06-22-2010 01:50 AM
I have Juniper M10i running 8.5R3.4 & i am trying to mark DSCP by matching DSCP value X and then marking it to value Y.. But i am not getting any option of dscp in 'then' of firewall options.
Documentation available on juniper website shows that dscp option is available in 'then' . Can someone suggest why my router is not showing this option???
The options i m getting are following;
router-1# set firewall filter testing term 1 then ?
accept Accept the packet
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
count Count the packet in the named counter
> discard Discard the packet
forwarding-class Classify packet to forwarding class
ipsec-sa Use specified IPSec security association
load-balance Use specified load balancing group
log Log the packet
> logical-router Packets are directed to specified logical router
loss-priority Packet's loss priority
next Continue to next term in a filter
next-hop-group Use specified next-hop group
policer Name of policer to use to rate-limit traffic
port-mirror Port-mirror the packet
prefix-action Police or count packets using named prefix action
> reject Reject the packet
routing-instance Packets are directed to specified routing instance
sample Sample the packet
syslog System log (syslog) information about the packet
> three-color-policer Police the packet using a three-color-policer
06-22-2010 02:28 AM
"then dscp" is available in FW filters since JUNOS 10.0 for packets generated by Routing Engine
Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
06-30-2010 06:30 AM
If I'm understanding your question correctly, you are trying to change the DSCP marking for transit traffic. This is actually a two step process.
First, you must place the packet in the forwarding class (in ingress) that has the DSCP marking you want the final packet to have.
Your then action:
then forwarding-class <blah>
Second, you need to have rewrite rules to change the DSCP value of the packets egressing the M10i.
Note: By default, M-series do not change the DSCP/IP Prec values for transit traffic - you need rewrite rules. Additionally, IP Prec is the default for the classifier - you need to specifiy DSCP.
I'm attching an old dipiction of QOS operation in M-series, but it is still relevent and my favorite