[j-nsp] CoS and ingress traffic with DSCP markings

Mark Tinka mark.tinka at seacom.mu
Sat Jan 25 10:44:25 EST 2014


On Friday, January 24, 2014 07:29:58 PM John Neiberger 
wrote:

> I have a follow-up to make sure I understand this. Let's
> say we have egress rewrite rules that look purely at
> forwarding class. If we have an ingress firewall filter
> on another interface that sets the forwarding class
> correctly, that will override the default classifiers on
> the ingress interface, right?

Correct.

> I think it's starting to
> click. The classifier applied in the class-of-service
> config is a Behavior Aggregate classifier,...

Correct.

> but if we use
> a firewall filter for this purpose, it's called a
> multifield classifier, right?

Correct.

> As long as one or the
> other is setting the forwarding class correctly, we're
> okay, but we run into problems if ingress traffic has
> DSCP markings already but doesn't match against a BA or
> MF classifier.

BA classifiers should match any incoming DSCP value. All 64 
DSCP code points are associated with a forwarding class by 
default, in Junos. The only question is whether you like the 
default code-point-to-forwarding-class-and-loss-priority 
mappings, or whether you want to switch them up to your 
desire.

My QoS strategy tends to be more wholesale than specific 
(I've never been one for millions of queues or classes of 
service), so the default values in Junos work for me just 
fine.

> In that case, the egress rewrite rules
> will re-mark the traffic unexpectedly.

Well, the point of remarking is that you don't like/trust 
what came in, and you want to change it so that subsequent 
hops in the network treat traffic a certain way re: QoS. And 
that is why, for me, remarking on egress has been a big 
issue with Juniper for many, many years. It just isn't 
granular enough, particularly in complex topologies such as 
collapsed core (P/PE) designs.

On the Trio chipset, firewall filters now support ingress 
remarking of DSCP values, both for IPv4 and IPv6. I use this 
at present. The only drawback is that EXP remarking is not 
currently supported in a firewall filter.

IQE and IQ2E PICs on the M320 and T320 have proper ingress 
remarking with the ToS Translation Tables, supporting 
DSCPv4, DSCPv6 and EXP. But those are the only platforms you 
can get this capability on, sadly, and anyone would be mad 
to invest money in those boxes today.

> Do I finally have this straight in my head? lol

Yep.

Mark.
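
The setup discussed in this message, as an added example that is not part of the original post: an ingress firewall filter acting as a multifield classifier (setting forwarding class and remarking DSCP, as described for Trio), plus an egress rewrite rule keyed only on forwarding class. The filter and rewrite-rule names, the interfaces and the 192.0.2.0/24 prefix are placeholders chosen for illustration.

```junos
# Added example; names, interfaces and the prefix are placeholders.

# Ingress multifield classifier: matches on header fields rather than the
# incoming DSCP, sets the forwarding class and remarks DSCP in the filter.
set firewall family inet filter MF-CLASSIFY-IN term voice from source-address 192.0.2.0/24
set firewall family inet filter MF-CLASSIFY-IN term voice from protocol udp
set firewall family inet filter MF-CLASSIFY-IN term voice then forwarding-class expedited-forwarding
set firewall family inet filter MF-CLASSIFY-IN term voice then loss-priority low
set firewall family inet filter MF-CLASSIFY-IN term voice then dscp ef
set firewall family inet filter MF-CLASSIFY-IN term voice then accept

# Catch-all term: whatever DSCP arrived is not trusted, so the traffic is
# placed in best-effort and its DSCP is reset.
set firewall family inet filter MF-CLASSIFY-IN term untrusted then forwarding-class best-effort
set firewall family inet filter MF-CLASSIFY-IN term untrusted then loss-priority low
set firewall family inet filter MF-CLASSIFY-IN term untrusted then dscp 0
set firewall family inet filter MF-CLASSIFY-IN term untrusted then accept

# Apply the filter on the ingress interface; its forwarding-class action
# overrides the BA classifier result for matching packets.
set interfaces ge-0/0/0 unit 0 family inet filter input MF-CLASSIFY-IN

# Egress rewrite rule that looks purely at forwarding class and loss priority.
set class-of-service rewrite-rules dscp RW-BY-FC forwarding-class expedited-forwarding loss-priority low code-point ef
set class-of-service rewrite-rules dscp RW-BY-FC forwarding-class best-effort loss-priority low code-point be
set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules dscp RW-BY-FC
```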