I am using a multifield classifier, via a firewall filter, to classify the incoming packets based on the source address, and trying to mark the DSCP for that packet. I am using set dscp xx and applying the firewall filter to the input of the interface, but when I try to sniff the packet from the outgoing interface I don't see the marked DSCP values. I know we can use the rewrite rules at the egress to re-mark the packet; I was wondering why set dscp is not working.
You can change the DSCP only in the following ways:
Remarking involves changing the QoS priority markings (802.1p or DSCP) for the next hop to act on.
- Interface specific rewrite: Binding a rewrite rule to the interface.
- Multifield remarking: Using egress firewall filters to remark specific traffic bases. This can only be applied to an L2/L3 physical or logical interface. Multifield remarking firewall filter cannot be bound to a VLAN.
Unfortunately for you, ingress MF is not mentioned here.
I have the rewrite dscp working, as it is marking the desired DSCP values on the outgoing interface. I am trying to change the DSCP values of the packet on the incoming interface using a firewall filter. We have an option on the action modifier to set DSCP values; here is what I have, and I am trying to understand why this is not working.
set firewall family inet filter test term t1 from source-address 220.127.116.11/32
set firewall family inet filter test term t1 then dscp ef
set firewall family inet filter test term t1 then accept
set interfaces ge-0/0/0 unit 0 family inet filter input test
When I analyze the packet capture on the output interface, I don't see the dscp ef on the packets.
I have added the forwarding class and loss priority on the MF and could see the packets being classified. So the purpose of setting the dscp action modifier on the firewall filter is only for classification?
So, if we need to mark the packet's header, then it has to be done using the rewrite dscp at the egress interface.
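
The arrangement the thread converges on, written out as an added example (not configuration posted by any participant): the ingress filter only assigns a forwarding class and loss priority, and a rewrite rule bound to the egress interface writes the DSCP value. The egress interface ge-0/0/1, the rewrite-rule name rw-ef, and the choice of the expedited-forwarding class with loss priority low are assumptions; the thread does not name them.

```junos
# Ingress: multifield classifier from the thread, assigning a forwarding
# class and loss priority instead of "then dscp ef".
# Assumption: expedited-forwarding / low are the intended class and priority.
set firewall family inet filter test term t1 from source-address 220.127.116.11/32
set firewall family inet filter test term t1 then forwarding-class expedited-forwarding
set firewall family inet filter test term t1 then loss-priority low
set firewall family inet filter test term t1 then accept
set interfaces ge-0/0/0 unit 0 family inet filter input test

# Egress: rewrite rule that maps the class and loss priority to code point ef.
# Assumption: rw-ef is a hypothetical rule name, ge-0/0/1 a hypothetical
# outgoing interface.
set class-of-service rewrite-rules dscp rw-ef forwarding-class expedited-forwarding loss-priority low code-point ef
set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules dscp rw-ef
```

Packets classified by term t1 should then show the ef code point in a capture taken on the egress side.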