Showing results for 
Search instead for 
Do you mean 
Posts: 19
Registered: ‎07-21-2009
0 Kudos

marking DSCP not working

Dear friends,


I have Juniper M10i running 8.5R3.4 & i am trying to mark DSCP by matching DSCP value X  and then marking it to value Y.. But i am not getting any option of dscp in 'then' of firewall options.






Documentation available on juniper website shows that dscp option is available in 'then' . Can someone suggest why my router is not showing this option???



The options i m getting are following;
router-1# set firewall filter testing term 1 then ?
Possible completions:
  accept               Accept the packet
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  count                Count the packet in the named counter
> discard              Discard the packet
  forwarding-class     Classify packet to forwarding class
  ipsec-sa             Use specified IPSec security association
  load-balance         Use specified load balancing group
  log                  Log the packet
> logical-router       Packets are directed to specified logical router
  loss-priority        Packet's loss priority
  next                 Continue to next term in a filter
  next-hop-group       Use specified next-hop group
  policer              Name of policer to use to rate-limit traffic
  port-mirror          Port-mirror the packet
  prefix-action        Police or count packets using named prefix action
> reject               Reject the packet
  routing-instance     Packets are directed to specified routing instance
  sample               Sample the packet
  syslog               System log (syslog) information about the packet
> three-color-policer  Police the packet using a three-color-policer



Distinguished Expert
Posts: 2,199
Registered: ‎08-21-2009
0 Kudos

Re: marking DSCP not working



"then dscp" is available in FW filters since JUNOS 10.0 for packets generated by Routing Engine






Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Super Contributor
Posts: 158
Registered: ‎04-20-2009
0 Kudos

Re: marking DSCP not working

If I'm understanding your question correctly, you are trying to change the DSCP marking for transit traffic.  This is actually a two step process.


First, you must place the packet in the forwarding class (in ingress) that has the DSCP marking you want the final packet to have.

Your then action:


then forwarding-class <blah>


Second, you need to have rewrite rules to change the DSCP value of the packets egressing the M10i.




Note:  By default, M-series do not change the DSCP/IP Prec values for transit traffic - you need rewrite rules.  Additionally, IP Prec is the default for the classifier - you need to specifiy DSCP. 


I'm attching an old dipiction of QOS operation in M-series, but it is still relevent and my favorite Smiley Happy