[j-nsp] Set 802.1p bits for DHCP packets generated from the routing-engine

Alex D. listensammler at gmx.de
Thu Dec 20 15:00:29 EST 2018


Hi Saku,
> On Thu, 20 Dec 2018 at 14:24, Alex D. <listensammler at gmx.de> wrote:
>
> Hey Alex,
>
>> I tried that, but as mentioned, it didn't work. For testing purposes, I
>> configured a "log all" as first term:
>> term log-all-re-traffic {
>>       then log;
>> }
>> DHCP packets from routing-engine to the DHCP-server and DHCP packets
>> from client to the router are logged as expected. But mysteriously, I
> Sorry for my confusion, where did you put the filter? lo0.0 egress
> should not show you packets from client to the router.
Sorry, my fault. My firewall filter is configured as an egress filter on
lo0.0 (and some other units which are part of an L3 VPN) and I
wrongly said "from client to the router". Actually I meant from client
to the DHCP server. In case of a DHCP renewal sent directly to the
server, traffic is punted to the RE and the outgoing packet is logged
with src address of the client.

> 1. It punts all transit DHCP in all interfaces, and lo0.0 FW filter
> must allow these punted packets, otherwise you kill customers' dhcp
I am aware of that. In another setup, I have already painfully stumbled
over it.
> 2. It encapsulates the punted traffic with another set of IP headers
> (if you do 'monitor traffic ... write-file dhcp.pcap' you'll see the
> encapsulation, without 'write-file' you'll just see the bottom headers
> you expect to see, as the inline parser will hide the encapsulation
> headers
> 3. lo0 filter does not see the original headers but the encapsulation headers
Okay, that's quite interesting. I'll take a closer look at how the
encapsulated header looks.
>
> I wouldn't be surprised if for some reason it is not subject to normal
> rules in CoS either, but I've not specifically tried to set or observe
> their QoS.
Do I understand correctly that you also have not tried to change anything in
outbound DHCP traffic using a firewall filter yet?
I think I will try to do some further testing in the lab and if I do not get it
running, I will open a TAC case.
If you have any further hints, I would be grateful if you would tell me.

Many thanks.
Regards,
Alex
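The marking the thread is trying to achieve, written out as an added example in set form (not configuration from the original post or from Juniper): an egress filter on lo0.0 that assigns DHCP traffic to a forwarding class, plus an 802.1p rewrite rule on an assumed VLAN-tagged customer-facing unit ge-0/0/0.0. The filter, counter, rewrite-rule and interface names are assumptions. Per Saku's point 3, the dhcp-from-re term may never match punted DHCP, because lo0.0 sees the encapsulation headers rather than the original UDP/67-68 headers; the final log-and-accept term is kept so that punted transit DHCP is not dropped (his point 1) and so the log shows what the filter actually sees.

```junos
# Egress filter on lo0.0: mark DHCP (bootps/bootpc, UDP 67/68) that the RE sends.
# Filter name "re-egress-dhcp" and counter "dhcp-marked" are assumed.
set firewall family inet filter re-egress-dhcp term dhcp-from-re from protocol udp
set firewall family inet filter re-egress-dhcp term dhcp-from-re from source-port [ 67 68 ]
set firewall family inet filter re-egress-dhcp term dhcp-from-re then forwarding-class network-control
set firewall family inet filter re-egress-dhcp term dhcp-from-re then loss-priority low
set firewall family inet filter re-egress-dhcp term dhcp-from-re then count dhcp-marked
set firewall family inet filter re-egress-dhcp term dhcp-from-re then accept
# Catch-all: log everything else the lo0.0 egress filter sees, and accept it,
# so punted transit DHCP (which also passes this filter) is not killed.
set firewall family inet filter re-egress-dhcp term log-all-re-traffic then log
set firewall family inet filter re-egress-dhcp term log-all-re-traffic then accept
set interfaces lo0 unit 0 family inet filter output re-egress-dhcp
# 802.1p rewrite: network-control / low -> PCP 6 (binary 110).
# Rule name "dhcp-8021p" and the customer-facing ge-0/0/0.0 are assumed.
set class-of-service rewrite-rules ieee-802.1 dhcp-8021p forwarding-class network-control loss-priority low code-point 110
set class-of-service interfaces ge-0/0/0 unit 0 rewrite-rules ieee-802.1 dhcp-8021p
```

After committing, `show firewall filter re-egress-dhcp` (counter dhcp-marked) and `show firewall log` show whether the dhcp-from-re term ever matches; if only the log term fires for DHCP, the packets are reaching lo0.0 with the encapsulation headers Saku describes and the match criteria would have to target those instead.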