services   
rpm {
    probe ICMP_Probe {
        test Generate_ICMP_Ping {
            probe-type icmp-ping;
            target address 2.2.2.2;
            probe-count 10;
            probe-interval 1;
            test-interval 1;
            source-address 1.1.1.1;
            dscp-code-points cs1;
            data-size 100;
        }
    }
    probe IP_Phone {
        test Voice_RTP {
            probe-type udp-ping;
            target address 100.1.2.3;
            probe-count 10;
            probe-interval 1;
            test-interval 1;
            destination-port 51000;
            source-address 100.1.1.1;
            dscp-code-points ef;
            data-size 100;
        }
    }
    probe TCP_Probe {
        test Generate_TCP_Ping {
            probe-type tcp-ping;
            target address 2.2.2.2;
            probe-count 10;
            probe-interval 1;
            test-interval 1;
            destination-port 50000;
            source-address 1.1.1.1;
            dscp-code-points be;
            data-size 100;
        }
    }                                   
    probe-limit 500;                    
} 


lab@R2> show configuration services 
rpm {
    probe-server {
        tcp {
            port 50000;
            # destination-interface lo0.0;
        }
        udp {
            port 51000;
            # destination-interface ge-0/0/1.0;
        }
    }
}

Verification

lab@R1> show services rpm probe-results 
 Owner: IP_Phone, Test: Voice_RTP
 Target address: 100.1.2.3, Source address: 100.1.1.1, Probe type: udp-ping, Test size: 10 probes
 Probe results:
 Response received, Sat Aug 9 20:41:56 2014, No hardware timestamps
 Rtt: 2593 usec
 Results over current test:
 Probes sent: 7, Probes received: 7, Loss percentage: 0
 Measurement: Round trip time
 Samples: 7, Minimum: 666 usec, Maximum: 4624 usec, Average: 3008 usec, Peak to peak: 3958 usec, Stddev: 1370 usec,
 Sum: 21053 usec
 Results over last test:
 Probes sent: 10, Probes received: 10, Loss percentage: 0
 Test completed on Sat Aug 9 20:41:49 2014
 Measurement: Round trip time
 Samples: 10, Minimum: 623 usec, Maximum: 4110 usec, Average: 1485 usec, Peak to peak: 3487 usec, Stddev: 1156 usec,
 Sum: 14846 usec
 Results over all tests:
 Probes sent: 107, Probes received: 107, Loss percentage: 0
 Measurement: Round trip time
 Samples: 107, Minimum: 422 usec, Maximum: 4684 usec, Average: 1019 usec, Peak to peak: 4262 usec, Stddev: 981 usec,
 Sum: 109060 usec

 Owner: TCP_Probe, Test: Generate_TCP_Ping
 Target address: 2.2.2.2, Source address: 1.1.1.1, Probe type: tcp-ping, Test size: 10 probes
 Probe results:
 Response received, Sat Aug 9 20:41:55 2014
 Rtt: 940 usec
 Results over current test:
 Probes sent: 6, Probes received: 6, Loss percentage: 0
 Measurement: Round trip time
 Samples: 6, Minimum: 940 usec, Maximum: 1153 usec, Average: 1053 usec, Peak to peak: 213 usec, Stddev: 65 usec,
 Sum: 6318 usec 
 Results over last test:
 Probes sent: 10, Probes received: 10, Loss percentage: 0
 Test completed on Sat Aug 9 20:41:49 2014
 Measurement: Round trip time
 Samples: 10, Minimum: 952 usec, Maximum: 1179 usec, Average: 1044 usec, Peak to peak: 227 usec, Stddev: 72 usec,
 Sum: 10444 usec
 Results over all tests:
 Probes sent: 106, Probes received: 106, Loss percentage: 0
 Measurement: Round trip time
 Samples: 106, Minimum: 762 usec, Maximum: 1803 usec, Average: 1039 usec, Peak to peak: 1041 usec, Stddev: 134 usec,
 Sum: 110160 usec

 Owner: ICMP_Probe, Test: Generate_ICMP_Ping
 Target address: 2.2.2.2, Source address: 1.1.1.1, Probe type: icmp-ping, Test size: 10 probes
 Probe results:
 Response received, Sat Aug 9 20:41:56 2014, No hardware timestamps
 Rtt: 449 usec
 Results over current test:
 Probes sent: 7, Probes received: 7, Loss percentage: 0
 Measurement: Round trip time
 Samples: 7, Minimum: 360 usec, Maximum: 449 usec, Average: 401 usec, Peak to peak: 89 usec, Stddev: 33 usec, Sum: 2810 usec
 Results over last test:
 Probes sent: 10, Probes received: 10, Loss percentage: 0
 Test completed on Sat Aug 9 20:41:49 2014
 Measurement: Round trip time
 Samples: 10, Minimum: 306 usec, Maximum: 454 usec, Average: 381 usec, Peak to peak: 148 usec, Stddev: 37 usec,
 Sum: 3805 usec
 Results over all tests:
 Probes sent: 117, Probes received: 117, Loss percentage: 0
 Measurement: Round trip time
 Samples: 117, Minimum: 214 usec, Maximum: 531 usec, Average: 357 usec, Peak to peak: 317 usec, Stddev: 72 usec,
 Sum: 41719 usec


lab@R2# run show services rpm active-servers 
 Protocol: TCP, Port: 50000

 Protocol: UDP, Port: 51000
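
When RPM probes are used to test a security policy, the probe results can be checked automatically against the intended outcome. The following is an added example, not part of the original post: it parses the "show services rpm probe-results" layout shown above and compares the last completed test of each probe with an expected permit/deny verdict. The probe "Blocked_Probe"/"Denied_TCP" and the permit/deny labels are hypothetical, and the sample text is constructed from the output above.

```python
import re

# Constructed sample: abridged from the probe-results layout shown above.
# "Blocked_Probe" / "Denied_TCP" are hypothetical names for a flow that a
# security policy is expected to drop; they are not part of the page's lab.
SAMPLE = """\
 Owner: IP_Phone, Test: Voice_RTP
 Target address: 100.1.2.3, Source address: 100.1.1.1, Probe type: udp-ping, Test size: 10 probes
 Results over current test:
 Probes sent: 7, Probes received: 7, Loss percentage: 0
 Results over last test:
 Probes sent: 10, Probes received: 10, Loss percentage: 0
 Results over all tests:
 Probes sent: 107, Probes received: 107, Loss percentage: 0

 Owner: Blocked_Probe, Test: Denied_TCP
 Target address: 2.2.2.2, Source address: 1.1.1.1, Probe type: tcp-ping, Test size: 10 probes
 Results over last test:
 Probes sent: 10, Probes received: 0, Loss percentage: 100
"""

OWNER_RE = re.compile(r"Owner: (\S+), Test: (\S+)")
TYPE_RE = re.compile(r"Target address: (\S+), .*Probe type: ([\w-]+)")
SECTION_RE = re.compile(r"Results over (current test|last test|all tests):")
COUNT_RE = re.compile(r"Probes sent: (\d+), Probes received: (\d+)")


def parse_probe_results(text):
    """Return {(owner, test): {"target", "type", "<section>": (sent, received)}}."""
    results, current, section = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := OWNER_RE.match(line):
            current = results.setdefault((m[1], m[2]), {})
            section = None                      # counters belong to a new probe
        elif current is None:
            continue                            # text before the first Owner line
        elif m := TYPE_RE.match(line):
            current["target"], current["type"] = m[1], m[2]
        elif m := SECTION_RE.match(line):
            section = m[1]
        elif (m := COUNT_RE.match(line)) and section:
            current[section] = (int(m[1]), int(m[2]))
    return results


def evaluate(results, expected):
    """expected maps (owner, test) -> "permit" or "deny"; returns a list of findings."""
    findings = []
    for key, want in expected.items():
        sent, rcvd = results.get(key, {}).get("last test", (0, 0))
        if sent == 0:
            # A probe that never completed a test proves nothing either way.
            findings.append((key, "no completed test"))
        elif want == "permit" and rcvd < sent:
            findings.append((key, f"loss {100 * (sent - rcvd) // sent}% on permitted flow"))
        elif want == "deny" and rcvd > 0:
            findings.append((key, f"{rcvd}/{sent} probes answered on denied flow"))
    return findings


if __name__ == "__main__":
    parsed = parse_probe_results(SAMPLE)
    policy = {("IP_Phone", "Voice_RTP"): "permit", ("Blocked_Probe", "Denied_TCP"): "deny"}
    print(evaluate(parsed, policy) or "all probes match the intended policy")
```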

Policing configuration and verification

In this post, we are going to configure a simple policing policy, and see it in action with different ways of verification.

Topology

         13.0.0.0/24	             23.0.0.0/24
  R1 --------------------- MX5 ---------------------- R2
ge-1/1/0           ge-1/0/0  ge-1/0/1              ge-1/1/1

We are going to implement a 1 Mbps policer on interface ge-1/0/0 of MX5, facing R1. We leave all other interfaces without any policing.

Configuration

[edit]
lab@MX5# show firewall 
policer police-1m {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 125k;
    }
    then {
        discard;
    }
}

[edit]
lab@MX5# show interfaces ge-1/0/0 
description "Connection to virtual R1";
unit 0 {
    family inet {
        policer {
            input police-1m;
            output police-1m;
        }
        address 13.0.0.3/24;
    }
}

lab@MX5> show configuration interfaces ge-1/0/1    
description "Connection to virtual R2";
unit 0 {
    family inet {
        address 23.0.0.3/24;
    }
}

Verification

Traffic is generated by an extended ping from virtual router R1 to virtual router R2 (which goes via the default router MX5).

lab@MX5> ping routing-instance R1 23.0.0.2 rapid count 100000000 size 1000 interval 0.1  

lab@MX5> monitor interface ge-1/0/0  

Interface: ge-1/0/0, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics:                                              Current delta
  Input bytes:                 488441864 (1199736 bps)                [918084]
  Output bytes:                384233800 (976480 bps)                 [751772]
  Input packets:                  478239 (146 pps)                       [894]
  Output packets:                 376522 (118 pps)                       [733]

lab@MX5> monitor interface ge-1/0/1 
Interface: ge-1/0/1, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics:                                              Current delta
  Input bytes:                1335798212 (993416 bps)                 [500834]
  Output bytes:               1268010600 (992616 bps)                 [500736]
  Input packets:                 1169994 (121 pps)                       [488]
  Output packets:                1415823 (120 pps)                       [488]

lab@MX5> show interfaces ge-1/0/0.0 extensive | match "bps|Policer" 
     Input  bytes  :            530838800              1194960 bps
     Output bytes  :            415154716               971944 bps
      Policer: Input: police-1m-ge-1/0/0.0-inet-i, Output: police-1m-ge-1/0/0.0-inet-o
      Policer: Input: __default_arp_policer__

lab@MX5> show interfaces ge-1/0/1.0 extensive | match "bps|Policer"    
     Input  bytes  :           1136550684               951264 bps
     Output bytes  :           1261332916               951264 bps
      Policer: Input: __default_arp_policer__

Note that packets dropped by the policers are not shown in the “show interface” command output. Instead, they are shown in the “show policer” output.

lab@MX5> clear firewall all

lab@MX5> show policer                                
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                                 0                    0
police-1m-ge-1/0/0.0-inet-i                       1464900                 1425
police-1m-ge-1/0/0.0-inet-o                             0                    0

lab@MX5> show policer police-1m-ge-1/0/0.0-inet-i    
Policers:
Name                                                Bytes              Packets
police-1m-ge-1/0/0.0-inet-i                       1464900                 1425

The input rate on interface ge-1/0/0 (1.2 Mbps) is the traffic rate before policing. To see the rate of traffic that has already passed the input policer, look at the outbound rate on interface ge-1/0/1, which is around 1 Mbps. No traffic is dropped by the outbound policer on ge-1/0/0, because the return ping traffic is all conforming.
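
The numbers above can be reproduced with a small model of the policer. The following is an added example, not part of the original post and not Junos code: a generic single-rate two-color token bucket fed with the page's values (bandwidth-limit 1m, burst-size-limit 125k, about 146 pps offered). It assumes that 125k means 125,000 bytes and that each ping is metered as 1028 bytes (1000-byte payload plus ICMP and IP headers, which matches 1464900 bytes / 1425 packets in the policer counters).

```python
def police(arrivals, rate_bps, burst_bytes):
    """Single-rate two-color token bucket.

    arrivals: (time_s, size_bytes) tuples in time order.
    Returns one bool per packet: True = forwarded, False = discarded.
    """
    tokens, last, verdicts = float(burst_bytes), 0.0, []
    for t, size in arrivals:
        # Refill at rate_bps/8 bytes per second, never above the burst size.
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if tokens >= size:
            tokens -= size
            verdicts.append(True)
        else:
            verdicts.append(False)      # "then discard" in the policer above
    return verdicts


def simulate(pps=146, size=1028, seconds=60,
             rate_bps=1_000_000, burst_bytes=125_000):
    """Constant-rate offered load; defaults are the assumed lab values."""
    arrivals = [(i / pps, size) for i in range(pps * seconds)]
    verdicts = police(arrivals, rate_bps, burst_bytes)
    first_drop = next((t for (t, _), ok in zip(arrivals, verdicts) if not ok), None)
    # Measure the forwarded rate over the second half, after the burst is spent.
    half = seconds / 2
    tail_fwd = sum(ok for (t, _), ok in zip(arrivals, verdicts) if t >= half)
    return {
        "offered_bps": pps * size * 8,
        "first_drop_s": first_drop,
        "steady_forwarded_bps": tail_fwd * size * 8 / half,
        "dropped_packets": verdicts.count(False),
    }


if __name__ == "__main__":
    print("R1 -> R2 (exceeding):", simulate(pps=146))
    print("R2 -> R1 (conforming):", simulate(pps=118))
```

In this model the full bucket absorbs the excess for roughly the first five seconds, which is why drops do not start immediately after the counters are cleared.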

We are going to demonstrate the outbound policer in action, by increasing the returning traffic from R2 to R1. This is done by removing the inbound policer on ge-1/0/0 of MX5.

[edit]
lab@MX5# edit interfaces ge-1/0/0 unit 0 family inet   

[edit interfaces ge-1/0/0 unit 0 family inet]
lab@MX5# deactivate policer input        

[edit interfaces ge-1/0/0 unit 0 family inet]
lab@MX5# commit 

lab@MX5> show interfaces ge-1/0/0.0 extensive | match "bps|Policer" 
     Input  bytes  :            727758528              1253184 bps
     Output bytes  :            575508324              1017432 bps
      Policer: Output: police-1m-ge-1/0/0.0-inet-o
      Policer: Input: __default_arp_policer__

lab@MX5> show interfaces ge-1/0/1.0 extensive | match "bps|Policer"    
     Input  bytes  :           1327061700              1207688 bps
     Output bytes  :           1451843932              1207688 bps
      Policer: Input: __default_arp_policer__

lab@MX5> show policer 
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                                 0                    0
police-1m-ge-1/0/0.0-inet-o                       2563832                 2494

As we can see, packets are now being dropped by the policer “police-1m-ge-1/0/0.0-inet-o”, that is, the policer “police-1m” applied on interface ge-1/0/0.0 in the output direction. The output traffic rate shown by “show interface” or “monitor interface” is always the rate after policing.

Junos QoS Simple Configuration

Topology

Junos3 is a Juniper router, and R1 and R2 are Cisco routers.

Configuration

Classification

lab@Junos3# show firewall family inet      
filter classify-traffic {
    term sip {
        from {
            protocol [ tcp udp ];
            port 5060;
        }
        then {
            forwarding-class voip;
            accept;
        }
    }
    term rtp {
        from {
            protocol udp;
            port 16384-32767;
        }
        then {
            forwarding-class voip;
            accept;
        }
    }
    term telnet {
        from {
            protocol tcp;
            port 23;
        }
        then {
            forwarding-class admin;
            accept;
        }
    }
    term ping {
        from {
            protocol icmp;
        }
        then {
            forwarding-class admin;
            accept;
        }                               
    }
    term accept-all {
        then accept;
    }
}

Queues and Scheduler Maps

lab@Junos3# show class-of-service       
forwarding-classes {
    queue 1 admin;
    queue 2 voip;
}

schedulers {
    best-effort-sched {
        transmit-rate percent 40;
        buffer-size percent 40;
        priority low;
    }
    admin-sched {
        transmit-rate percent 45;
        buffer-size percent 45;
        priority medium-low;
    }
    voip-sched {
        transmit-rate percent 10;
        buffer-size percent 10;
        priority high;
    }
    network-control-sched {
        transmit-rate percent 5;
        buffer-size percent 5;          
        priority medium-high;
    }
}

scheduler-maps {
    my-sched-map {
        forwarding-class best-effort scheduler best-effort-sched;
        forwarding-class admin scheduler admin-sched;
        forwarding-class voip scheduler voip-sched;
        forwarding-class network-control scheduler network-control-sched;
    }
}

interfaces {
    ge-0/0/1 {
        scheduler-map my-sched-map;
    }
    ge-1/0/1 {
        scheduler-map my-sched-map;
    }
}

Set Config

lab@Junos3# show firewall family inet | display set 
set firewall family inet filter classify-traffic term sip from protocol tcp
set firewall family inet filter classify-traffic term sip from protocol udp
set firewall family inet filter classify-traffic term sip from port 5060
set firewall family inet filter classify-traffic term sip then forwarding-class voip
set firewall family inet filter classify-traffic term sip then accept
set firewall family inet filter classify-traffic term rtp from protocol udp
set firewall family inet filter classify-traffic term rtp from port 16384-32767
set firewall family inet filter classify-traffic term rtp then forwarding-class voip
set firewall family inet filter classify-traffic term rtp then accept
set firewall family inet filter classify-traffic term telnet from protocol tcp
set firewall family inet filter classify-traffic term telnet from port 23
set firewall family inet filter classify-traffic term telnet then forwarding-class admin
set firewall family inet filter classify-traffic term telnet then accept
set firewall family inet filter classify-traffic term ping from protocol icmp
set firewall family inet filter classify-traffic term ping then forwarding-class admin
set firewall family inet filter classify-traffic term ping then accept
set firewall family inet filter classify-traffic term accept-all then accept

lab@Junos3# show class-of-service | display set 
set class-of-service forwarding-classes queue 1 admin
set class-of-service forwarding-classes queue 2 voip
set class-of-service interfaces ge-0/0/1 scheduler-map my-sched-map
set class-of-service interfaces ge-1/0/1 scheduler-map my-sched-map
set class-of-service scheduler-maps my-sched-map forwarding-class best-effort scheduler best-effort-sched
set class-of-service scheduler-maps my-sched-map forwarding-class admin scheduler admin-sched
set class-of-service scheduler-maps my-sched-map forwarding-class voip scheduler voip-sched
set class-of-service scheduler-maps my-sched-map forwarding-class network-control scheduler network-control-sched
set class-of-service schedulers best-effort-sched transmit-rate percent 40
set class-of-service schedulers best-effort-sched buffer-size percent 40
set class-of-service schedulers best-effort-sched priority low
set class-of-service schedulers admin-sched transmit-rate percent 45
set class-of-service schedulers admin-sched buffer-size percent 45
set class-of-service schedulers admin-sched priority medium-low
set class-of-service schedulers voip-sched transmit-rate percent 10
set class-of-service schedulers voip-sched buffer-size percent 10
set class-of-service schedulers voip-sched priority high
set class-of-service schedulers network-control-sched transmit-rate percent 5
set class-of-service schedulers network-control-sched buffer-size percent 5
set class-of-service schedulers network-control-sched priority medium-high

Verification

Clear the interface queue statistics with the following command:

lab@Junos3> clear interfaces statistics all 

lab@Junos3> show interfaces queue ge-0/0/1     
Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Interface index: 134, SNMP ifIndex: 508
  Description: DEVNET-R6-6509 GE1/21
Forwarding classes: 8 supported, 4 in use
Egress queues: 8 supported, 4 in use
Queue: 0, Forwarding classes: best-effort 
  Queued:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
  Transmitted:
    Packets              :                     0                     0 pps
    Bytes                :                     0                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps
...

Generate VoIP traffic from R2 to R1 with SIP signalling by telnetting to R1 on TCP port 5060, and confirm that the traffic gets queued on the Junos3 outbound interface to R1.

R2#telnet 13.0.0.1 5060
Trying 13.0.0.1, 5060 ... 
% Connection refused by remote host

lab@Junos3> show interfaces queue ge-0/0/1 | find voip 
Queue: 2, Forwarding classes: voip 
  Queued:
    Packets              :                     3                     0 pps
    Bytes                :                   180                     0 bps
  Transmitted:
    Packets              :                     3                     0 pps
    Bytes                :                   180                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps

Generate admin traffic by telnetting from R2 to R1 on the normal telnet port (TCP 23), and confirm the same:

R2#telnet 13.0.0.1     
Trying 13.0.0.1 ... Open

==================================================
Cisco Router R1
==================================================

lab@Junos3> show interfaces queue ge-0/0/1 | find admin 
Queue: 1, Forwarding classes: admin 
  Queued:
    Packets              :                    51                     0 pps
    Bytes                :                  3066                     0 bps
  Transmitted:
    Packets              :                    51                     0 pps
    Bytes                :                  3066                     0 bps
    Tail-dropped packets :                     0                     0 pps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps

For demonstration purposes, ICMP is classified into the admin class, so we can also generate a lot of admin traffic with extended ping packets from R2 to R1. In practice, ICMP should not be part of admin traffic.
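
To predict which queue a test flow will land in before generating it, the filter can be evaluated by hand or with a small model. The following is an added example, not part of the original post: a first-match evaluation of the classify-traffic terms in their configured order. It relies on the Junos "port" match condition matching either the source or the destination port, and it assumes that packets not given a forwarding class by the filter stay in best-effort; the sample flows and port numbers are constructed.

```python
# Terms of the classify-traffic filter above, in configured order.
# Each entry: (term name, protocols or None, (low, high) port range or None,
# forwarding class set by the term, or None when the term only accepts).
FILTER = [
    ("sip",        {"tcp", "udp"}, (5060, 5060),   "voip"),
    ("rtp",        {"udp"},        (16384, 32767), "voip"),
    ("telnet",     {"tcp"},        (23, 23),       "admin"),
    ("ping",       {"icmp"},       None,           "admin"),
    ("accept-all", None,           None,           None),
]


def _port_hit(port_range, value):
    low, high = port_range
    return value is not None and low <= value <= high


def classify(protocol, sport=None, dport=None, default_class="best-effort"):
    """Return (matching term, forwarding class) for one packet.

    The first matching term wins. "port" is satisfied by the source OR the
    destination port. default_class is an assumption (see lead-in).
    """
    for name, protocols, ports, fclass in FILTER:
        if protocols is not None and protocol not in protocols:
            continue
        if ports is not None and not (_port_hit(ports, sport) or _port_hit(ports, dport)):
            continue
        return name, fclass or default_class
    return None, None   # unreachable here: accept-all matches everything


# Constructed test flows: (description, protocol, source port, destination port)
FLOWS = [
    ("telnet to port 5060",             "tcp", 40000, 5060),
    ("reply from port 5060",            "tcp", 5060, 40000),
    ("telnet to port 23",               "tcp", 40001, 23),
    ("ping",                            "icmp", None, None),
    ("UDP to 51000, source port 20000", "udp", 20000, 51000),
    ("UDP to 51000, source port 40000", "udp", 40000, 51000),
]

if __name__ == "__main__":
    for label, proto, sport, dport in FLOWS:
        print(f"{label:34s} -> {classify(proto, sport, dport)}")
```

The fifth flow is the one to check: a UDP packet that is not voice lands in the voip class only because its source port falls inside the rtp range, which matters because voip-sched runs at high priority.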

Note:

By default, J series routers come with a default firewall setting. To remove it completely, we need to delete the stateful firewall function and enable packet-based mode.

delete security
set security forwarding-options family mpls mode packet-based