[j-nsp] Confusion about DSCP marking and rewrite rules
per.granath at gcc.com.cy
Mon Jan 14 10:33:47 EST 2013
On egress the (stateless) firewall filter is processed before rewrite/marking.
The filter can assign forwarding-class (normally on ingress), but not match on it (on egress).
So, this is where you need to re-design your (IOS) logic.
Start with a clean sheet, and design a new filter that you can use on egress - or block traffic on ingress.
From: John Neiberger [mailto:jneiberger at gmail.com]
Sent: Monday, January 14, 2013 5:15 PM
To: Per Granath
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Confusion about DSCP marking and rewrite rules
That makes perfect sense. I'm not sure what my mental block was with that. lol
How does Juniper handle situations where you do need to mark a packet on ingress so that you can match on the new marking on egress? If there is a rewrite rule, does the rewrite happen before any egress firewall filters are evaluated? On the Cisco 7600, we have to add a command to basically recirculate a packet through the ingress interface logic twice to actually re-mark the packet instead of just classifying it.
For example, an ingress packet may need to be marked as cs2 and then the same router might have an egress filter facing some interface that only allows cs2. If the marking happens after the egress filter is evaluated, that traffic would be dropped. How does this work in Junos on the MX series?
On Mon, Jan 14, 2013 at 1:55 AM, Per Granath <per.granath at gcc.com.cy> wrote:
Note that "marking" is not a word used in Junos...
On ingress you do "classification", and on the class assigned you do queuing, etc. The class does not change any bit in the packet header - the class is assigned "outside" the packet header internally in the router.
On egress you may apply a rewrite rule to a class (on an interface). Essentially, this means you cannot rewrite on ingress.
So, your IRB "marking filter", which in Junos is called "multi field classifier", does not change any bit in the packet headers - it only assigns the internal class - when packets ingress on the IRB.
The rewrite rules on the IRB only rewrite bits when a packet egresses on the IRB.
On some other vendor you may be used to doing rewrite/marking on ingress...
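Added here as an illustration of the split described in this thread, not configuration from either poster: a Junos fragment where a multifield classifier on the IRB ingress only assigns the internal forwarding class, and a rewrite rule on the IRB egress is what actually sets the DSCP bits (to CS2). The filter and rule names, the IRB unit, the port and the address are assumptions.

```junos
/* Ingress (assumed names/values): the classifier sets the internal class, not header bits. */
firewall {
    family inet {
        filter MF-CLASSIFY {
            term sip-signalling {
                from {
                    destination-port 5060;
                }
                then {
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    irb {
        unit 100 {
            family inet {
                filter {
                    input MF-CLASSIFY;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
/* Egress: the rewrite rule maps the class back to DSCP only when the packet leaves via the IRB. */
class-of-service {
    rewrite-rules {
        dscp CS2-ON-EGRESS {
            forwarding-class assured-forwarding {
                loss-priority low code-point cs2;
            }
        }
    }
    interfaces {
        irb {
            unit 100 {
                rewrite-rules {
                    dscp CS2-ON-EGRESS;
                }
            }
        }
    }
}
```

The final accept term matters because a Junos filter discards anything no term accepts; without it the classifier would also act as a drop filter.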