[j-nsp] Confusion about DSCP marking and rewrite rules

Alex Arseniev alex.arseniev at gmail.com
Tue Jan 15 09:12:14 EST 2013


Correction:
- on MX960, a firewall filter can set FC in ingress and then match on it 
either on ingress or egress.
Thanks
Alex

----- Original Message ----- 
From: "Per Granath" <per.granath at gcc.com.cy>
To: "John Neiberger" <jneiberger at gmail.com>
Cc: <juniper-nsp at puck.nether.net>
Sent: Monday, January 14, 2013 3:33 PM
Subject: Re: [j-nsp] Confusion about DSCP marking and rewrite rules


> On egress the (stateless) firewall filter is processed before 
> rewrite/marking.
> The filter can assign forwarding-class (normally on ingress), but not 
> match on it (on egress).
>
> So, this is where you need to re-design your (IOS) logic.
> Start with a clean sheet, and design a new filter that you can use on 
> egress - or block traffic on ingress.
>
>
>
> From: John Neiberger [mailto:jneiberger at gmail.com]
> Sent: Monday, January 14, 2013 5:15 PM
> To: Per Granath
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Confusion about DSCP marking and rewrite rules
>
> That makes perfect sense. I'm not sure what my mental block was with that. 
> lol
>
> How does Juniper handle situations where you do need to mark a packet on 
> ingress so that you can match on the new marking on egress? If there is a 
> rewrite rule, does the rewrite happen before any egress firewall filters 
> are evaluated? On the Cisco 7600, we have to add a command to basically 
> recirculate a packet through the ingress interface logic twice to actually 
> re-mark the packet instead of just classifying it.
>
> For example, an ingress packet may need to be marked as cs2 and then the 
> same router might have an egress filter facing some interface that only 
> allows cs2. If the marking happens after the egress filter is evaluated, 
> that traffic would be dropped. How does this work in Junos on the MX 
> series?
>
> Thanks!
> John
>
> On Mon, Jan 14, 2013 at 1:55 AM, Per Granath 
> <per.granath at gcc.com.cy> wrote:
> Note that "marking" is not a word used in Junos...
>
> On ingress you do "classification", and on the class assigned you do 
> queuing, etc. The class does not change any bit in the packet header - the 
> class is assigned "outside" the packet header internally in the router.
>
> On egress you may apply a rewrite rule to a class (on an interface). 
> Essentially, this means you cannot rewrite on ingress.
>
> So, your IRB "marking filter", which in Junos is called "multi field 
> classifier", does not change any bit in the packet headers - it only 
> assigns the internal class - when packets ingress on the IRB.
>
> The rewrite rules on the IRB only rewrite bits when a packet egresses on the 
> IRB.
>
>
> On some other vendor you may be used to doing rewrite/marking on 
> ingress...
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
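The ingress-classify, egress-rewrite flow described in this thread, written out as an added Junos configuration example (constructed here, not posted by anyone in the thread): the input filter on the IRB assigns only the internal forwarding class, the output filter on the egress interface matches that class rather than the DSCP bits (the match the correction above says works on MX960), and the rewrite rule bound to the egress interface is what finally writes cs2 into the header. Filter names, interface names, the 192.0.2.0/24 prefix and the "af2" forwarding class are assumptions.

```junos
/* Constructed example, not from the thread: filter names, interfaces, prefix and the "af2" class are assumptions */
interfaces {
    irb {
        unit 100 {
            /* ingress: the multifield classifier sets only the internal class, no header bits change */
            family inet { filter { input MF-CLASSIFY; } }
        }
    }
    ge-0/0/1 {
        unit 0 {
            /* egress: the output filter runs before the rewrite rule, so it must match the class */
            family inet { filter { output AF2-ONLY; } }
        }
    }
}
firewall {
    family inet {
        filter MF-CLASSIFY {
            term customer-prefix {
                from { source-address { 192.0.2.0/24; } }
                then { forwarding-class af2; accept; }
            }
            term default { then accept; }
        }
        filter AF2-ONLY {
            /* "from { dscp cs2; }" here would still see the original, un-rewritten DSCP */
            term allow-af2 {
                from { forwarding-class af2; }
                then accept;
            }
            term drop-rest { then discard; }
        }
    }
}
class-of-service {
    forwarding-classes { class af2 queue-num 2; }
    rewrite-rules {
        /* only here, at egress, do the DSCP bits become cs2 */
        dscp MARK-CS2 {
            forwarding-class af2 {
                loss-priority low code-point cs2;
                loss-priority high code-point cs2;
            }
        }
    }
    interfaces {
        ge-0/0/1 { unit 0 { rewrite-rules { dscp MARK-CS2; } } }
    }
}
```

Traffic that arrives on irb.100 from the prefix is queued and counted as af2 everywhere inside the box, is the only traffic the egress filter on ge-0/0/1 lets through, and leaves with DSCP cs2; the same traffic leaving on an interface without the rewrite rule keeps whatever DSCP it arrived with.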