[j-nsp] Confusion about DSCP marking and rewrite rules

John Neiberger jneiberger at gmail.com
Mon Jan 14 10:14:40 EST 2013


That makes perfect sense. I'm not sure what my mental block was with that. lol

How does Juniper handle situations where you do need to mark a packet on
ingress so that you can match on the new marking on egress? If there is a
rewrite rule, does the rewrite happen before any egress firewall filters
are evaluated? On the Cisco 7600, we have to add a command to basically
recirculate a packet through the ingress interface logic twice to actually
re-mark the packet instead of just classifying it.

For example, an ingress packet may need to be marked as cs2 and then the
same router might have an egress filter facing some interface that only
allows cs2. If the marking happens after the egress filter is evaluated,
that traffic would be dropped. How does this work in Junos on the MX series?

Thanks!
John


On Mon, Jan 14, 2013 at 1:55 AM, Per Granath <per.granath at gcc.com.cy> wrote:

> Note that "marking" is not a word used in Junos...
>
> On ingress you do "classification", and on the class assigned you do
> queuing, etc. The class does not change any bit in the packet header - the
> class is assigned "outside" the packet header internally in the router.
>
> On egress you may apply a rewrite rule to a class (on an interface).
> Essentially, this means you cannot rewrite on ingress.
>
> So, your IRB "marking filter", which in Junos is called "multi field
> classifier", does not change any bit in the packet headers - it only
> assigns the internal class - when packets ingress on the IRB.
>
> The rewrite rules on the IRB only rewrite bits when a packet egresses on the
> IRB.
>
>
> On some other vendors you may be used to doing rewrite/marking on ingress...
>


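As an added illustration of the split Per describes (ingress multifield classifier assigns only the internal forwarding class, the rewrite rule writes DSCP bits at egress), here is a Junos configuration sketch that is not from the thread; the filter and class names, the IRB unit, the UDP port and the egress interface ge-0/0/1 are all hypothetical.

```junos
/* Ingress multifield classifier: assigns the internal forwarding class only; no header bit changes here */
firewall {
    family inet {
        filter MF-CLASSIFY {
            term sip {
                from { protocol udp; destination-port 5060; }
                then { forwarding-class ASSURED; loss-priority low; accept; }
            }
            term default { then accept; }
        }
        /* Egress filter keyed on the forwarding class, not on the DSCP bits */
        filter ASSURED-ONLY {
            term assured {
                from { forwarding-class ASSURED; }
                then accept;
            }
            term other { then discard; }
        }
    }
}
class-of-service {
    forwarding-classes { class ASSURED queue-num 2; }
    /* Rewrite rule: DSCP cs2 is written only as packets leave ge-0/0/1 */
    rewrite-rules {
        dscp MARK-ASSURED {
            forwarding-class ASSURED { loss-priority low code-point cs2; }
        }
    }
    interfaces {
        ge-0/0/1 { unit 0 { rewrite-rules { dscp MARK-ASSURED; } } }
    }
}
interfaces {
    /* Classifier applied where packets enter on the IRB */
    irb { unit 100 { family inet { filter { input MF-CLASSIFY; } } } }
    /* Egress filter applied on the interface that should carry only the ASSURED class */
    ge-0/0/1 { unit 0 { family inet { filter { output ASSURED-ONLY; } } } }
}
```

Matching the egress filter on `forwarding-class` rather than on `dscp cs2` keeps the filter tied to the class assigned at ingress, so it does not depend on the ordering between the rewrite rule and egress filter evaluation, which the thread leaves open.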