[j-nsp] CoS and ingress traffic with DSCP markings
Mark Tinka
mark.tinka at seacom.mu
Sat Jan 25 10:44:25 EST 2014
On Friday, January 24, 2014 07:29:58 PM John Neiberger
wrote:
> I have a follow-up to make sure I understand this. Let's
> say we have egress rewrite rules that look purely at
> forwarding class. If we have an ingress firewall filter
> on another interface that sets the forwarding class
> correctly, that will override the default classifiers on
> the ingress interface, right?
Correct.
> I think it's starting to
> click. The classifier applied in the class-of-service
> config is a Behavior Aggregate classifier,...
Correct.
> but if we use
> a firewall filter for this purpose, it's called a
> multifield classifier, right?
Correct.
> As long as one or the
> other is setting the forwarding class correctly, we're
> okay, but we run into problems if ingress traffic has
> DSCP markings already but doesn't match against a BA or
> MF classifier.
BA classifiers should match any incoming DSCP value. All 64
DSCP code points are associated with a forwarding class by
default, in Junos. The only question is whether you like the
default code-point-to-forwarding-class-and-loss-priority
mappings, or whether you want to switch them up to your
desire.
My QoS strategy tends to be more wholesale than specific
(I've never been one for millions of queues or classes of
service), so the default values in Junos work for me just
fine.
> In that case, the egress rewrite rules
> will re-mark the traffic unexpectedly.
Well, the point of remarking is that you don't like/trust
what came in, and you want to change it so that subsequent
hops in the network treat traffic a certain way re: QoS. And
that is why, for me, remarking on egress has been a big
issue with Juniper for many, many years. It just isn't
granular enough, particularly in complex topologies such as
collapsed core (P/PE) designs.
On the Trio chipset, firewall filters now support ingress
remarking of DSCP values, both for IPv4 and IPv6. I use this
at present. The only drawback is that EXP remarking is not
currently supported in a firewall filter.
IQE and IQ2E PICs on the M320 and T320 have proper ingress
remarking with the ToS Translation Tables, supporting
DSCPv4, DSCPv6 and EXP. But those are the only platforms you
can get this capability on, sadly, and anyone would be mad
to invest money in those boxes today.
> Do I finally have this straight in my head? lol
Yep.
Mark.
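
The arrangement discussed in this message, as an added configuration sketch that is not from either poster: an ingress firewall filter acting as the multifield classifier and resetting untrusted DSCP on ingress, with an egress rewrite rule keyed only on forwarding class. The filter name, rewrite-rule name, interface names and the 192.0.2.0/24 prefix are constructed for illustration.

```junos
# Added example; MF-CLASSIFY-IN, RW-BY-FC, ge-0/0/0, ge-0/0/1 and
# 192.0.2.0/24 are constructed placeholders, not values from the thread.

# Multifield (MF) classifier: EF is honoured only from the trusted prefix.
set firewall family inet filter MF-CLASSIFY-IN term trusted-voice from source-address 192.0.2.0/24
set firewall family inet filter MF-CLASSIFY-IN term trusted-voice from dscp ef
set firewall family inet filter MF-CLASSIFY-IN term trusted-voice then forwarding-class expedited-forwarding
set firewall family inet filter MF-CLASSIFY-IN term trusted-voice then loss-priority low
set firewall family inet filter MF-CLASSIFY-IN term trusted-voice then accept

# Anything else, whatever DSCP it arrived with, is classified best-effort
# and has its DSCP reset on ingress by the filter itself.
set firewall family inet filter MF-CLASSIFY-IN term everything-else then forwarding-class best-effort
set firewall family inet filter MF-CLASSIFY-IN term everything-else then loss-priority low
set firewall family inet filter MF-CLASSIFY-IN term everything-else then dscp 0
set firewall family inet filter MF-CLASSIFY-IN term everything-else then accept

# Applying the filter on the ingress interface overrides the BA classifier's
# forwarding-class decision for packets the filter matches.
set interfaces ge-0/0/0 unit 0 family inet filter input MF-CLASSIFY-IN

# Egress rewrite rule that looks purely at forwarding class and loss priority.
set class-of-service rewrite-rules dscp RW-BY-FC forwarding-class expedited-forwarding loss-priority low code-point ef
set class-of-service rewrite-rules dscp RW-BY-FC forwarding-class best-effort loss-priority low code-point be
set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules dscp RW-BY-FC
```

With this in place, a packet arriving marked EF from outside the trusted prefix leaves ge-0/0/1 marked best-effort, because the egress rewrite follows the forwarding class the filter assigned rather than the marking the packet arrived with.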