Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  DSCP marking on the edge

    Posted 01-15-2020 06:05

    I know this topic has been discussed ad nauseam, so I'm mostly asking about peripheral questions here (and I have read the applicable documentation on the subject).

     

    First, I'm setting up an EX to emulate the DSCP marking strategy that we do with our Cisco access switches. I've gathered that most EX platforms can't do this inbound, so the approach is instead to classify inbound into different queues and then rewrite the DSCP tag outbound. I've got this working as a simple PoC, but I have a few questions:

     

    1) Is there any way to reuse the same firewall filter on switched ports and routed ports? Since the filters are family-specific, you need to specify whether it's for inet or ethernet-switching or what have you, and an inet filter isn't usable on a switched port and vice versa.

     

    2) Are from statements in a firewall filter ANDed or ORed? I'm guessing AND, but what about situations where the constituents are incompatible? I.e.

     

    "from": {
        "destination-port": ["161", "1812"],
        "ip-protocol": ["icmp"]
    }

    Does that match TCP/UDP port 161 or 1812 or ICMP? Or just nothing since a packet can't have more than one destination port (especially over ICMP)? What about a case where you're specifying source and destination ports? 

     

    Thanks much,

    Ian



  • 2.  RE: DSCP marking on the edge
    Best Answer

     
    Posted 01-15-2020 13:52

    To answer your questions:

     

    1. You may try a filter with "family any". There are limitations with family any filters, because for each type of interface the filter can match different types of packet. Usually we only define very generic matching conditions for family any filters, e.g. accept everything and do port-mirror.

     

    2. Within the same criterion, it's OR. For different criteria, it's AND. You gave a really bad example, since it won't match anything. Let me give another example. Below matches all LDP packets, AND [if it's udp OR tcp], AND [if source address is 1.1.1.1/32 OR 2.2.2.2/32]:

     

    family inet {
        filter test {
            term 1 {
                from {
                    source-address {
                        1.1.1.1/32;
                        2.2.2.2/32;
                    }
                    protocol [ udp tcp ];
                    port ldp;
                }
            }
        }
    }
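
The AND/OR rule from the answer above, as an added worked example that is not part of this thread and is not Junos code: a small Python model of how a filter term's from block is evaluated against a packet (values under one match condition are ORed, distinct conditions are ANDed, terms are tried in order, the first match wins, and a filter that matches nothing ends in the implicit discard). Both from blocks from the thread are fed through it. The Packet class, the PORT_NAMES table and the sample packets are constructed for the example; the model assumes an ICMP packet carries no port numbers, so any port condition fails for it, which is a simplification of real platform behaviour.

```python
"""Model of Junos firewall-filter 'from' semantics (example code, not Junos).

Values under one match condition are ORed, distinct conditions are ANDed,
terms are tried in order, first match wins, and an unmatched packet hits
the implicit discard at the end of the filter.  All packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names accepted as port values (assumed subset of the Junos keywords).
PORT_NAMES = {"ldp": 646, "snmp": 161, "radius": 1812}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                    # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None   # None for protocols without ports (ICMP)
    dst_port: Optional[int] = None


def _port(value) -> int:
    """Accept a numeric port or a service name from PORT_NAMES."""
    return PORT_NAMES[value] if isinstance(value, str) and not value.isdigit() else int(value)


def _in_prefix(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


# One predicate per match condition.  ICMP packets have no ports in this
# model, so every port condition fails for them (assumption, see lead-in).
MATCHERS = {
    "source-address":      lambda p, v: _in_prefix(p.src, v),
    "destination-address": lambda p, v: _in_prefix(p.dst, v),
    "protocol":            lambda p, v: p.protocol == v,
    "ip-protocol":         lambda p, v: p.protocol == v,   # ethernet-switching spelling
    "source-port":         lambda p, v: p.src_port == _port(v),
    "destination-port":    lambda p, v: p.dst_port == _port(v),
    "port":                lambda p, v: _port(v) in (p.src_port, p.dst_port),
}


def term_matches(from_block: dict, pkt: Packet) -> bool:
    """AND across conditions; OR across the listed values of one condition."""
    for condition, values in from_block.items():
        if not any(MATCHERS[condition](pkt, v) for v in values):
            return False
    return True


def evaluate_filter(terms, pkt: Packet) -> str:
    """terms: list of (name, from_block, action).  First matching term wins;
    an empty from_block matches everything; no match returns 'discard'."""
    for _name, from_block, action in terms:
        if term_matches(from_block, pkt):
            return action
    return "discard"


# The from block from the question: ICMP AND a destination port can never match.
QUESTION_FROM = {"destination-port": ["161", "1812"], "ip-protocol": ["icmp"]}

# The from block from the answer: (1.1.1.1 OR 2.2.2.2) AND (udp OR tcp) AND port 646.
ANSWER_FROM = {
    "source-address": ["1.1.1.1/32", "2.2.2.2/32"],
    "protocol": ["udp", "tcp"],
    "port": ["ldp"],
}

# A two-term filter; a final catch-all term avoids the implicit discard.
FILTER = [
    ("ldp-peers", ANSWER_FROM, "accept"),
    ("everything-else", {}, "reject"),
]

if __name__ == "__main__":
    samples = [
        Packet("10.0.0.5", "10.0.0.1", "icmp"),
        Packet("10.0.0.5", "10.0.0.1", "udp", 40000, 161),
        Packet("1.1.1.1", "10.0.0.1", "tcp", 646, 51000),
    ]
    for pkt in samples:
        print(pkt, "question-term:", term_matches(QUESTION_FROM, pkt),
              "filter:", evaluate_filter(FILTER, pkt))
```

Running it shows the question's from block matching neither the ICMP packet nor the SNMP datagram, while the answer's term accepts an LDP segment from 1.1.1.1 whether 646 is the source or the destination port, because `port` covers either direction.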

     



  • 3.  RE: DSCP marking on the edge

    Posted 01-15-2020 14:48

    Great, thanks for your explanation. I suppose I'll need to rework my from statements to get things to work.