[j-nsp] Confusion about DSCP marking and rewrite rules

John Neiberger jneiberger at gmail.com
Fri Jan 11 11:54:10 EST 2013


I'm still learning how Junos handles DSCP marking and I ran into a question
based on something I saw in production.

Let's assume we have an irb, and in that irb is an ae, and the ae has two
physical ports in it. If I want to mark traffic on ingress, does it matter
on which interfaces I configure the marking filter and rewrite rules?

My guess is that if you only apply them to a single interface, only traffic
on that interface will be marked. If you apply it to the ae then all
interfaces in that ae bundle will be marked, but other interfaces in the
irb wouldn't be marked. If you apply it on the irb then everything goes
through the marking filter.

Is that about right? This is on an MX960. Are there some nuances on this
platform that might affect the decision on where to apply these filters and
rules?

The odd thing on the interface I'm looking at is that the irb has the
ingress marking firewall filter but it does not have the rewrite rules
associated with it. Instead, the ae interface has the rewrite rules
associated with it. So, on ingress, a frame travels through an ae interface
with rewrite rules added to it, but no filter to specify any markings. That
doesn't happen until the frame hits the irb, which doesn't have rewrite
rules applied. I'm a little confused about why this is working. I would
have expected to see the rewrite rules applied to the same L3 interface
that has the ingress firewall filter applied.

Thanks,
John

