[j-nsp] Confusion about DSCP marking and rewrite rules
Alex Arseniev
alex.arseniev at gmail.com
Tue Jan 15 09:12:14 EST 2013
Correction:
- on MX960, a firewall filter can set FC in ingress and then match on it
either on ingress or egress.
Thanks
Alex
----- Original Message -----
From: "Per Granath" <per.granath at gcc.com.cy>
To: "John Neiberger" <jneiberger at gmail.com>
Cc: <juniper-nsp at puck.nether.net>
Sent: Monday, January 14, 2013 3:33 PM
Subject: Re: [j-nsp] Confusion about DSCP marking and rewrite rules
> On egress the (stateless) firewall filter is processed before
> rewrite/marking.
> The filter can assign forwarding-class (normally on ingress), but not
> match on it (on egress).
>
> So, this is where you need to re-design your (IOS) logic.
> Start with a clean sheet, and design a new filter that you can use on
> egress - or block traffic on ingress.
>
>
>
> From: John Neiberger [mailto:jneiberger at gmail.com]
> Sent: Monday, January 14, 2013 5:15 PM
> To: Per Granath
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Confusion about DSCP marking and rewrite rules
>
> That makes perfect sense. I'm not sure what my mental block was with that.
> lol
>
> How does Juniper handle situations where you do need to mark a packet on
> ingress so that you can match on the new marking on egress? If there is a
> rewrite rule, does the rewrite happen before any egress firewall filters
> are evaluated? On the Cisco 7600, we have to add a command to basically
> recirculate a packet through the ingress interface logic twice to actually
> re-mark the packet instead of just classifying it.
>
> For example, an ingress packet may need to be marked as cs2 and then the
> same router might have an egress filter facing some interface that only
> allows cs2. If the marking happens after the egress filter is evaluated,
> that traffic would be dropped. How does this work in Junos on the MX
> series?
>
> Thanks!
> John
>
> On Mon, Jan 14, 2013 at 1:55 AM, Per Granath
> <per.granath at gcc.com.cy> wrote:
> Note that "marking" is not a word used in Junos...
>
> On ingress you do "classification", and on the class assigned you do
> queuing, etc. The class does not change any bit in the packet header - the
> class is assigned "outside" the packet header internally in the router.
>
> On egress you may apply a rewrite rule to a class (on an interface).
> Essentially, this means you cannot rewrite on ingress.
>
> So, your IRB "marking filter", which in Junos is called "multi field
> classifier", does not change any bit in the packet headers - it only
> assigns the internal class - when packets ingress on the IRB.
>
> The rewrite rules on the IRB only rewrite bits when a packet egresses on the
> IRB.
>
>
> On some other vendor you may be used to doing rewrite/marking on
> ingress...
>
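The classification/rewrite ordering discussed in this thread, as an added Junos configuration example (not from any poster; filter names, interfaces and the UDP port are hypothetical). Following Alex's correction, the egress filter matches on forwarding-class rather than on a DSCP value, since the rewrite rule only runs after the egress filter has accepted the packet.

```junos
/* Ingress on xe-0/0/0: multifield classifier. Assigns the internal
   forwarding class only; no DSCP bits change here. (filter names,
   interfaces and the UDP port are hypothetical) */
firewall {
    family inet {
        filter MF-CLASSIFY-IN {
            term classify-af {
                from { protocol udp; destination-port 5060; }
                then { forwarding-class assured-forwarding; accept; }
            }
            term everything-else { then accept; }
        }
        /* Egress on xe-0/0/1: match the forwarding class, not "dscp cs2",
           because the rewrite rule has not run when this filter is evaluated */
        filter ONLY-AF-OUT {
            term permit-af-class {
                from { forwarding-class assured-forwarding; }
                then accept;
            }
            term drop-rest { then discard; }
        }
    }
}
/* Egress rewrite: writes cs2 into the DSCP field for that class, after the
   egress filter has accepted the packet */
class-of-service {
    rewrite-rules {
        dscp AF-TO-CS2 {
            forwarding-class assured-forwarding {
                loss-priority low code-point cs2;
                loss-priority high code-point cs2;
            }
        }
    }
    interfaces {
        xe-0/0/1 { unit 0 { rewrite-rules { dscp AF-TO-CS2; } } }
    }
}
interfaces {
    xe-0/0/0 { unit 0 { family inet { filter { input MF-CLASSIFY-IN; } } } }
    xe-0/0/1 { unit 0 { family inet { filter { output ONLY-AF-OUT; } } } }
}
```

Had ONLY-AF-OUT matched on `dscp cs2` instead, packets classified on ingress would still carry their original DSCP at filter time and be discarded, which is the failure John describes.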