Switching

     Iam using Multifield classifier using firewall filter to classify the incoming packets based on the source address and trying to mark the dscp for that packet. Iam using set dscp xx and applying the firewall filter to input of the interface, but when i try to sniff the packet from the outgoing interface i dont see the marked dscp values. I know we can use the rewrite rules at the egress to re-mark the packet, was wondering why set dscp is not working.

Any information on this greatly appreciated.

according to

http://www.juniper.net/us/en/local/pdf/implementation-guides/8010073-en.pdf

you can change the dscp only in the following ways:

• -Interface specific rewrite: Binding a rewrite rule to the interface.
• -Multifield remarking: Using egress firewall filters to remark specific traffic bases. This can only be applied to an L2/L3 physical or logical interface. Multifield remarking firewall filter cannot be bound to a VLAN.

Unfortunately for you ingress MF is not mentioned here

regards

alexander

Thanks Alexander for the quick response.

Do you know why using dscp in the action field of filter doesnt work. When i commit, i dont see any warning/error message.

HI

Could you try the below 

set class-of-service rewrite-rules dscp VOICE-DSCP-REWRITE import default
set class-of-service rewrite-rules dscp VOICE-DSCP-REWRITE forwarding-class VOICE-EF-CLASS loss-priority low code-point ef
set class-of-service rewrite-rules dscp VOICE-DSCP-REWRITE forwarding-class assured-forwarding loss-priority low code-point af32
set class-of-service rewrite-rules dscp VOICE-DSCP-REWRITE forwarding-class assured-forwarding loss-priority high code-point af32
set class-of-service rewrite-rules dscp VOICE-DSCP-REWRITE forwarding-class network-control loss-priority low code-point cs7
set class-of-service rewrite-rules dscp VOICE-DSCP-REWRITE forwarding-class network-control loss-priority high code-point cs6
set class-of-service rewrite-rules dscp VOICE-DSCP-REWRITE forwarding-class best-effort loss-priority low code-point be

set class-of-service interfaces ge-* unit 0 rewrite-rules dscp VOICE-DSCP-REWRITE

Thanks

Partha 

I have the rewrite dscp working as it is marking the desired dscp values on the outgoing interface, Iam trying to change the dscp values of the packet in the incoming interface using firewall filter. We have an option on the action modifier to set dscp values,here is what i have and trying to understand why this is not working.

set firewall family inet filter test term t1 from source-address 1.1.1.1/32

set firewall family inet filter test term t1 then dscp ef


set firewall family inet filter test term t1 then accept


set interfaces ge-0/0/0 unit 0 family inet filter input test

When i analyze the packet capture on the output interface, i dont see the dscp ef on the packets.

Thanks

Multified classifier only classifies the traffic it does not manipulate the packet header You should check to see if it is being classified. You have not aded the following: 

I have added the forwarding class and loss priority on the MF and could see the packets being classified.  so the purpose of setting dscp action modifier on the firewall filter is only used for the classification ?

 so, if we need to mark the packets header then it has to be done using the re-write dscp at the egress interface.

Yes

HI Velu

Are you saying you are just configuring MF without any COS profile?

Did you check this example

http://www.juniper.net/techpubs/en_US/junos/topics/example/firewall-filter-stateless-example-act-on-dscp-bit.html

Thanks

Partha