[j-nsp] DSCP marking for packets not leaving router

From: Blaz Zupan (blaz@inlimbo.org)
Date: Wed Apr 03 2002 - 01:23:52 EST


We have two upstream connections and lots of customers who would like to
have their connection limited only on the upstream connections, but
not on our peering connections.

In C-land, we use a service policy to DSCP mark packets that are coming
from one of our upstreams. We can then use CBWFQ to limit only those packets
colored with specific DSCP bits.

I can easily do this for packets *leaving* the router on our Juniper with
something like this:

forwarding-classes {
    queue 1 internet-traffic;
}

interfaces {
    fe-0/1/0 {
        unit 1 {
            rewrite-rules {
                dscp internet-traffic;
            }
        }
    }
}

rewrite-rules {
    dscp internet-traffic {
        forwarding-class internet-traffic {
            loss-priority high code-point 100110;
        }
    }
}

firewall {
    filter incoming-internet-traffic {
        term internet-traffic {
            then {
                loss-priority high;
                forwarding-class internet-traffic;
                accept;
            }
        }
    }
}

interfaces {
  e3-0/0/0 {
    unit 0 {
      family inet {
        filter {
          input incoming-internet-traffic;
        }
      }
    }
  }
}

Thus, packets coming in through e3-0/0/0 are put into the
"internet-traffic" queue and all packets leaving the router through
fe-0/1/0.1 and belonging to the internet-traffic queue are marked with
certain DSCP bits.

I can then use CBWFQ on one of our downstream Ciscos to limit only those
packets marked on the Juniper. But now, what do I do when one of those
customers is connected directly to the Juniper? How do I rate-limit only
traffic that is coming in through e3-0/0/0?


